Reverse Smudge Engineering Foils Android Security

HardOCP News

Reverse smudge engineering? Really Google? Security defeated by smudge tracing?

Google's mobile operating system lets people unlock devices by swiping a particular pattern across a three-by-three grid of dots. But Android evangelist Tim Bray raised a concern about "reverse smudge engineering" to figure out the unlock pattern.
 
Lmao, it's an OPTION. Don't use it if it's not secure enough for you. You can also do a PIN or a password. Having lower-security options is a feature, not a bug.
 
Yea, I dunno about the flak on this. Fingerprints and touch screens will always leave fingerprints... it's a given. It's sort of like blaming car manufacturers for drivers not wearing their seat belt.
 
I've always thought slide-to-unlock wasn't a security feature (I'm talking to you, "Siri can circumvent iPhone security" crowd), but a butt-dial prevention feature. If you want security, put a PIN on your devices and get the FindMyiPhone app and the Android equivalent to remote-lock/wipe your phone if it gets stolen.
 
Did you guys even read the article? The very first line says:

Eat a lot of potato chips? Then consider avoiding one of the ways Google offers to unlock an Android device.

It is just calling out 'one of the ways'. And there is good reason for it. Some people feel a swipe is more secure because it is a gesture and not just alphanumeric. But even with the smudges, if you use the right kinds of patterns, then the smudge can only tell part of the story. If you backtrack on any of the pattern or go over parts of it, then the person trying to break in will have to figure that out too. But the most simple solution? Keep the screen clean, or use special covers to prevent smudging.
 
Lmao, it's an OPTION. Don't use it if it's not secure enough for you. You can also do a PIN or a password. Having lower-security options is a feature, not a bug.

Same thing can be said with a pin, if there are smudges on the 4 most touched areas (or less for repeat numbers), there's a max of 24 possible passwords and bam you're through. Or the old standby, peek over someone's shoulder as they're doing it, seriously within 5-6 feet you can tell what their password is by where they push.
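To put numbers on the smudge argument in the two posts above, here is an added example (not written by any poster in this thread) that counts how many 4-digit PINs or Android unlock patterns remain possible once a smudge gives away which keys or dots were touched. It assumes the smudge reveals only the set of touched positions, not order or direction; the function names and the 0..8 dot numbering are hypothetical.

```python
from itertools import permutations, product

def pins_consistent(smudged_keys, length=4):
    """Count PINs of `length` digits that press every smudged key at least
    once and press no other key."""
    keys = set(smudged_keys)
    return sum(1 for pin in product(sorted(keys), repeat=length)
               if set(pin) == keys)

def _jumped_dot(a, b):
    """Dot lying exactly between dots a and b on the 3x3 grid, or None.
    Dots are numbered 0..8, left to right, top to bottom (assumed layout)."""
    (r1, c1), (r2, c2) = divmod(a, 3), divmod(b, 3)
    if (r1 + r2) % 2 == 0 and (c1 + c2) % 2 == 0:
        return ((r1 + r2) // 2) * 3 + (c1 + c2) // 2
    return None

def patterns_consistent(smudged_dots):
    """Count unlock patterns that visit exactly the smudged dots, each once.
    Rule applied: a stroke may pass over a dot only if that dot was already
    visited earlier in the pattern."""
    count = 0
    for order in permutations(set(smudged_dots)):
        seen, valid = set(), True
        for prev, cur in zip(order, order[1:]):
            seen.add(prev)
            mid = _jumped_dot(prev, cur)
            if mid is not None and mid not in seen:
                valid = False
                break
        count += valid
    return count

if __name__ == "__main__":
    # Constructed smudge sets: 4, 3, 2 and 1 distinct keys on a 4-digit PIN.
    for keys in ("2580", "258", "25", "2"):
        print(f"PIN keys {sorted(keys)}: {pins_consistent(keys)} candidates")
    # Constructed pattern smudge: top row plus the right-middle dot.
    print("pattern dots {0,1,2,5}:", patterns_consistent({0, 1, 2, 5}))
    print("pattern using all 9 dots:", patterns_consistent(range(9)))
```

A smudge that also shows the stroke lines narrows a pattern further than this count, which is why the remaining-candidates figure matters mainly when compared against the device's failed-attempt limit.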
 
I do this daily to ppl at work and no one has yet figured out how I keep unlocking their phones.
 
End users will always screw up security regardless of the amount of grease on their screen. I'm sure there are many of us here that have already experienced the "My phone just stopped working." line as you see the limit on password tries has been reached and the phone is now on meltdown. :mad:
 
I'm not sure about this one, I rarely keep the screen dirty IMO, even with just light dirt I usually clean it right away, can't really say this is Google's fault. But yeah, I think over the shoulder or a quick look at the screen and someone can memorize what you did easily. But I think that would be the same with someone looking at your phone while entering a 4 pin code. I imagine people getting caught by the wtf reverse smudge technique are people who are really unhygienic about their screens, lol
 
I'm a little OCD, but usually when I lock my phone and set it down, I wipe it off with my t-shirt or pants to remove the smudges. Go ahead and reverse smudge that...
 
On Apple phones... the most often used password is 2 5 8 0. I would have to say I have a 50% success rate trying that on other people's phones.
 
My Atrix has a fingerprint scanner. It's even a swipe style sensor, so you're not going to leave a full print for anyone to copy. More phones should have this feature.
 
Putting a security feature on your phone isn't exactly a good idea. Most likely, it'll force people to find a way to wipe the phone, 'cause all they really care about is the phone itself. Most thieves care little about your personal information, and most of them are too dumb to do anything dangerous. If the phone had no security feature, they would use it as normal and won't seek someone who knows how to reset the phone. This is where it gets good.

If you're really smart you install a tracking program into your phone, which you can remotely activate. Unless the thief is smart enough to boot into recovery and wipe data/cache, you should be good. Use your home PC to track it, and go to the address the GPS picks up. Get some friends involved and you'll do something that no cop or phone company can do, and that's get your shit back.
 
Fuck that Ash. My phone can access my email. Which is where the bank sends the password reset. Lock your phone, and track it.

I use Lookout, which can back up, track, alarm and remotely wipe my phone.

My data is worth way more than the phone. What's a used phone go for? Compare that to access to your checking and savings accounts?
 
The semi better idea is to use a pattern that, even with a smudge, doesn't leave something so obvious like the one pictured in the article.
 
lol this is nothing new. I do this to friends with Android phones all the time... it pisses them off :D
 
Lmao, it's an OPTION. Don't use it if it's not secure enough for you. You can also do a PIN or a password. Having lower-security options is a feature, not a bug.

But being able to use Siri from the lock screen is a flaw, right?
 
Putting a security feature on your phone isn't exactly a good idea. Most likely, it'll force people to find a way to wipe the phone, 'cause all they really care about is the phone itself. Most thieves care little about your personal information, and most of them are too dumb to do anything dangerous. If the phone had no security feature, they would use it as normal and won't seek someone who knows how to reset the phone. This is where it gets good.

If you're really smart you install a tracking program into your phone, which you can remotely activate. Unless the thief is smart enough to boot into recovery and wipe data/cache, you should be good. Use your home PC to track it, and go to the address the GPS picks up. Get some friends involved and you'll do something that no cop or phone company can do, and that's get your shit back.

Are you serious? No security on a corporate phone then? So just up and let someone take it, get into your mail and get all the information they want. Phones get stolen all the time for their information. Most thieves aren't usually looking to 'use' your phone. They are looking to steal it and sell it. Or they are looking to steal it, get whatever you have on it off (like personal information and account names/numbers) and then sell it. The more information they have access to, the more potential money they may get out of the deal.
 
For those suggesting pins, you will still leave fingerprint marks over the numbers you press.
 