Users of Android devices can unlock the display by entering a pattern. This function is convenient and thus popular – however, less secure than locking with a PIN. An international research team thus recommends implementing a blocklist on Android devices that prohibits the 100 most popular patterns, which are thus the easiest to guess. Precisely how this needs to be created has been investigated by Philipp Markert from the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum together with colleagues from The George Washington University and the United States Navy.
The team led by Professor Adam Aviv from The George Washington University will be presenting the results at the USENIX Symposium on Usable Privacy and Security, which takes place from 8 to 10 August as a virtual conference. The data is available in advance as a freely accessible preprint.
What the most popular Android patterns look like
"While the four-digit PIN allows users 10,000 different combinations, there can theoretically be 389,112 versions of the Android patterns that are drawn on a three-by-three grid," explains Collins Munyendo, first author of the publication from The George Washington University. "However, users are not making the most of these options." In parts of the world where people read from the top left to the bottom right, patterns in the form of letters – such as a Z, L or W – are particularly popular. Around 49 per cent of all patterns start in the top left; 32.5 per cent end in the bottom right – this makes it easier for attackers to guess a pattern.
Various blocklists put to the test
In the current online study, the research team tested how blocklists of different lengths affect security and usability. They had 1,006 people select a new unlocking pattern. Some of the participants were able to select from all theoretically conceivable possibilities (control group); certain patterns were excluded for the other five groups, whereby five blocklists of different lengths were used. If a user selected a blocklisted pattern, they were shown a warning and had to enter a new pattern.
The researchers had identified in an earlier study which were the most popular Android patterns. The shortest of the five tested blocklists contained the twelve most popular patterns from the previous study, the longest blocklist contained the 581 most popular patterns.
Blocklist with 100 patterns recommended
"The medium-length list with 100 blocklisted patterns is the best compromise between security and usability," summarizes Miles Grant from The George Washington University. With this blocklist, users took an average of 19 seconds to select a non-blocklisted pattern. As a comparison: a pattern was selected in 13 seconds in the control group. Once a pattern had been chosen, the users were able to remember it well: 99.54 per cent correctly remembered the pattern they had set, while the figure was 100 per cent in the control group.
Security increases, even with the shortest blocklist
The researchers also verified to what extent the blocklists affected the security of the patterns. They simulated how easily an attacker could guess the pattern of a stolen mobile phone. Without a blocklist, the chance of success was 23.7 per cent after 30 attempted guesses. With the longest blocklist, it was 2.3 per cent. The recommended list with 100 blocklisted patterns reduced the chances of success to around 7.5 per cent.
"A blocklist with 100 entries would thus already significantly increase security, but require little extra effort from users during setup," summarises Philipp Markert. "The layout with three-by-three grids, which users know and like, would remain unchanged." In contrast to this, other ideas for improving the security of Android patterns included a four-by-four grid or a random arrangement of the grid dots on the display.
The work was supported by the National Science Foundation (grant number 1845300), the State of North Rhine-Westphalia in the context of the research group "Human Centered Systems Security", and the German Research Foundation in the context of the Cluster of Excellence "Cyber Security in the Age of Large-Scale Adversaries", CASA (EXC 2092 - 390781972).
Collins W. Munyendo, Miles Grant, Philipp Markert, Timothy J. Forman, Adam J. Aviv: Using a blocklist to improve the security of user selection of Android patterns, USENIX Symposium on Usable Privacy and Security (SOUPS), 2021, Virtual Conference, Download Preprint
Mobile Security Research Group
Horst Görtz Institute for IT Security
Phone: +49 234 32 28669
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.