If you’ve ever seen your friend unlock his or her phone with a pattern lock and thought, “I could hijack that phone,” you were probably right.
A new study suggests that nearby observers can suss out pattern locks on Android phones up to 80 percent of the time, and all they need to do is watch the user input the pattern once or twice. If you want to protect your phone, you’ll need to use a 6-digit PIN instead, which can flummox nearly 90 percent of nosy onlookers.
The information comes from a study entitled “Towards Baselines for Shoulder Surfing on Mobile Authentication,” written by academics at the United States Naval Academy and the University of Maryland.
While their paper isn’t exactly beach reading, its contents are pretty interesting if you’ve ever wondered whether the pretty pattern you use to secure your phone’s home screen is really keeping anything safe. Short answer: It’s better than nothing, but it's not an especially powerful deterrent.
Here’s how the study worked: Researchers gathered 1,264 participants, some on their Maryland campuses and some online. The participants then watched videos of users unlocking Android phones from a variety of different angles, with a variety of different input methods. Researchers showed videos of six-point (and shorter) pattern locks, both with and without feedback lines. They also demonstrated 4- and 6-digit PINs.
While you can read the paper for an exhaustive breakdown of the data, the bottom line was clear: Pattern locks, especially with feedback lines enabled, are extremely memorable to a casual observer.
Having seen a pattern once, study participants could replicate it accurately about 64 percent of the time. That number spiked to 80 percent after a second observation. A 6-digit PIN, however, prevented about 89 percent of attacks after a single viewing, and almost 73 percent after a second viewing.
To be fair, neither method of screen locking actually puts your phone at risk; both protect it considerably better than having no lock screen at all. However, it’s not hard to see how “shoulder surfing” could be a simple way to hijack a phone in a public place.
Imagine a crowded bar or concert, where watching a stranger’s phone screen would be simplicity itself, and lifting it out of a pocket would be only marginally more difficult. While you’d still need a password to an Apple or a Google account to fully compromise a phone, getting past the lock screen would be a strong place to start.
Ultimately, how you protect your phone is up to you, and knowing your screen-lock pattern won’t do an attacker much good unless he or she can also steal your phone. Still, an extra precaution never hurt anyone, and six numbers are pretty easy to remember — unless you’re a shoulder-surfer, apparently.