Android Security Advisory: How To Keep Pattern Lock Secure
Pattern locking your Android can be a convenient way to help keep it secure, even if the phone should fall into the wrong hands. However, while a pattern lock is a whole lot more reliable than a face-based lock, there are still ways to get around it, as discussed in a recent XDA-Developers thread. Luckily, there are a few simple steps you can take to help keep your phone a whole lot safer.
There are multiple methods an attacker could use to try bypassing a pattern lock once they have physical possession of the phone, but all work by modifying the phone’s settings database while the handset is still locked. One way an attacker could do this is by connecting to your phone and running the Android Debug Bridge (ADB). So, the first way you can help protect your phone is by disabling USB debugging (or just not enabling it in the first place).
Even if you have debugging enabled, you’re not necessarily insecure; the attacker will still need the permissions to modify the database. Some manufacturers have their phones configured so that ADB access alone will be sufficient, while in other cases the attack requires that your phone has been rooted. Not rooting your phone is the other big step you can take to help keep it safe from prying eyes.
Without root, and especially without USB debugging, you’re safer, but not completely out of the woods. If you have a custom recovery installed, an attacker may be able to boot into that and mount the partition holding the needed data, before modifying it to disable the lock.
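To check your own device against the conditions above, the following added example (not from the article or the XDA thread) reads a saved `getprop` dump plus the `adb_enabled` setting and reports which ones apply. It assumes the standard AOSP properties `ro.secure`, `ro.debuggable` and `ro.boot.verifiedbootstate`; the function names and finding labels are hypothetical, and the sample dump is constructed.

```shell
#!/bin/sh
# Added example (not from the article): flag the exposure conditions the
# article lists, using a saved `getprop` dump and the adb_enabled setting.

# Print the value of one "[key]: [value]" line from a getprop dump.
prop_value() {   # $1 = dump file, $2 = property name
    awk -v k="[$2]:" '$1 == k { v = $2; gsub(/^\[|\]$/, "", v); print v; exit }' "$1"
}

# Print a space-separated list of findings (empty when none apply).
audit_lock_exposure() {   # $1 = dump file, $2 = adb_enabled value (0 or 1)
    findings=""
    # USB debugging on: the ADB route described in the article is reachable.
    if [ "$2" = "1" ]; then findings="$findings usb-debugging-enabled"; fi
    # ro.secure=0: adbd does not drop root, so ADB access alone is enough.
    if [ "$(prop_value "$1" ro.secure)" = "0" ]; then
        findings="$findings adbd-keeps-root"
    fi
    # ro.debuggable=1: eng/userdebug-style build where `adb root` is allowed.
    if [ "$(prop_value "$1" ro.debuggable)" = "1" ]; then
        findings="$findings debuggable-build"
    fi
    # Assumption: an unlocked bootloader ("orange") stands in for the
    # custom-recovery case, since it is what permits booting one.
    if [ "$(prop_value "$1" ro.boot.verifiedbootstate)" = "orange" ]; then
        findings="$findings bootloader-unlocked"
    fi
    echo "${findings# }"
}

# Constructed sample dump (not captured from a real device).
write_sample_dump() {   # $1 = output path
    cat > "$1" <<'EOF'
[ro.build.tags]: [test-keys]
[ro.secure]: [0]
[ro.debuggable]: [1]
[ro.boot.verifiedbootstate]: [orange]
EOF
}

sample=$(mktemp)
write_sample_dump "$sample"
echo "findings: $(audit_lock_exposure "$sample" 1)"
rm -f "$sample"
```

On a device you own, the inputs can be collected with `adb shell getprop` and `adb shell settings get global adb_enabled`; an empty result means none of the listed conditions were detected from these properties.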
In all likelihood, you’ve got a better chance of needing to use one of these attacks to get into your own phone after forgetting the pattern than having some bad guy try to steal all your data, but it can’t hurt to be aware of the vulnerabilities, all the same.