Android lockscreen series
- Tricking the Biometric Sensor on a Android Phone
- Android PIN Code Analysis
- Android Lock Screen Pattern Analysis
Patterns
The graphical pattern for unlocking an android device works by showing a 3x3 grid of nodes for the user. The user then draws a pattern between 4 to 9 of said nodes which then represents the users unlock code. In total it is possible to draw 389,112 different patterns to act as the users unlock code, and the minimum amount, using only 4 nodes, is 1624 combinations. However this large number of combinations is only the theoretical number of combinations. Studies con- ducted in 2013 and 2015 has shown a high bias in the commonly created patterns.[1][2]These studies of the android graphical pattern shows that the average number of nodes used when a user creates a pattern is 5.40 nodes. It shows that on average 44% of patterns start from the top left node, and 77% of patterns start from one of the 4 corners.[2]
Android supports the use of a external mouse connected to the device.[3] Using the same method described in section 4.1.2, it is possible to use a device that will emulate ad HID mouse which can then be used to test many different pattern combinations. Research on the graphical pattern shows that on average there are between 7152(5 nodes) and 26,016(6 nodes) different combi- nations of patterns, but also that 39% of patterns are using 4 nodes which presents only 1624 possible patterns. The same rules for device timeout still applies for the android graphical pat- tern meaning that using the same formula as in the Android PIN Code analysis article, it would statistically take ≈ 2.7 hours to identify 39% of patterns and in total between ≈ 11.9 − 43.4 hours on average to identify the pattern with a brute-force attack on a stock android device.[2]
Optimization
Using the statistics that show which nodes are most frequently used in the pattern selection pro- cess, such as 44% of patterns starting from the top left node, or 77% from one of the 4 corners, it is possible to create a list of patterns that have a statistically higher chance to be present on the device. This list can then be used in the same method as in the Android PIN Code analysis article, to perform a dictionary attack against the android device. This has a statistically higher chance to identify the pattern on the device and to reduce the time until the attack terminates.
For this project a list of all possible lock screen patterns has been created. This list has been sorted and optimized in order of patterns that are the most statistically likely to be present on a device. The basis for the statistics used to compile and sort this list is Martin Dybevik Løge’s research on unlock patterns.[2]
To compile and optimize the pattern list 4 different guidelines were used:
- 44% of patterns start at node 1.
- 73% of patterns start at node 1, 3 or 7.
- 65% of patterns have a length of 4 or 5 nodes.
- Pattern start locations ordered by rank: [1, 3, 7, 2, 4, 5, 9, 7, 6.]
Following these guidelines and using the model in Figure 1, a script was written in python. The algorithm in Algorithm 1 takes a list of all possible pattern combinations as input, and outputs the full list in its sorted and optimized form.
Algorithm 1
1PatternList ← All pattern combinations
2Start_location ← [1,3,7,2,4,5,9,7,6]
3
4function SORT_BY_START(PatternList, Start_location)
5 Sorted_Dictionary
6 for Start in Start_location do
7 Patterns
8 for Pattern in PatternList do
9 if First number of Pattern = Start then
10 Patterns ← Pattern
11 Patterns ← Patterns(sorted by lenght)
12 Sorted_Dictionary ← Patterns
13 return Sorted_Dictionary
14
15function PROCESS DICTIONARY(PatternList, Start location)
16 Sorted Dictionary ← Sort By Start(PatternList, Start location)
17 Final_List
18 for Key in Sorted Dictionary do
19 for Pattern in Sorted Dictionary[Key] do
20 Final List ← Pattern
21 Final List ← Final List(Sorted by Length)
22 return Final_List
23
24Process Dictionary(PatternList, Start location)
25
Which converted into actual code looks like:
1def sorting(inp, start):
2 sorted_dict = {} # Big sorted dict of patterns by start location
3 for loc in start: # For every start location
4 f = open(inp, "r+")
5 print(loc)
6 patterns = [] # List of patterns for for start location
7 for line in f:
8 if list(line)[0] == loc: # If line starts at [start location]
9 patterns.append(line)
10 patterns = sorted(patterns, key=len) # Sort by size
11 sorted_dict[loc] = patterns
12 return sorted_dict
13
14def dict_processing(inp, start):
15 w = open("output", "a+")
16 sorted_dict = sorting(inp, start)
17 big_list = [] # Huge list of patterns
18 for key in sorted_dict:
19 for item in sorted_dict[key]:
20 big_list.append(item)
21 list_len_sort = sorted(big_list, key=len) # Sort by length
22 for pattern in list_len_sort:
23 w.write(pattern)
24
25# Start locations in order of most to least frequent
26# 1, 3 and 7 constitutes 73% of patterns
27# 44% of patterns start at 1
28start = ['1', '3', '7', '2', '4', '5', '9', '7', '6']
29dict_processing("full_pattern_list.txt", start)
30
The complete, sorted, and optimized lists are available at: https://github.com/emmeix/OptimizedUnlockPatternList together with small, medium and full size versions. In addition, individual node and part versions are available.
References
- [1] S. Uellenbeck et al. Quantifying the security of graphical passwords: The case of android unlock patterns. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 161–172, 2013.
- [2] M. D. Løge. Tell me who you are and i will tell you your unlock pattern. Master’s thesis, NTNU, 2015.
- [3] Android Open Source Project. Input. https://source.android.com/devices/input, 2020. Accessed: 2021-02-17.