  • Pattern lock considered insecure but swipe lock or none lock allowed

Hi,
Does anyone know why Graphene OS doesn't allow pattern lock because they consider it less secure, but at the same time they allow us to lock by swipe or even no lock, which are fully unsecured?
If your answer is "fake feeling of security", why don't they just launch a pop-up with a warning text about security if we choose pattern lock?
We are grown-up people, not children. Plus people using Graphene OS are advertised people, I think. We do things knowing the consequences better than others, I think.
It makes no sense to me.
Best regards,
xNRjTFZc

    Hi! I think you answered your own question there. ^_^

    Swipe unlock isn't really a lock at all, but the absence of that. There's nothing vague about that.

    Pattern unlock is not secure but it does give people a false sense of security, and it shouldn't be encouraged.

    While having swipe is sometimes desirable (such as when spinning up a quick profile to try something out that will later be deleted), there is no reasonable case where Pattern unlock should be preferred over a PIN/Password.

    Well, about "there is no reasonable case where Pattern unlock should be preferred over a PIN/Password": in my personal case I was able to unlock my phone without looking at it. That's why I like pattern.
    And talking about security, I'm pretty sure that my actual 4-digit PIN is less secure than my 8-point pattern lock (pattern hidden).
    But that's not my point. As you noticed, I answered the reason GOS disallowed it, and I don't understand why the choice is not left to the customer (with a security pop-up, no problem, it's their business). We are not children and pretty well advised here, I think. My philosophy is "explain to me, I'll choose".
    Moreover, "old customer" could keep pattern lock if understood, that's unfair.
    Thanks for your answer

    • Neo replied to this.

      xNRjTFZc
      It may seem that it's more secure, but according to a research paper I've read, it's not. I can't find the specific paper, but these Wired articles should get you started:
      https://www.wired.com/story/android-unlock-pattern-or-pin/
      https://www.wired.co.uk/article/phone-lock-screen-password

      If you read through these, you will understand why it is not an option. GrapheneOS is not for security theater, so of course to have elements that are not truly secure, but present themselves as such, is against the purpose of GrapheneOS.
      If you still feel that pattern-unlock is the best for your use-case, your use-case probably doesn't require GrapheneOS and something like ProtonAOSP or LineageOS would be better :)

        Thanks for your advice.
        Well, I knew LineageOS, which I used to use because I've been interested in privacy for maybe 8 years now. After that I used Calyx because I'm also interested in security. When I installed Calyx, I could have used Graphene, but at that time the compatibility with GServices was rubbish. I was happy with Calyx (hope not to be banned for saying this here). Then I heard (from Graphene) that MicroG has security issues and that they finally sandboxed Gservices. So I switched to Graphene. Except for this problem of lock screen by pattern, I'm happy with Graphene. Apps are slower to open on Graphene than on Calyx but I accept it because it's for a security purpose.
        I didn't know ProtonAOSP (is there a link with ProtonMail that I use?). It seems they use microG.

        I'm not an expert at all but I know how to get to my aim.
        When I installed Calyx I simply typed "android OS privacy", read some articles, and noted that for everyday use and privacy, Calyx was the best. After I heard about security, I waited for Graphene to raise their level of everyday use and switched to them.
        Today, I'm pretty happy with Graphene, which answers my preoccupations: everyday use, privacy, security. It just lacks freedom. Freedom to adjust your security level.
        If you know an OS answering all these points, I would be happy.
        Best regards

          xNRjTFZc "I didn't know ProtonAOSP (is there a link with ProtonMail that I use?)."

          No connection, they are completely separate entities.

          First of all, I have not used a pattern unlock since Android KitKat. But unless there exist better arguments than the ones shared by Neo, I agree with xNRjTFZc that this feels a bit arbitrary. There is no mention at all in those references that an 8 point pattern unlock (with hidden pattern) is less secure than a 4 digit PIN. In the same articles it is even mentioned that most of the time there is no significant gain going from a 4 to a 6 digit PIN because people tend to use years, patterns, etc.

          Would it be okay to enable pattern unlock while forcing the hidden pattern option?

          I'm reading the original paper, 4-digit PIN is exactly the same as 6-point pattern (pattern hidden)...
          By the way, with PIN it's not possible to disable the number on which you click lighting...

            xNRjTFZc Apps are slower to open on Graphene than on Calyx but I accept it because it's for a security purpose.

            Just so you know, you can go to Settings > Security and disable "Secure Exec Spawning" if you'd like. It's an optional feature, but I would strongly urge you to keep it enabled because of the additional security (and privacy) it offers.

            xNRjTFZc Well, you can enable PIN scrambling, which I would say is as effective as pattern hidden for those kinds of "sly glance" attacks.

            By the way, this is the original paper, in case someone is interested.