Researchers have done some interesting work about “smudge attacks” on Android phones. All Android phone owners will have guessed that this attack targets the authentication pattern that is used to unlock an Android phone. And all these owners also know that smudge really is dangerous for this authentication technique. I have tried it with a colleague: after picking up my phone, it took him 3 tries to get my combination. Not very good.
After that, I took a little time to examine the smudge left behind. Of course, it depends on environmental parameters: Have I cleaned the screen recently? Am I just stepping out of the shower, or eating fries in a fast food? In most cases, smudge is vividly present, but there is another parameter, which is not covered in the paper: the usage patterns of the phone. Let me take a few examples:
- If I turn on my phone because of an incoming SMS, things can get really bad; I will enter the pattern, leave smudge, and then barely touch the screen to start the messaging application. If I reply, things are better, because I will use the virtual keyboard on the bottom of the screen.
- Games are among the best smudge killers, in particular if interaction is through the touchscreen. After 2 or 3 minutes of play, nothing is left of the smudge.
- Another bad factor of Android phones comes from the keyboard, because it is possible to interact through keys, without touching the screen. For instance, when I browse content, I tend to use the wheel rather than the screen, and the smudge remains. If the phone includes a full keyboard, things are worse, because no virtual keyboard will be used, and it will be tempting to interact through the keyboard in many situations.
So, basically, playing is safer than anything else. Good news for some. Also, if you have a virtual keyboard, it may be interesting to have a part of the pattern action at the bottom of the screen, where key entry will add noise.
The real problem is with the countermeasures. The paper outlines the fact that not all phones are equal in front of smudge attacks, so there may be a way to optimize this. However, it will be hard to get something that works for phones stolen in fast food restaurants.
Interestingly, I have started wiping my phone’s screen in some situations. It works wonders, but it is a stupid gesture, contributing to the proof that this authentication mechanism i just poorly designed.
In the end, Android security could be better with another authentication mechanism, which takes smudge attacks into account. Allowing us to select an application to replace the mechanism will make us even safer, because it would transform a class attack into an attack on an individual phone, leaving the attacker to analyze the smudge specifically for each application.