27 research outputs found

    Cracking Android Pattern Lock in Five Attempts

    Pattern lock is widely used as a mechanism for authentication and authorization on Android devices. In this paper, we demonstrate a novel video-based attack to reconstruct Android lock patterns from video footage filmed using a mobile phone camera. Unlike prior attacks on pattern lock, our approach does not require the video to capture any content displayed on the screen. Instead, we employ a computer vision algorithm to track the fingertip movements to infer the pattern. Using the geometry information extracted from the tracked fingertip motions, our approach is able to accurately identify a small number of (often one) candidate patterns to be tested by an adversary. We thoroughly evaluated our approach using 120 unique patterns collected from 215 independent users, by applying it to reconstruct patterns from video footage filmed using smartphone cameras. Experimental results show that our approach can break over 95% of the patterns in five attempts before the device is automatically locked by the Android system. We discovered that, in contrast to many people's belief, complex patterns do not offer stronger protection under our attacking scenarios. This is demonstrated by the fact that we are able to break all but one complex patterns (with a 97.5% success rate) as opposed to 60% of the simple patterns in the first attempt. Since our threat model is common in day-to-day lives, our work calls for the community to revisit the risks of using Android pattern lock to protect sensitive information

    Continuous implicit authentication for mobile devices based on adaptive neuro-fuzzy inference system

    The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. As mobile devices have become indispensable in modern life, mobile security is becoming much more important. Traditional password or PIN-like point-of-entry security measures score low on usability and are vulnerable to brute force and other types of attacks. In order to improve mobile security, an adaptive neuro-fuzzy inference system (ANFIS)-based implicit authentication system is proposed in this paper to provide authentication in a continuous and transparent manner. To illustrate the applicability and capability of ANFIS in our implicit authentication system, experiments were conducted on behavioural data collected for up to 12 weeks from different Android users. The ability of the ANFIS-based system to detect an adversary is also tested with scenarios involving an attacker with varying levels of knowledge. The results demonstrate that ANFIS is a feasible and efficient approach for implicit authentication with an average of 95% user recognition rate. Moreover, the use of ANFIS-based system for implicit authentication significantly reduces manual tuning and configuration tasks due to its self-learning capability

    GazeLockPatterns: Comparing Authentication Using Gaze and Touch for Entering Lock Patterns

    In this work, we present a comparison between Android’s lock patterns for mobile devices (TouchLockPatterns) and an implementation of lock patterns that uses gaze input (GazeLockPatterns). We report on results of a between-subjects study (N=40) to show that for the same layout of authentication interface, people employ comparable strategies for pattern composition. We discuss the pros and cons of adapting lock patterns to gaze-based user interfaces. We conclude with opportunities for future work, such as using data collected during authentication for calibrating eye trackers

    Touchless Typing using Head Movement-based Gestures

    Physical contact-based typing interfaces are not suitable for people with upper limb disabilities such as Quadriplegia. This paper, thus, proposes a touch-less typing interface that makes use of an on-screen QWERTY keyboard and a front-facing smartphone camera mounted on a stand. The keys of the keyboard are grouped into nine color-coded clusters. Users pointed to the letters that they wanted to type just by moving their head. The head movements of the users are recorded by the camera. The recorded gestures are then translated into a cluster sequence. The translation module is implemented using CNN-RNN, Conv3D, and a modified GRU based model that uses pre-trained embedding rich in head pose features. The performances of these models were evaluated under four different scenarios on a dataset of 2234 video sequences collected from 22 users. The modified GRU-based model outperforms the standard CNN-RNN and Conv3D models for three of the four scenarios. The results are encouraging and suggest promising directions for future research. Comment: *The two lead authors contributed equally. The dataset and code are available upon request. Please contact the last autho

    Recent advances in mobile touch screen security authentication methods: a systematic literature review

    The security of the smartphone touch screen has attracted considerable attention from academics as well as industry and security experts. The maximum security of the mobile phone touch screen is necessary to protect the user’s stored information in the event of loss. Previous reviews in this research domain have focused primarily on biometrics and graphical passwords while leaving out PIN, gesture/pattern and others. In this paper, we present a comprehensive literature review of the recent advances made in mobile touch screen authentication techniques covering PIN, pattern/gesture, biometrics, graphical password and others. A new comprehensive taxonomy of the various multiple class authentication techniques is presented in order to expand the existing taxonomies on single class authentication techniques. The review reveals that the most recent studies that propose new techniques for providing maximum security to smartphone touch screen reveal multi-objective optimization problems. In addition, open research problems and promising future research directions are presented in the paper. Expert researchers can benefit from the review by gaining new insights into touch screen cyber security, and novice researchers may use this paper as a starting point of their inquir

    Automated discovery of unlock patterns on Android mobile devices

    Protecting Android mobile devices with an unlock pattern creates difficulties for the extraction and analysis of digital evidence. The applications available for computer forensics tasks offer limited capabilities when the mobile device is locked with this security mechanism. Unlike the iOS operating system, unlock-pattern protection on an Android mobile device keeps a constant penalty time when failed attempts are made, and in many cases does not require a second authentication factor to be entered. The implementation of a low-cost solution using Arduino Leonardo hardware has made it possible to automate the process of discovering unknown unlock patterns on mobile devices running the Android operating system. The software combines dictionary and brute-force attack techniques, seeking access to the device in times that are acceptable for criminal investigation. The code developed can be adapted through parameters for use on mobile devices that are locked with the unlock-pattern protection offered by the Android operating system. Sociedad Argentina de Informática e Investigación Operativ