TMGuard: A Touch Movement-Based Security Mechanism for Screen Unlock Patterns on Smartphones

  • Weizhi Meng
  • Wenjuan Li
  • Duncan S. Wong
  • Jianying Zhou
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9696)


Secure user authentication is a big challenge for smartphone security. To overcome the drawbacks of knowledge-based methods, various graphical passwords have been proposed to enhance user authentication on smartphones. Android unlock patterns are one of the Android OS features aiming to authenticate users based on graphical patterns. However, recent studies have shown that attackers can easily compromise this unlock mechanism (i.e., by means of smudge attacks). We advocate that some additional mechanisms should be added to improve the security of unlock patterns. In this paper, we first show that users would perform a touch movement differently when interacting with the touchscreen and that users would perform somewhat stably for the same pattern after several trials. We then develop a touch movement-based security mechanism, called TMGuard, to enhance the authentication security of Android unlock patterns by verifying users’ touch movement during pattern input. In the evaluation, our user study with 75 participants demonstrates that TMGuard can positively improve the security of Android unlock patterns without compromising its usability.


Keywords: Mobile security; User authentication; Android unlock patterns; Usability; Touch gestures; Behavioral biometric



We would like to thank all participants for their hard work and collaboration in the user studies such as data collection, and thank all anonymous reviewers for their helpful comments.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Weizhi Meng (1)
  • Wenjuan Li (2)
  • Duncan S. Wong (3)
  • Jianying Zhou (1)
  1. Infocomm Security Department, Institute for Infocomm Research, Singapore, Singapore
  2. Department of Computer Science, City University of Hong Kong, Hong Kong, China
  3. Applied Science and Technology Research Institute (ASTRI), Hong Kong, China
