Maybe re-instate pattern unlock?

dpengel3

I'm completely new to GrapheneOS - coming from LineageOS.

Is there any chance of getting the folks who decide such things, to decide to resurrect pattern unlock - but not as a security mechanism?

All the discussions on the topic of pattern unlock appear to be about two years old, but they all seem to center around whether it's a good idea from a "security" point of view.

But I prefer it, and I don't use it for security. I don't even have anything in my phone (except the cost) that would bother me if it were stolen. However, pattern unlock was the perfect balance between convenience and complexity for a problem completely unrelated to security: For some reason, my cell phones seem to have a habit of unlocking--and tapping various things--in my pocket. The pattern unlock combined the convenience of swipe with the protection against pocket-unlock.

How does one go about proposing a feature (and an argument for the feature) to the GrapheneOS team? Has anyone else been using pattern unlock strictly for this reason/purpose?

soupslurpr

dpengel3 it seems you've been using the wrong tool for the job :)

I have also encountered the issue you talk about. You can disable tap to wake in settings. This should fix the problem.

Reason9

dpengel3 I think that you could also use the fingerprint reader as a convenient way to unlock, and also as a pocket prevention mechanism. Its gonna be faster than the pattern too

brookie229

I was a big fan of BB10's pattern unlock system back in the day. Not sure how secure that is in this day and age. Often wondered what the Graphene OS devs would think of that method.

phone-company

brookie229 sorry but i hope not. It's unsecure and graphene is most secure Software on a mobile device i know so far. If you want something like pattern unlock just use lineage or other customroms?!

brookie229

phone-company

Good to know - I think it was considered ok 10-12 years ago but probably not anymore. At the time I believe BlackBerrys BB10 was considered the most secure and their picture password grid unlock method better than any other. Things have obviously changed greatly. I'm good with the fingerprint although I find it a bit flakey on my 6a.

phone-company

brookie229 You can try reading in a finger twice. This works very well for me

SBMe25

Well my Pixel 7 for 2 of my main on my right and my thumb on my left was totally worthless. Why I gave in and got a Pixel 9 finally. It was just so bad and I wanted more RAM as I kept getting a RAM popup on a program and also wanted the better camera. But the fingerprint was a big seller. On the Pixel 9 it is working very well.

poplectic

No offence but I can't understand why someone would want to use GOS and secure it with pattern unlock? Seems like a contradiction to me. I'll easily see your pattern from across the room.
I remember seeing, on some people's phones, the pattern clearly visible in the grease on their screen.

dginovker

poplectic Here's my use-case:

Google pushed an update to Pixel 4a that made the battery life 1/3rd what it used to be
I want a ROM that works
My threat model is "I don't want the police unlocking it"
Pattern is suffice for that. They're not gonna guess my pattern, and "their bodycam footage contains me unlocking my phone" is outside my threat model

I care about security and find Graphene cool, but I care about usability more.

JollyRancher

dginovker My threat model is "I don't want the police unlocking it"

Then you don't want pattern unlock.

GrapheneOS

dginovker

Google pushed an update to Pixel 4a that made the battery life 1/3rd what it used to be

Pixel 4a an insecure end-of-life device without security patches. It's not at all suitable for the threat model you've described. It lacks basic protection against the device being exploited before it can get back to Before First Unlock state via our auto-reboot feature. It also doesn't have the newer generation secure element which forensic companies providing widely used tools to governments (not only for law enforcement) haven't figured out how to exploit.

I want a ROM that works

It's an OS, not a ROM.

Pattern is suffice for that. They're not gonna guess my pattern, and "their bodycam footage contains me unlocking my phone" is outside my threat model

It was removed as an option because it's a much worse variant of a PIN which is not sufficient for this.

I care about security and find Graphene cool, but I care about usability more.

Using an insecure end-of-life device without firmware or driver security patches regardless of OS choice doesn't fit with caring about security. The same goes with using pattern unlock instead of simply using a random 6 digit PIN which is dramatically stronger than any pattern people would use in practice.

raccoondad

Why not just set the password to something very simple or use biometrics? I only type my password maybe once a day, when auto-reboot kicks in.

GrapheneOS

We also have the option to use a 2nd factor PIN with fingerprint unlock so people can use a passphrase for primary unlock and fingerprint+PIN with a random 4 digit PIN for secondary unlock with only the standard 5 attempts allowed. Pattern unlock is a badly designed lock method that's a major downgrade from the security of a PIN for multiple reasons.

DudeSweet

A couple things I feel worthwhile to point out:
Fingerprint is not secure, the police in the US can compel you to put your finger on the screen to unlock your phone.
Fingerprint doesn't always work; dirty fingers, fresh out of the shower and dried, or worn due to working with your hands basically makes it next to impossible to use. Too many frustrating times I've had it fail every attempt and fall back to the PIN.
Not everyone wants to use multiple options together for unlocking.
The argument of seeing a pattern across the room works just as well for PINs, making the argument that PIN is more secure untrue.

Obviously I don't get to dictate/decide things, but I feel like removing unlock options is a disservice to users. It may be well intentioned and practical, but not everyone wants a fully hardened phone. There's plenty about Graphene that's very useful to more casual users looking to take back some control of things without going all the way. Maybe add very clear warnings about the insecurity of using a pattern and let the users decide what they want to do? Just a thought.

GrapheneOS

DudeSweet

Fingerprint is not secure, the police in the US can compel you to put your finger on the screen to unlock your phone.

Fingerprint unlock is not available as a primary unlock mechanism, only secondary unlock for After First Unlock state with a 5 attempt limit (instead of 4 sets of 5 attempts for 20 total) and within a 48 hour timer from the last successful primary unlock. GrapheneOS supports adding a PIN as a 2nd factor to fingerprint unlock for use with a stronger primary unlock method. It's entirely someone's choice to use fingerprint alone instead of with a random 4 digit PIN (or longer, but 4 digits is fine for this purpose due to the 5 attempt limit).

Fingerprint doesn't always work; dirty fingers, fresh out of the shower and dried, or worn due to working with your hands basically makes it next to impossible to use. Too many frustrating times I've had it fail every attempt and fall back to the PIN.

That's fine since it's a secondary unlock method.

Not everyone wants to use multiple options together for unlocking.

They can simply use a random 6 digit PIN.

The argument of seeing a pattern across the room works just as well for PINs, making the argument that PIN is more secure untrue.

PINs have far more possibilities along with the option of PIN scrambling on GrapheneOS. They are much more secure. Patterns are essentially a crippled PIN with limited possibilities and heavily encouraging using a highly insecure setup.

Obviously I don't get to dictate/decide things, but I feel like removing unlock options is a disservice to users. It may be well intentioned and practical, but not everyone wants a fully hardened phone. There's plenty about Graphene that's very useful to more casual users looking to take back some control of things without going all the way. Maybe add very clear warnings about the insecurity of using a pattern and let the users decide what they want to do? Just a thought.

Pattern lock is even more dangerous to people who are as you say more casual users. It is a badly designed and dangerous feature. iPhones not having this is very good for users. We will not add back a major flaw in the OS security design. You don't have to use GrapheneOS. If you do, your choices for primary lock are a PIN or password like iOS. This protects users rather than doing a disservice to them. Let us know when Apple adds the feature. Android added it long before there was a comparable focus on security as there is today and doesn't remove it as an option primarily to avoid making people angry. It would NOT be added by Android today. It is grandfathered in and we did the right thing getting rid of it. It's not grandfathered in to GrapheneOS since it has been gone so long.