Android: pattern security lock vs. 4 characters PIN from a security side

The Android pattern lock, or gesture lock as I call it, is vulnerable to attack 
as mentioned by Anthony Miracle, but the lock can also be very easily removed on 
rooted devices. It is viable that if the attacker had access to the phone they 
could root the device and remove the lock to gain entry. I believe the lock 
could also be vulnerable to a cracking attack vector by hashing the key file 
with representing gestures into a list and matching against it. 

You may want to check out my blog post about it here 
http://sud0x3.net/2010/03/remove-the-gesture-lock-on-the-android/


> From: [email protected]
> Subject: Pauldotcom Digest, Vol 24, Issue 14
> To: [email protected]
> Date: Thu, 16 Sep 2010 12:00:02 +0000
> 
> Today's Topics:
> 
>    1. Re: Office password recovery/removal (k41zen Me)
>    2. Re: Android: pattern security lock vs. 4 characters PIN from
>       a security side (Anthony Miracle)
>    3. What am I missing? (k41zen Me)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 15 Sep 2010 15:46:45 +0100
> From: k41zen Me <[email protected]>
> Subject: Re: [Pauldotcom] Office password recovery/removal
> To: PaulDotCom Security Weekly Mailing List
>       <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
> 
> So went with the recommended app from Elcomsoft and it did a great job. Took 
> less than a second to
> obtain the users .pst password.
> 
> Thanks to everyone.
> 
> 
> On 11 Sep 2010, at 17:50, Tyler Robinson wrote:
> 
> > I will second elcomsoft had good results with them.
> > 
> > > All,
> > > 
> > > Can you recommend any good Office password recovery/removal apps for 
> > > Windows and Linux? My immediate requirement is to either recover or 
> > > remove one from an Outlook 2003 .pst file.
> > > 
> > > Grateful for suggestions.
> > > 
> > > k41zen
> > > Super Hero Squad
> > > _______________________________________________
> > > Pauldotcom mailing list
> > > [email protected]
> > > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > > Main Web Site: http://pauldotcom.com
> 
> 
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 15 Sep 2010 10:44:55 -0400
> From: Anthony Miracle <[email protected]>
> Subject: Re: [Pauldotcom] Android: pattern security lock vs. 4
>       characters PIN from a security side
> To: PaulDotCom Security Weekly Mailing List
>       <[email protected]>
> Message-ID:
>       <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> As others have mentioned, it's often easy to figure it out from the marks
> left on the screen if you don't clean it often.
> 
> Additionally, as a small experiment, I set a fairly complicated pattern and
> asked a co-worker to watch me quickly enter it once. He was able to
> duplicate the pattern on his first try. I did not have it set to display the
> pattern, he was just watching my finger. In my opinion, it's just easier to
> observe and memorize a pattern than it is to observe and memorize several
> rapidly typed numbers on these phones.
> 
> ---
> Anthony Miracle (sequel7)
> 
> 
> 
> On Tue, Sep 14, 2010 at 14:27, Sven Aluoor <[email protected]> wrote:
> 
> > Hi folks
> >
> > Is "pattern security lock" more secure than a strong 4 characters PIN
> > (I used it on iPhone)? Is the Android implementation vulnerable?
> >
> > cheers Sven
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 15 Sep 2010 18:29:23 +0100
> From: k41zen Me <[email protected]>
> Subject: [Pauldotcom] What am I missing?
> To: PaulDotCom Security Weekly Mailing List
>       <[email protected]>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=us-ascii
> 
> So I'm in the UK. I've got tonnes of RSS feeds and am on a few very 
> informative mailing lists - heck I even
> jump in and out of Twitter every now and again to try to keep up-to-date.
> 
> Imagine my surprise (Vorstedt voice from Lethal Weapon 2) then when I was 
> driving to work listening 
> to the latest PDC when it mentions UpSploit. Here is an awesome service 
> set-up and supported by numerous English
> blokes and a US podcast is introducing it to me! I'm sitting there on the M25 
> thinking how the hell 
> did I miss that? Was it a closely kept secret?
> 
> So what did I miss? What am I not reading? What am I not listening to? What 
> tweets am I not being...erm...twatted with?
> 
> k41zen
> 
> 
> ------------------------------
> 
> 
> End of Pauldotcom Digest, Vol 24, Issue 14
> ******************************************
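
To put a number on the pattern-versus-PIN question raised in this thread, the following added example (not code from any poster or from Android) counts the valid unlock patterns on a 3x3 grid and compares the total with a 4-digit PIN. The rules (4 to 9 dots, no dot reused, no jumping over an unused dot) and the reading of "4 characters PIN" as four decimal digits are assumptions stated here, not taken from the messages.

```python
# Added example: size of the 3x3 pattern keyspace versus a 4-digit PIN.
# Assumed rules: 4 to 9 dots, each dot used once, and a stroke may pass over
# a dot only if that dot is already part of the pattern.
from math import log2

# Dots are numbered 0..8 row by row. MIDDLE[(a, b)] is the dot lying exactly
# halfway between a and b on a straight line, when such a dot exists.
MIDDLE = {}
for a in range(9):
    for b in range(9):
        ra, ca, rb, cb = a // 3, a % 3, b // 3, b % 3
        if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            MIDDLE[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2


def count_patterns(min_len=4, max_len=9):
    """Return {length: number of valid patterns} by depth-first enumeration."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def extend(last, used, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in range(9):
            if used & (1 << nxt):
                continue  # dot already in the pattern
            mid = MIDDLE.get((last, nxt))
            if mid is not None and not used & (1 << mid):
                continue  # stroke would jump over an unused dot
            extend(nxt, used | (1 << nxt), length + 1)

    for start in range(9):
        extend(start, 1 << start, 1)
    return counts


def compare():
    """Return (patterns, pins, pattern_bits, pin_bits) for the two lock types."""
    total = sum(count_patterns().values())
    pins = 10 ** 4  # assumption: four decimal digits
    return total, pins, round(log2(total), 1), round(log2(pins), 1)


if __name__ == "__main__":
    print(count_patterns())
    print(compare())
```

These figures are only the size of the search space; they do not account for the screen-smudge and shoulder-surfing observations in the quoted messages, which reduce the candidates however large the space is.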
                                          