Android phones vulnerable to oil smudge attacks

Millions of handsets running Google OS at risk

12 August 2010

Android touchscreen grid unlock pattern

Touchscreen Android mobile phone handsets which have user-defined patterns to unlock the screen can be easily hacked via 'smudge attacks' according to research from the University of Pennsylvania.

Rather than the password protection offered by Apple iPhones, Google's Android OS incorporates a graphical 'password' pattern. To unlock the screen after a period of inactivity, users trace a pattern over a grid of nine dots with their finger.

The key to a smudge attack is the thin oily residue left behind by a user's finger. The report says: 'Touchscreens are touched, so oily residues, or smudges, remain on the screen as a side effect'.

The researchers found that by taking a photo of an Android mobile's screen where the oily smudge from a finger had left a trace, it was simple to decipher the user-defined unlock pattern. Simple photo-editing software enabled the researchers to increase the contrast of the photo to clearly show the smudge, and then to recreate the pattern on-screen to unlock the phone.

92% success rate for Android smudge attacks

Despite the Android unlocking grid having 389,112 possible patterns, the smudge attack method worked successfully 92% of the time, according to the report. 
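The 389,112 figure can be checked by enumerating the pattern space. The following is an added worked example, not code from the article or from the University of Pennsylvania paper; it assumes the stock Android rules (4 to 9 distinct dots, and a stroke may only pass over the dot lying between two others if that dot is already in the pattern). It also counts how many patterns remain once the set of touched dots is known, which is the information a smudge leaks, to show how much of that space a smudge removes.

```python
"""Enumerate valid Android 3x3 unlock patterns (added example, not from the article)."""

# Dots are numbered 0..8, row-major:
#   0 1 2
#   3 4 5
#   6 7 8


def _middle(a, b):
    """Return the dot lying strictly between a and b on a straight line, or None."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None  # midpoint is not on a dot (adjacent or knight-style move)
    return ((ra + rb) // 2) * 3 + (ca + cb) // 2


def all_patterns(min_len=4, max_len=9):
    """Return every valid pattern as a tuple of dot indices, in visiting order."""
    found = []

    def extend(path, used):
        if len(path) >= min_len:
            found.append(tuple(path))
        if len(path) == max_len:
            return
        for nxt in range(9):
            if used[nxt]:
                continue  # each dot may be used only once
            mid = _middle(path[-1], nxt)
            if mid is not None and not used[mid]:
                continue  # cannot jump over an unvisited dot; the stroke would use it
            used[nxt] = True
            path.append(nxt)
            extend(path, used)
            path.pop()
            used[nxt] = False

    for start in range(9):
        used = [False] * 9
        used[start] = True
        extend([start], used)
    return found


def count_by_length(patterns):
    """Map pattern length -> number of valid patterns of that length."""
    counts = {}
    for p in patterns:
        counts[len(p)] = counts.get(len(p), 0) + 1
    return counts


def candidates_given_dots(patterns, dots):
    """Patterns whose set of touched dots equals `dots`: what remains once a
    smudge reveals which dots were touched but not the order."""
    target = frozenset(dots)
    return sum(1 for p in patterns if frozenset(p) == target)


if __name__ == "__main__":
    pats = all_patterns()
    print(len(pats), count_by_length(pats))          # 389112 in total
    print(candidates_given_dots(pats, range(9)))     # 140704 if all nine dots were touched
```

Even in the worst case for the attacker, all nine dots touched, the smudge cuts the candidate space from 389,112 to the 140,704 nine-dot orderings; with fewer dots touched the remaining set is far smaller.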

The most effective way to avoid falling victim to a smudge attack is to wipe the screen of touchscreen Android phones regularly. Tests found that the smudges were most visible when the phone had been previously held to the user's face during a phone call. They also revealed that merely replacing the phone in a pocket did not sufficiently remove the oily residue to make a smudge attack impossible.

Which? Android expert Al Warman said: 'One of the best features of Android is its ability to seamlessly sync with users' Google accounts. However, this means that anyone gaining access to an Android mobile has also made the first vital step towards identity theft.

'Google Mail, all your contacts, your Facebook and Twitter accounts, as well as any websites with passwords saved on the handset will be easy pickings for the smudge attacker.

'If your handset can be updated to Android 2.2, this includes the option to use a traditional alphanumeric password, but if you're stuck with the grid system, be sure to pick a complex pattern and always wipe after use.'
