Don't Secure Your Android Phone with a Pattern Lock
A new study suggests that nearby observers can suss out pattern locks on Android phones up to 80 percent of the time.
If you’ve ever seen your friend unlock his or her phone with a pattern lock and thought, “I could hijack that phone,” you were probably right.
A new study suggests that nearby observers can suss out pattern locks on Android phones up to 80 percent of the time, and all they need to do is watch the user input the pattern once or twice. If you want to protect your phone, you’ll need to use a 6-digit PIN instead, which can flummox nearly 90 percent of nosy onlookers.
The information comes from a study entitled “Towards Baselines for Shoulder Surfing on Mobile Authentication,” written by academics at the United States Naval Academy and the University of Maryland.
While their paper isn’t exactly beach reading, its contents are pretty interesting if you’ve ever wondered whether the pretty pattern you use to secure your phone’s home screen is really keeping anything safe. Short answer: It’s better than nothing, but it's not an especially powerful deterrent.
MORE: Best Antivirus Software and Apps
Here’s how the study worked: Researchers gathered 1,264 participants, some on their Maryland campuses and some online. The participants then watched videos of users unlocking Android phones from a variety of different angles, with a variety of different input methods. Researchers showed videos of six-point (and shorter) pattern locks, both with and without feedback lines. They also demonstrated 4- and 6-digit PINs.
While you can read the paper for an exhaustive breakdown of the data, the bottom line was clear: Pattern locks, especially with feedback lines enabled, are extremely memorable to a casual observer.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
Having seen a pattern once, study participants could replicate it accurately about 64 percent of the time. That number spiked to 80 percent after a second observation. A 6-point PIN, however, prevented about 89 percent of attacks after a single viewing, and almost 73 percent after a second viewing.
To be fair, neither method of screen locking actually puts your phone at risk. Both protect it considerably better than not having a lock screen. However, it’s not hard to see how “shoulder surfing” could be a simple way to hijack a phone in a public place.
Imagine a crowded bar or concert, where watching a stranger’s phone screen would be simplicity itself, and lifting it out of a pocket would be only marginally more difficult. While you’d still need a password to an Apple or a Google account to fully compromise a phone, getting past the lock screen would be a strong place to start.
Ultimately, how you protect your phone is up to you, and knowing your screen-lock pattern won’t do an attacker much good unless her or she can also steal your phone. Still, an extra precaution never hurt anyone, and six numbers are pretty easy to remember — unless you’re a shoulder-surfer, apparently.
Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi.