Insecure Smartphone Sensors: How Phones May Inadvertently Reveal Credentials


Normally we do everything to keep our smartphones intact: the device is put into a case, the screen is reinforced with a transparent film, and it might even be kept separately in a bag while out and about. We also take countermeasures to protect all the data saved to the phone’s storage too, by locking it with a pattern, a PIN code, a password or our fingerprint.

But according to Murphy’s law, if something can go wrong, it will: plastic films won’t protect the screen from breaking, and PIN codes may not be as secure as you think, especially if an experimental app like the one developed by Singapore’s Nanyang Technical University (NTU) could unlock the smartphone simply by relying on the device’s sensors.

Betrayed by the sensors

In order for the smartphone to be… well, smart, the device is equipped with many sensors, such as a gyroscope, an accelerometer, a barometer or a magnetometer. These can detect various things, from orientation and altitude to external light conditions and physical proximity to the human ear, the last of which is used to lock the screen during a call.

So how do PIN codes come into this? According to Dr Shivam Bhasin, a senior research scientist at NTU, this is because “when you hold your phone and key in the PIN, the way the phone moves when you press 1, 5, or 9, is very different. Likewise, pressing 1 with your right thumb will block more light than if you pressed 9”.

Using this knowledge, Dr Bhasin and his team of researchers created an Android app that collected data from six of the smartphone’s sensors, which was then fed into an algorithm that also recorded the relevant sensor readings.

Soon the algorithm was capable of giving different weightings of importance to each of the sensors, and this information was enough for the researchers to break into phones with a whopping 99.5% accuracy within three tries.


This means that if an app working on the same principle as the one created by the NTU researchers were to be released, over time it would be able to learn PIN codes – or even passwords – just by tracking users’ data entry patterns.

Sensor data: no permission granted

Aside from creating this monstrosity of an app, the study has proved the danger that comes with the smartphone’s physical sensors: they are extremely vulnerable to hacker attacks, since they inadvertently provide access to apps without requiring permission from the user. In simpler words, by spying on sensor data, a malicious application could easily give away the most valuable information, such as PIN codes and passwords.

According to Professor Gan Chee Lip, Director of the Temasek Laboratories at NTU, the solution is pretty simple: the phone’s OS should never give apps permission to access information from the phone’s sensors by default. Instead, it should be the users who choose whether they wish to permit the app to access sensor data.
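Because sensor access needs no permission, an app's permission list will not reveal it; a reviewer has to look in the code instead. The following added example (not from the article or the NTU study) scans source text for Android `getDefaultSensor(Sensor.TYPE_*)` calls covering the sensor kinds mentioned above and flags files that read motion and light/proximity sensors from a `Service`. The flagging rule, the function name and the sample sources are assumptions made for illustration.

```python
import re

# Android Sensor.TYPE_* constants for the sensor kinds the article mentions.
SENSOR_TYPES = {
    "TYPE_ACCELEROMETER": "accelerometer",
    "TYPE_GYROSCOPE": "gyroscope",
    "TYPE_MAGNETIC_FIELD": "magnetometer",
    "TYPE_PRESSURE": "barometer",
    "TYPE_LIGHT": "ambient light",
    "TYPE_PROXIMITY": "proximity",
}
MOTION = {"accelerometer", "gyroscope", "magnetometer"}
SENSOR_CALL = re.compile(r"getDefaultSensor\(\s*(?:Sensor\.)?(TYPE_[A-Z_]+)")
# Crude signal that the listener lives in a Service, i.e. can run off-screen.
SERVICE_CLASS = re.compile(r"class\s+\w+\s*(?:extends|:)\s*\w*Service\b")

def audit_source(files):
    """files: {path: source text}. Returns sensor use per file plus a review flag."""
    findings = []
    for path, text in sorted(files.items()):
        sensors = {SENSOR_TYPES[m] for m in SENSOR_CALL.findall(text) if m in SENSOR_TYPES}
        if not sensors:
            continue
        background = bool(SERVICE_CLASS.search(text))
        # Assumed rule: motion plus light/proximity, read in the background, needs review.
        mixed = bool(sensors & MOTION) and bool(sensors & {"ambient light", "proximity"})
        findings.append({"file": path, "sensors": sorted(sensors),
                         "background": background, "review": mixed and background})
    return findings

# Constructed sample sources (not taken from any real app).
SAMPLE = {
    "app/StepCounter.java": """
        public class StepCounter extends Activity {
            void start(SensorManager sm) {
                sm.registerListener(this, sm.getDefaultSensor(Sensor.TYPE_ACCELEROMETER), SensorManager.SENSOR_DELAY_UI);
            }
        }""",
    "app/SyncService.java": """
        public class SyncService extends Service {
            void start(SensorManager sm) {
                sm.registerListener(this, sm.getDefaultSensor(Sensor.TYPE_GYROSCOPE), SensorManager.SENSOR_DELAY_FASTEST);
                sm.registerListener(this, sm.getDefaultSensor(Sensor.TYPE_LIGHT), SensorManager.SENSOR_DELAY_FASTEST);
            }
        }""",
}

if __name__ == "__main__":
    for finding in audit_source(SAMPLE):
        print(finding)
```

A flag here is only a prompt for manual review: a legitimate app can have good reasons to read several sensors, and the regexes see only direct, unobfuscated calls.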

A valuable moral for password managers

This study clearly shows that even the most trusted authentication methods, like the PIN code, can be compromised, and it’s up to users and developers to prevent sensitive data from being stolen. Thankfully, the best password management solution providers have already realized this, and as a matter of fact most of the password managers that we have tested use Google Authenticator, an app that generates a random set of six-digit numbers that expire after a minute, therefore preventing malicious apps from ever guessing what the code is.

Still, password management apps for smartphones do provide the option to replace the default master password with a simpler four-digit PIN code. But now that we’ve seen what the NTU’s app is capable of, it’s better to be safe than sorry and either switch to biometric authentication or stick to typing in the good old master password.
