Blog: Android

Don’t use PIN Patterns on Android

Ken Munro 25 Jul 2014


Long PINs on phones are a pain to remember and enter. They’re important though, as so much data on mobiles and tablets is sensitive, whether personal or business related. Passwords, user accounts, email, banking details. If you don’t think this data is important, talk to someone who has had their identity stolen.


The PIN is usually the key needed to unlock the encryption that protects the above data. Short PINs can be a waste of time – see our talk about trivial cracking of Android and early iOS encryption when PINs are short.

Android tries to make long PINs easier to enter and remember by allowing you to draw a ‘pattern’ based PIN. Surely this is a good thing, right? I don’t think so, for two important reasons:

Shoulder surfing becomes even easier. The pattern is drawn on the screen and ‘persists’ until the user has entered it. It’s so much easier for the attacker to see a pattern drawn, rather than work out which digits your finger had touched.

PIN patterns destroy entropy. The complexity of a PIN (or password) comes partly from the lack of predictability. In common use however, most people will draw a pattern that is simple to use.

Patterns usually start at the corner of the keypad (so 1,3,7,9) and move to the next adjacent number (after 1, then 2,4 or 5) and so on. So when working out a statistically likely attack against a PIN, the first digit is more likely to be a choice of four digits, not the 10 on the keypad. The second is likely to be a choice of three, not 10.

The next major issue is that, as far as I know, it’s not possible to use the same number twice when drawing PIN patterns on Android. Entropy is reduced still further.

There’s an interesting statistical analysis of this here that counts the number of patterns of a given length that start from ANY number and can move to any other number on the keypad, not just adjacent numbers. In the case of a four digit PIN, it’s 1,400. If we then assume that most users start on a corner and move to adjacent numbers, the entropy drops to very roughly 600 combinations. That’s a far cry from the 10,000 combinations you can get with a non-pattern PIN. The same article also shows (in the comments) how increasing PIN length with a pattern without number repetitions doesn’t increase entropy at anything like the rate you might expect.
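The keyspace argument above, worked through as an added example (not the post’s own code, nor the linked analysis): it enumerates patterns on the 3x3 dot grid labelled 1–9 under assumed rules (no dot reused; a straight move that passes over an unvisited dot is rejected; optionally the post’s “typical user” model of a corner start with adjacent-only moves) and compares the resulting keyspace with a numeric PIN in bits. The counts are for this assumed model and will not match the linked article’s figures exactly.

```python
import math

# Assumed model: Android-style 3x3 grid, dots labelled like a keypad
# (row-major: 1 2 3 / 4 5 6 / 7 8 9). Maps dot -> (row, col).
GRID = {n: divmod(n - 1, 3) for n in range(1, 10)}
CORNERS = (1, 3, 7, 9)

def is_adjacent(a, b):
    """True if b is a neighbouring dot of a (including diagonals)."""
    (r1, c1), (r2, c2) = GRID[a], GRID[b]
    return a != b and max(abs(r1 - r2), abs(c1 - c2)) == 1

def skipped_dot(a, b):
    """Dot lying exactly midway between a and b on the grid, or None."""
    (r1, c1), (r2, c2) = GRID[a], GRID[b]
    if (r1 + r2) % 2 or (c1 + c2) % 2:
        return None  # no grid dot sits on the midpoint
    mid = ((r1 + r2) // 2, (c1 + c2) // 2)
    return next(n for n, rc in GRID.items() if rc == mid)

def count_patterns(length, starts=range(1, 10), adjacent_only=False):
    """Count distinct patterns of `length` dots under the assumed rules:
    no dot reused, and a move over an unvisited dot is illegal (the lock
    screen snaps that dot into the path). adjacent_only=True applies the
    post's "corner start, adjacent moves" user model on top of that."""
    def extend(path):
        if len(path) == length:
            return 1
        total = 0
        for nxt in range(1, 10):
            if nxt in path:
                continue
            if adjacent_only and not is_adjacent(path[-1], nxt):
                continue
            mid = skipped_dot(path[-1], nxt)
            if mid is not None and mid not in path:
                continue
            total += extend(path + (nxt,))
        return total
    return sum(extend((s,)) for s in starts)

def keyspace_bits(length):
    """Entropy in bits of each keyspace, assuming uniform choice."""
    return {
        "numeric_pin": math.log2(10 ** length),
        "any_pattern": math.log2(count_patterns(length)),
        "corner_adjacent": math.log2(
            count_patterns(length, starts=CORNERS, adjacent_only=True)),
    }

if __name__ == "__main__":
    for n in range(4, 10):
        print(n, {k: round(v, 1) for k, v in keyspace_bits(n).items()})
```

Running it shows the post’s point numerically: the “any pattern” space grows far more slowly than 10^n, and the corner-start/adjacent-only model shrinks it further still.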

Advice

  1. Jump around – If you must use a pattern, avoid adjacent numbers. ‘Jump’ to distant numbers on the keypad. Make your PIN as long as possible.
  2. Ditch the keypad – Some lock screen apps are available that don’t display a keypad, using images instead. You join up areas of the image, which should be harder to shoulder surf and also to predict.
  3. Show your face – Use ‘facial unlock’ if you feel lucky, but bear in mind older versions can be unlocked with a photo of the user!
  4. Be complex – Personally, I think long PINs are better than PIN patterns. Yes, they’re harder to work with, but you’ll be using that PIN so often that it will become second nature.
  5. Change it – And while we’re there, don’t forget to change that PIN from time to time. Six digits or more please.