Android forensics: Cracking the pattern lock protection

August 19, 2013 by Soufiane Tahiri

In this paper I’ll show you how to find an Android’s user pattern lock. I assume that the technique that I’ll demonstrate can work only on a rooted device. Actually, this article will be based on a problem given on a web-based CTF (Capture the Flag, a computer security competition).

Abstract

Nowadays many, if not all, smartphones offer, in addition to the traditional password lock protection, a pattern lock: a sequence of gestures the phone owner draws by joining points on a matrix in order to unlock the phone. This “new security approach” lets you avoid any undesired taps on the device, since the device asks for the pattern before authorizing access. This mechanism seems to be complicated and secure enough, which is totally wrong!

If you have a closer look at what a pattern lock actually is and how it works, you can easily conclude that it’s no more than a 3×3 matrix with some built-in conditions: the pattern drawn by the user must contain at least four points and each point can only be used once; since it’s a 3×3 matrix, the maximum number of points a lock pattern can contain is nine.

Studying pattern scheme

The 3×3 points of the pattern lock can be represented by numbers (digits); in fact, the points are numbered in order from 0 to 8 (the top left corner is 0 and the bottom right corner is 8):

So the pattern used in the image above is 1 – 2 – 5 – 8 – 7 – 4.

Statistically, it’s not a very big deal: taking every combination between 0123 and 876543210 is not even 0.2% of all possible nine-digit numbers, and we should have about 895824 pattern scheme possibilities available on an Android device.

Android devices store the pattern lock as an unsalted SHA-1 hash of a byte sequence, using something similar to this code snippet in order to achieve this:

[plain]
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.List;

// Each cell of the 3x3 grid becomes ONE raw byte (row * 3 + column, 0..8);
// the stored value is the unsalted SHA-1 of that byte sequence.
private static byte[] patternToHash(List<LockPatternView.Cell> pattern) {
    if (pattern == null) {
        return null;
    }

    final int patternSize = pattern.size();
    byte[] res = new byte[patternSize];
    for (int i = 0; i < patternSize; i++) {
        LockPatternView.Cell cell = pattern.get(i);
        res[i] = (byte) (cell.getRow() * 3 + cell.getColumn());
    }
    try {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] hash = md.digest(res);
        return hash;
    } catch (NoSuchAlgorithmException nsa) {
        // SHA-1 is always available on Android; fall back to the raw bytes otherwise.
        return res;
    }
}
[/plain]

This means that, for example, instead of directly storing 125874, it stores the hashed byte array in a system file called gesture.key located in the /data/system folder. We can read most of this information directly in the Android Open Source Project Java files, where the method is documented as follows:

[plain]
/**
 * Generate an SHA-1 hash for the pattern. Not the most secure, but it is
 * at least a second level of protection. First level is that the file
 * is in a location only readable by the system process.
 * @param pattern the gesture pattern.
 * @return the hash of the pattern in a byte array.
 */
[/plain]

According to this piece of code, our sample pattern should be saved as 6c1d006e3e146d4ee8af5981b8d84e1fe9e38b6c

The only little problem facing us now is that SHA-1 is a one-way cryptographic hash function, meaning that we cannot get the plain text back from the hash. Due to the fact that we have a very finite number of possible pattern combinations, and the other fact that the Android OS does not use a salted hash, it does not take a lot to generate a dictionary containing all possible hashes of sequences from 0123 to 876543210.
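As an added illustration (not code from the article, from its downloadable dictionary, or from AOSP), the Python port below reproduces patternToHash exactly as the Java above does, over one raw byte per cell rather than the ASCII digit characters, and rebuilds on the fly the exhaustive lookup the article describes. The function names and the digit notation for patterns are assumptions of this example; the article’s hex values are not asserted here.

```python
import hashlib
from itertools import permutations
from math import perm

GRID = 3  # 3x3 pattern grid; cell indices run 0 (top left) .. 8 (bottom right)

def cell_index(row, col):
    """Same mapping as LockPatternView.Cell in patternToHash: row * 3 + column."""
    return row * GRID + col

def digits_to_cells(digits):
    """Turn the article's digit notation, e.g. "125874", into (row, col) cells."""
    return [(int(d) // GRID, int(d) % GRID) for d in digits]

def pattern_bytes(cells):
    """The byte string Android hashes: ONE raw byte (value 0..8) per cell,
    not the ASCII digit characters of the pattern."""
    return bytes(cell_index(r, c) for r, c in cells)

def pattern_to_hash(cells):
    """Port of patternToHash: unsalted SHA-1 over the raw cell bytes."""
    return hashlib.sha1(pattern_bytes(cells)).digest()

def ascii_digit_hash(digits):
    """SHA-1 of the digit *string* instead; kept only to show that it differs
    from what gesture.key actually contains."""
    return hashlib.sha1(digits.encode("ascii")).digest()

def parse_gesture_key(blob):
    """A 3x3 gesture.key is just the 20-byte SHA-1 digest; any other length
    (e.g. the empty file some readers report) is not a 3x3 pattern file."""
    if len(blob) != hashlib.sha1().digest_size:
        raise ValueError("not a 3x3 gesture.key: expected 20 bytes")
    return blob

def candidate_count():
    """Number of orderings of 4..9 distinct cells, i.e. the dictionary size
    when the drawing UI's adjacency rules are ignored."""
    return sum(perm(GRID * GRID, k) for k in range(4, GRID * GRID + 1))

def recover_pattern(digest):
    """The lookup the article describes, built on the fly: hash every ordering
    of 4..9 distinct cells until one matches the stored digest."""
    for length in range(4, GRID * GRID + 1):
        for combo in permutations(range(GRID * GRID), length):
            if hashlib.sha1(bytes(combo)).digest() == digest:
                return "".join(str(c) for c in combo)
    return None
```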

Problem solving

We know enough to analyze the file system dump we’ve got; it’s not hard to find gesture.key and to explore its content:

You can open it using any text or hexadecimal editor:

The last thing to do right now is to compare the bytes of this file, 2C3422D33FB9DD9CDE87657408E48F4E635713CB, with values in the previously generated dictionary to find the hash that recovers the pattern scheme.

A previously made dictionary can be downloaded in the reference section and, using any SQLite browser, you can easily find the original pattern scheme: SELECT * FROM RainbowTable WHERE hash = '2c3422d33fb9dd9cde87657408e48f4e635713cb';

Which means that this is the pattern that unlocks the “wife’s device”:

Conclusion

There are no difficulties cracking or bypassing this kind of protection on an Android-based device; the only real obstacle is that we cannot directly access the /data/system/ folder and the gesture.key file except when we are dealing with a rooted device. This is done for fun and curiosity purposes since, if you have full access to a mobile, you can just remove or replace the file containing the SHA-1 hash with a prepared one; in addition, in most cases lock files are valueless from an Android forensic point of view.

More complicated techniques could be used if the device is not rooted. We are talking about a physical dump of the memory chip and the use of some special hardware tools like a Riff-Box and a JIG adapter, but this is not our concern for now.

Sources


Soufiane Tahiri is an InfoSec Institute contributor and computer security researcher, specializing in reverse code engineering and software security. He is also the founder of www.itsecurity.ma and has practiced reversing for more than 8 years. Dynamic and very involved, Soufiane is ready to catch any serious opportunity to be part of a workgroup. Contact Soufiane in whatever way works for you: Email: soufianetahiri@gmail.com Twitter: https://twitter.com/i7s3curi7y LinkedIn: http://ma.linkedin.com/in/soufianetahiri Website: http://www.itsecurity.ma

30 responses to “Android forensics: Cracking the pattern lock protection”

  1. ajay says:

    It’s amazing, I appreciate your research work, keep it on.

  2. idrcelab says:

    Great resources, thank you. Can you publish the password for the dictionary file, sir?

  3. Harpreet says:

    But how can I open that gesture.key file if the pattern lock is activated on the phone…
    Is there any software or file explorer to open those directories…???

  4. As said in the article you can open it using any text or hexadecimal editor

  5. Sandeep says:

    Sir, what is the password to extract the dictionary file?

  6. Sandeep says:

    Can you tell me the password of the dictionary files?

  7. Ángel says:

    Hello

    It is a good paper! But when I try to open the dictionary that contains the hashes it asks me for the password. What is the password?

    Thanks

  8. Manideep says:

    Hey man, Nice article.

    Does the sha1 – android – pattern download file have a password?

  9. Swapnil says:

    Hello Sir, please give me the name of a book which is the best tutorial on reverse engineering, as I have read 1 or 2 books like “Reversing: Secrets of Reverse Engineering” but did not get much clear concepts on reversing deeply. Please reply soon.

  10. The password is set in the archive comment. It’s “www.marw0rm.com” without quotes.

  11. trt says:

    sometimes you can see the paths from tilting the phone into the light, so you can see the fat that stays on the phone from her fingers.

  12. krishna says:

    But for taking the file system dump, the password is required, I hope. Without the pattern password, how to take the system dump and see the gesture.key? Is there any way?

  13. Chewbacca the Forensicator says:

    How are you getting a physical image from the locked phone? 99% of the time USB debug is OFF. adb shell in FTM mode will show the file system but will not allow access to the gesture.key file on a phone that’s not rooted…We could ROOT it but rooting wrecks data. We could side-load an APK / attack the recovery.img then boot to it…but you gotta have the right .img…..ideas?

  14. As said in this article: “More complicated techniques could be used if the device is not rooted. We are talking about a physical dump of the memory chip and the use of some special hardware tools like a Riff-Box and a JIG adapter..”

  15. Angel says:

    Hello,

    I have a question. For example I use the pattern “5 – 4 – 3 – 1 – 7 – 8 – 0 – 6 – 2”; well, in the RainbowTable the hash agrees with my gesture.key. Well, I did a script in Python; if I probe the example in this article (1 – 2 – 5 – 8 – 7 – 4) it returns:
    >>> h = hashlib.sha1("125874")
    >>> h.hexdigest()
    '6c1d006e3e146d4ee8af5981b8d84e1fe9e38b6c'

    It’s ok. But if I probe my pattern, it returns:

    >>> h = hashlib.sha1("543178062")
    >>> h.hexdigest()
    'e84f6d6e49323cadf30e4516950dc7bc073444f3'

    It is not ok, the correct value is:
    fa5cb9e19ed61a937b4df961a70e77cc3b26bff1 (this value is in my gesture.key and in the RainbowTable)

    Why? I don’t understand.

  16. I have no idea really!! But instead try the Java code given in the Android Open Source Project to reproduce your hashes:

    try {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] hash = md.digest(res);
        return hash;
    } catch (NoSuchAlgorithmException nsa) {
        return res;
    }

  17. Angel says:

    I tried that code and I get the same hash (e84f6d6e49323cadf30e4516950dc7bc073444f3); as I mentioned above, it is wrong. An online SHA1 hash generator returns the same as Java and Python. As I use a ROM based on CyanogenMod, it is possible that it uses another algorithm to generate the hash (although the example in this article works for me with SHA1).

    In any case, thank you for this article.

  18. Great article! But I still can’t find /data/system on my Galaxy Young phone.

  19. samuel says:

    Hey sir, from where do I open that dialogue box on the mobile?

  20. kishan says:

    Please tell me what to do with the code.. I am a complete newbie..... Where should I execute the code?

  21. Yugan says:

    Hi there,

    I owned a Galaxy Nexus running Jelly Bean 4.2.1 version, yakjuxw (Not rooted), GSM. I activated the Pattern Lock to prevent the kids at my relatives house messing my phone. Unfortunately, I forgot the pattern and the phone stays locked out. I have tried the pattern combinations for days but failed.

    I have tried to key in my Gmail account username/password but since my phone is wifi/data switched off, I cant sign in. Moreover, I am not sure whether the USB Debugging is enabled.

    I have tried some ‘hole’ methods recommended at some forums, but they didn’t work on my phone. I hope to get access to my messages/images/some files and transfer them to my PC before resetting the phone to factory settings. Please help! 😐

    I tried the adb method, however when I type , it returns . What should I do? Please help. I used Mint (linux) live session to use the terminal.

  22. suheb malik says:

    I have forgotten my pattern lock and the phone is asking for username and password.. and I have also forgotten the username and password.. so please help
    me and guide me… what do I do….

  23. Muhammad Haji says:

    Soufiane sir, really you’re a genius in security codes. I am impressed by your big knowledge.

  24. Miguel Enriquez says:

    Hi Soufiane Tahiri, I followed your article, and no problem….
    easy to follow.

    But it only works for 3×3 patterns… I tried with a 4×4 pattern.

    gesture.key for a 3×3 pattern: the size is 20 bytes
    but gesture.key for the 4×4 pattern: the size is 0 bytes

    Any comment? How to hack a pattern different from 3×3?

    On the web there is no information about it….

    here other way (not tested)

    http://uberskill.blogspot.mx/2012/08/cracking-android-gesture-patterns.html?showComment=1385956128052#c2216357080781021560

    Thanks

  25. Great work Sir, it’s really fascinating…

  26. shameel says:

    Hello sir, I can’t find gesture.key on my Galaxy Y??

  27. ROHON DEBROY says:

    DO I HAVE TO USE A SOFTWARE TO FIND THE GESTURE.KEY FILE ?

    IF YES THEN HOW OR IF KNOW TELL ME THE LOCATION

  28. guruprasath says:

    Sir ,

    I can’t find the gesture.key on my SAMSUNG Galaxy S Duos. Could you please guide me to the location with its path.

    Thanks in Advance

    Guruprasath C
