Nowadays many, if not all, smartphones offer, in addition to the traditional password lock protection, a pattern lock one, which is a mix of gestures done by the phone owner joining points on a matrix in order to unlock his phone.
Pattern used in the image is 1 – 2 – 5 – 8 – 7 – 4.
Android devices do store pattern lock data in an unsalted SHA-1 encrypted bytes sequence format, using something similar to this code snippet in order to achieve this:
private static byte[] patternToHash(List pattern) {
if (pattern == null) {
return null;
}
final int patternSize = pattern.size();
byte[] res = new byte[patternSize];
for (int i = 0; i < patternSize; i++) {
LockPatternView.Cell cell = pattern.get(i);
res[i] = (byte) (cell.getRow() * 3 + cell.getColumn());
}
try {
MessageDigest md = MessageDigest.getInstance("SHA-1");
byte[] hash = md.digest(res);
return hash;
} catch (NoSuchAlgorithmException nsa) {
return res;
}
}
This means that, for example, instead of storing directly 125874 it stores an encrypted byte array in a system file called gesture.key located in the /data/system folder. We can read most of this information directly on “The Android Open Source Project” java files.
We know enough to analyze the file system dump we’ve got; it’s not hard to find gesture.key and to explore its content:
There are no difficulties cracking or bypassing this kind of protection an Android-based device; the only real obstacle is that we cannot directly access the /data/system/ folder and gesture.key file except when we are dealing with a rooted device
No comments:
Post a Comment