Security in the modern Android ecosystem is pretty good for the most part, but there's a big problem that nobody seems to be able to solve: the sensors in your phone could potentially be used to collect all of the movement data necessary to figure out any password, PIN, or pattern entered into the device. Most of the sensors that can capture such data, such as the accelerometer and gyrometer, don't require an app to hold special permissions to read them, unlike the camera and GPS. Even more alarmingly, researchers conducted a survey and found people to be largely unaware of these rather grave security risks.
There are 25 such sensors in total, according to the team of security researchers that conducted the study. Since most of those sensors needed few or no permissions for apps to access them, they could, for the most part, be used by just about any app to monitor a user's activity and input. Subtle movements picked up by the accelerometer and gyrometer, for example, could capture touches and typing well enough for researchers to use that data to crack four-digit PIN codes with a roughly 70-percent success rate on the first guess. By the fifth guess, the accuracy rate rose to 100 percent, the study found. The researchers did not test long passwords or lock screen patterns, but the implications here are quite clear: with enough time and data, it could be entirely possible for hackers to crack these sorts of security measures.
This type of data harvesting could be conducted by any app, or even by browser-based exploits, the study reveals. More alarmingly, researchers found that some browser exploits stuck around and monitored the device until the user forcibly closed the app and kicked it out of the device's RAM. With users largely unaware of the security risks, or even of the functions of most of the 25 sensors that the security team found could compromise user data, developers of malicious apps and exploits essentially have free rein to steal user information at this point. Security professionals have yet to come up with a way to keep this sort of data breach from happening, aside from requesting granular permissions for all sensors, and even that wouldn't help if a user carelessly grants those permissions.