
Enhance the Security of Graphical Password for Mobile Application Passcode by Using VAP Code

Research Methodology in Computing and Technology (RMCT)

Student Name: Amni Amira Binti Redzuan

TP Number: TP043736

Intake Code: UC2F1808IT (ISS)

Module Code: CT098-3-2

Module Title: Research Methodology in Computing and Technology (RMCT)

Assessment Title: Research Paper

Assessment Type: Individual work

Submission date: 2 May 2019

Lecturer: Dr. Siti Sarah Binti Maidin


Contents
1. Introduction
2. Research Background
3. Problem Statement
4. Aims and Objectives
5. Research Questions
6. Significance of the work
7. Methodology
8. Overview of the Proposed System
9. Conclusion
10. References
11. Appendices
RMCT Marking Sheet

ENHANCE THE SECURITY OF GRAPHICAL PASSWORD FOR
MOBILE APPLICATION PASSCODE BY USING VAP CODE

Amni Amira Binti Redzuan


Asia Pacific University
amniredzuan@gmail.com

Abstract— Nowadays, millennials spend more time using mobile applications than web applications. With the availability of smartphones, people frequently open the various mobile applications installed on them, especially social media such as WhatsApp, to communicate globally. However, most users do not secure their mobile applications and are exposed to various types of attack, such as shoulder surfing, intersection attacks and other prominent attacks. Therefore, in this research paper I propose an enhancement of the mobile application passcode.

Index Terms— Authentication, Graphical Password, Security, VAP Code.

1. Introduction

Around 18.4 million people actively use smartphones in Malaysia. Tablets and smartphones are now essential tools that help users carry out their daily tasks, and users rely on various mobile applications to make those tasks easier. For that reason, people keep confidential information, contact details, images and other private data in these applications. However, most users do not take even a basic step to protect their mobile applications. They should set a passcode on each chosen application that must be entered before it opens. Based on research, 34% of smartphone consumers did not have a simple code to lock their screen [1]. This leaves the applications open for hackers to breach. In general, two methods of user authentication are common among consumers: text-based passwords and graphical passwords. Mobile graphical passwords have recently been adopted rapidly because they are easy to use and because pictures are easier to remember than text. However, any user authentication method is vulnerable to attacks such as dictionary and brute-force attacks. This paper discusses an enhancement of the mobile application passcode that combines techniques to create the VAP code.

2. Research Background

A review of the available literature provides a wealth of examples of authors advocating various types of user authentication scheme. On the one hand, the text-based password is the earliest and most popular type of authentication scheme and is used by many electronic devices. It is very popular in applications because of its convenience and usability [2]. On the other hand, the graphical password is another commonly used form of user authentication. It has been shown that humans remember images better than text [3]. Graphical passwords are generally useful for tools that do not have keyboards, and they offer the possibility of addressing known weaknesses in text passwords [4]. Several lines of evidence have been adduced on both sides about the usability goals of these schemes, but few studies directly address the question: are user authentication schemes vulnerable to different kinds of security attacks?

According to [2], text-based passwords enable web applications and service platforms to handle collaborative information sharing and resource management. In terms of usability, text-based passwords are convenient and suitable for users. This is similar to the findings of [5], who reported that authentication interfaces must be designed to take advantage of users' natural abilities, and of [6], who found that users mostly prefer usability to security. Smartphone owners tend to choose simple, short passwords that can easily be broken, while secure passwords are hard to remember.

However, [7] argued that authentication impedes usability if security is not considered central to the efficacy of the system. Because passwords are simple and short, a few cryptanalysts have found various vulnerabilities in text-based passwords, such as social engineering, guessing, brute-force and dictionary attacks. This is supported by [2], who demonstrated that the memorability issues of text-based passwords pose a few problems for service providers on platforms where identity management is a key concern. Application examples emerge in social media, online commerce, and the management of critical infrastructure such as smart micro-grids. A further concern is that a lot of confidential information is shared through mobile applications, which attracts attackers to launch inferential attacks on users.

In contrast, the graphical password scheme is more compatible with smart devices because of their heavily graphics-oriented nature. Many psychological studies have observed that humans recall visual images more effortlessly than text. A graphical password is therefore less likely to be written down [8]. One conclusion to be drawn is that the graphical password is better than the text-based password in terms of security and memorability. In addition, the graphical password scheme has been shown to resist major password attacks better than other schemes. This claim is supported by similar research in [9], [10] and [3]. Moreover, graphical passwords offer a larger symbol space than text-based passwords, which makes them preferable on smart devices [11]. These studies reached a result similar to [7], which stated that the graphical password is suitable for the Android unlock scheme or a mobile application passcode, which is the only graphical password scheme widely used in smartphones because the scheme is easy to use.

Although graphical authentication has been proposed as a possible alternative to text-based authentication, existing graphical password schemes are also vulnerable to various attacks and threats, namely shoulder surfing, smudge, brute-force, intersection and reflection attacks, among others [12]. [11] holds the same view, that shoulder surfing and spyware attacks are common threats to different graphical password schemes. As we can observe, the Android unlock scheme is not used for authentication in online systems because of its security weaknesses. Secure graphical password schemes have timing and adoptability issues: they require a large amount of physical and mental work for authentication, and users must remember different kinds of passwords, which is why many usability issues arise. Some vulnerabilities of the Android pattern lock screen were exposed by [4]: with the use of a camera, smudge attacks were performed on smartphone screens to recover the traces and oily residues left by their owners. The overall password space of the authentication scheme was also calculated (using brute-force methods). The authors in [5] replicated these experiments and were particularly interested in human factors that might affect the choice of a pattern. They investigated the occurrence of specific attributes such as sub-patterns and starting points, and combined smudge attacks with their conclusions to reveal patterns drawn on smartphones. In a recent work, [13] studied user preferences for the patterns of the authentication scheme with a bigger group of respondents. They evaluated the strength of the patterns and argued that even a small change in the pattern layout can make the authentication more secure.

Most available graphical password schemes fail to prevent the different attacks identified above. Thus, there is a research gap to be filled and investigated in this paper. The proposed mobile application passcode system can help tackle major prominent attacks such as smudge, intersection and reflection attacks, and many more.

3. Problem Statement

1) Poor protection of the graphical password scheme due to its vulnerability to security attacks.

Based on the research background, the graphical password is much better than the textual password; however, it is still vulnerable to attack. Most of these security attacks are smudge, shoulder surfing, reflection and intersection attacks. Firstly, the smudge attack is hard to counter. The oily residues or smudges that remain after users enter their password can be accumulated and analyzed, even with the camera of a smart device [11]. Next, the shoulder surfing attack can be considered a prominent threat because the attacker can use a high-resolution camera to capture the password by glancing over the user's shoulder. It can also be done by eavesdropping on private conversations. Moreover, the password scheme is more vulnerable to shoulder surfing when the smartphone is used in a crowd, where it is difficult to detect who is glancing at the screen. A recent study found that, using a variety of lighting angles and light sources as well as various camera angles (a 60° angle for the best output) set up with respect to the orientation of the phone, it is possible to partially unlock a screen in around 92% of cases, and fully in around 68% of cases [14]. It is also possible to determine a graphical password from its reflection (especially at a 60° angle) on a user's sunglasses, which is known as a reflection attack. In addition to the aforementioned attacks, most image-based graphical passwords are also vulnerable to another attack, namely the intersection attack. In an image-based graphical password, a set of images is presented as confronting and decoy icons, which are distorted in every round [4].

2) Lower feasibility of the graphical password scheme due to the user authentication interface.

Furthermore, a problem arises from the feasibility of the authentication interface. As we can observe, the small screen size of smartphones creates difficulty for users of text-based password schemes, for example the tiny on-screen keyboard and the limited password length. Users with fat fingers or weak vision face the same issues when unlocking the passcode. Because of these difficulties, typing turns out to be inefficient and less accurate. Many psychological studies have observed that people remember images more easily than text; thus, a graphical password is less likely to be jotted down [8]. Therefore, the proposed passcode scheme will enlarge the size of the pattern grid and give the user good feasibility.

4. Aims and Objectives

This research aims to enhance the security of graphical password for mobile application passcode. The research
objectives are based on the research questions.

1) To identify the prominent attacks on graphical passwords for better protection of user authentication.

2) To evaluate the threats and different types of security attack on graphical passwords for better protection of user authentication.

3) To develop a proposed interface scheme for improving the feasibility of user authentication.

5. Research Questions

1) What are the common threats posed by security attacks on the passcode?

2) How does the current graphical password scheme affect the security of the passcode?

3) Which interface design performs best in improving the feasibility of the graphical password scheme?

6. Significance of the work

This research is important for Malaysia's development towards becoming a developed nation and a global ICT hub. Under the 11th Malaysia Plan (RMK11), the government is looking to increase the ICT contribution to gross domestic product to 17 percent from that of the recent RMK10 [15]. Thus, strong security protection is necessary to secure government systems from security breaches. It must start with the people or the community itself. Each individual holds the responsibility to protect their own data and information from exposure. Individual data must be protected in a very secure way to reduce cyber-crime in Malaysia. Nowadays, mobile applications are a common technology, and most companies, including government sectors, use mobile applications to ease their business. Therefore, the implementation of a graphical password for each mobile application passcode is needed to secure the applications in use. The use of the VAP code will be aligned with the security culture, which facilitates social well-being and stability as mentioned under the National Cyber Security Policy [16]. The authentication scheme in this research is crucial for creating awareness in the community about protecting their own data and preventing confidential data from being stolen. In doing so, it will also meet the key function of the Malaysia Cyber Security Center to spread awareness of information security globally [17].

7. Methodology

Our work aims to enhance the security of the graphical password for the mobile application passcode. Our goal is to identify the prominent security attacks on graphical passwords and to develop a proposed interface scheme that improves the feasibility of user authentication. The methodology and research design are therefore intended to obtain valid data, gain exact information and draw a conclusion about the system that will be proposed. This can be done using quantitative research, as it investigates the research questions directly using scientific methods. The data will be collected in numerical form and analyzed properly according to the relevant analysis techniques [18]. The main reason for using quantitative research is to acquire clear and measurable facts about user satisfaction with the graphical password scheme.

Through the quantitative research, a structured questionnaire survey will be conducted. This data collection method is chosen because the questions will be formulated in a straightforward manner and it provides higher levels of objectivity. Moreover, it is a flexible, easy and inexpensive way to distribute the questions, and there is no time limit for respondents to complete the questionnaire. This puts less pressure on respondents and gives them the leisure to ponder each question, hence giving more precise answers [19]. Specifically, the answers are gathered through closed-ended questions, comprising multiple-choice questions and scaled questions with seven-point scales. This type of question yields higher response rates and allows the researcher to compare and interpret the data directly. However, closed-ended questions could lead to bias, since they have no statistical significance owing to the limited answers offered. Thus, open-ended questions are also used to obtain free-form answers and user opinions about the proposed system.

According to [20], the bigger the sample size, the more information we gain and thus the lower our uncertainty. With a minimum of 400 respondents, the data is collected through a random sampling design to obtain a precise representation of a wide population. As stated by [20], a sample is a part of the elements taken from a population and is considered representative of that population. Hence, each person in the population has an equal chance of being chosen randomly according to the criteria needed in this study. Based on this scenario, the sample consists of a total of 400 respondents (aged 18 to 50) from various demographics, including employees, students, lecturers, staff and instructors in Technology Park Malaysia (TPM), who have used smartphones for at least one year. The respondents had a wide range of backgrounds such as information technology, business, accounting, engineering, economics and math.

To conduct the survey, Google Forms and printed forms are used to gather data from the users. The questionnaire is broken down into three parts: the first part collects background information about the users and their smartphone usage behavior, the second part identifies the security issue, and the last part captures their experience of using the authentication scheme and their level of satisfaction. After the data from the different sources is merged, it is cleaned: the researcher removes any invalid, redundant and incomplete data. The data is then analyzed by looking for relations and patterns within it. Microsoft Excel is a convenient and easy tool for interpreting the data. The entire questionnaire is analyzed using descriptive statistics, as this is the quickest way to capture means and standard deviations. The process is straightforward, as it can organize the columns properly, including the empty cells [21].

8. Overview of the Proposed System

In this research paper, I propose to use the VAP code to enhance the mobile application passcode. VAP stands for Vibration And Pattern code, which combines two techniques: the vibration code and the pattern lock. The proposed passcode scheme is derived by turning the existing vibration technique into a unique code and merging it with a pattern locking system. The main purpose of combining the techniques is to provide a larger area for the password scheme and to strengthen the security of the mobile application against attack. The interface, or grid, of the passcode scheme will use only four rectangular cells, as in Figure 1, to give a larger cell area. This is intended to meet the research objective of giving the user a feasible interface. Furthermore, it is difficult to perform the vibration code within a smaller sensing area. One major benefit of the proposed system is that it needs no extra hardware beyond the smartphones and tablets themselves. The software used to build this passcode is the Android Studio platform, because it is easy to use, effective and actively used in Android development. With Android Studio, it is easier to design the passcode interface because the design tools respond to changes faster [22]. Moreover, Android Studio saves time in coding the passcode scheme, as it has features such as code completion that ease the process of building the VAP code. The programming language used to create the new vibration code is Java. The Java compiler is a good choice in Android Studio, since Java has a lot of supporting libraries and a runtime.
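
Added example (not code from the paper or from any cited work): a Python enumeration of the stroke-pattern space mentioned in Section 2 for the Android pattern lock, applied also to the four-cell grid proposed above. It assumes Android-style rules (each cell used at most once, a stroke cannot skip an unvisited cell lying on its line) and counts only the pattern component; the paper does not specify the vibration encoding, so none is modelled.

```python
from math import gcd, log2


def count_patterns(rows, cols, min_len=1):
    """Count stroke patterns on a rows x cols grid, grouped by length.

    Assumed rules (Android-style, not taken from the paper): every cell is
    used at most once, and a stroke may pass over a cell lying exactly on
    the line between two cells only if that cell was already visited.
    """
    cells = [(r, c) for r in range(rows) for c in range(cols)]

    def cells_between(a, b):
        # Lattice cells strictly between a and b on the straight segment.
        dr, dc = b[0] - a[0], b[1] - a[1]
        g = gcd(abs(dr), abs(dc))
        return [(a[0] + k * dr // g, a[1] + k * dc // g) for k in range(1, g)]

    between = {(a, b): cells_between(a, b)
               for a in cells for b in cells if a != b}
    counts = {n: 0 for n in range(min_len, len(cells) + 1)}

    def extend(last, visited):
        # Every prefix that is long enough is itself a valid pattern.
        if len(visited) >= min_len:
            counts[len(visited)] += 1
        for nxt in cells:
            if nxt in visited:
                continue
            if all(mid in visited for mid in between[(last, nxt)]):
                visited.add(nxt)
                extend(nxt, visited)
                visited.remove(nxt)

    for start in cells:
        extend(start, {start})
    return counts


def pattern_space(rows, cols, min_len=1):
    """Return (number of patterns, equivalent entropy in bits)."""
    total = sum(count_patterns(rows, cols, min_len).values())
    return total, log2(total)


if __name__ == "__main__":
    # Constructed cases: the 3x3 Android lock (4 to 9 cells) and a 2x2 grid.
    for label, args in [("3x3 grid, 4 to 9 cells", (3, 3, 4)),
                        ("2x2 grid, 1 to 4 cells", (2, 2, 1))]:
        total, bits = pattern_space(*args)
        print(f"{label}: {total} patterns, about {bits:.1f} bits")
```

Under these assumptions the four-cell grid yields 64 stroke patterns (6 bits) against 389,112 (about 18.6 bits) for the 3x3 Android lock, so the pattern component alone is small and resistance to guessing depends on what the vibration component adds.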

9. Conclusion

In a nutshell, the existing passcode mechanism is not enough to offer protection against the different types of prominent attack. The proposed new scheme using the VAP code could give better performance in terms of usability and security. The passcode scheme will be implemented on any Android platform after the reliability of the system has been confirmed through analysis of user testing. In future work, the developer will implement the VAP code on iOS so that it can be used on both platforms. However, the passcode scheme will need to be improved, as in the future attackers may find a way to break the code.

10. References

[1] H. Weisbaum, "Most Americans don’t secure their smartphones," 2014. [Online]. Available: https://www.cnbc.com/2014/04/26/most-americans-dont-secure-their-smartphones.html. [Accessed 25 April 2019].

[2] S. Z. Nizamani, S. R. Hassan, M. Z. Jali and T. J. Khanzada, "A Text based Authentication Scheme for Improving Security of Textual Passwords,"
International Journal of Advanced Computer Science and Applications, vol. 8, no. 7, pp. 513-521, 2017.

[3] R. Biddle, S. Chiasson and P. v. Oorschot, "Graphical Passwords: Learning from the First Twelve Years," Journal School of Computer Science, vol. 1, no. 1,
pp. 1-25, 2011.

[4] O. Ayannuga, "A Review of the Security and Usability Features of Different Graphical Password Authentication Schemes B," African Journal of Computing
& ICT, vol. 5, no. 5, pp. 99-112, 2012.

[5] P. Andriotis, G. Oikonomou, A. Mylonas and T. Tryfonas, "A study on usability and security features of the Android pattern lock screen," Information & Computer Security, vol. 24, no. 1, pp. 53-72, 2016.

[6] A. H. Lashkari, "A survey on usability and security features in graphical user authentication algorithms," International Journal of Computer Science and
Network Security, vol. 9, no. 9, pp. 192-204, 2009.

[7] A. Das and H. U. Khan, "Security behaviors of smartphone users," Information & Computer Security, vol. 24, no. 1, pp. 116-134, 2016.

[8] S. Furnell, I. Papadopoulas and P. Dowland, "A long-term trial of alternative user authentication technologies," Information Management & Computer
Security, vol. 12, no. 2, pp. 178-190, 2004.

[9] W. Meng, "Evaluating the effect of multi-touch behaviours on Android unlock patterns," Information & Computer Security, vol. 24, no. 3, pp. 277-287, 2016.

[10] V. K. Kolekar and M. B. Vaidya, "A Review of Captcha and Graphical Passwords to Enhance Security and Usability to Next Level," International Journal of
Science and Research (IJSR), vol. 4, no. 5, pp. 3271-3274, 2015.

[11] S. Azad, M. Rahman, M. N. Ranak, B. K. Ruhee, N. N. Nisa, N. Kabir and A. Rahman, "vap code: A secure graphical password for smart devices," Computers
and Electrical Engineering, vol. 11, no. 2, pp. 1-21, 2016.

[12] I. Irakleous, S. Furnell, P. Dowland and M. Papadaki, "An experimental comparison of secret-based user authentication technologies," Information
Management & Computer Security, vol. 10, no. 3, pp. 100-108, 2002.

[13] F. Alain, S. Chiasson and R. Biddle, "User-centred authentication feature framework," Information & Computer Security, vol. 23, no. 5, pp. 497-515, 2015.

[14] Y. Kita, F. Sugai, M. Park and N. Okazaki, "Proposal and its Evaluation of a Shoulder-Surfing Attack Resistant," The Society of Digital Information and Wireless Communications, vol. 2, no. 1, pp. 48-55, 2013.

[15] Privacy Shield, "Malaysia - Information & Communications Technology," 2018. [Online]. Available: https://www.privacyshield.gov/article?id=Malaysia-Information-Communications-Technology. [Accessed 15 April 2019].

[16] Ministry of Science, Technology and Innovation, "The National Cyber Security Policy," 2019. [Online]. Available: https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/Malaysia%20Cyber%20Security%20Policy.pdf. [Accessed 15 April 2019].

[17] Ministry of Science, Technology And Innovation, "National Cyber Security," 2019. [Online]. Available: https://cnii.cybersecurity.my/main/ncsp/NCSP-Policy2.pdf. [Accessed 15 April 2019].

[18] USC Libraries, "Organizing Your Social Sciences Research Paper: Quantitative Methods," 2019. [Online]. Available:
https://libguides.usc.edu/writingguide/quantitative. [Accessed 20 April 2019].

[19] S. Debois, "9 Advantages and Disadvantages of Questionnaires," 2016. [Online]. Available: https://surveyanyplace.com/questionnaire-pros-and-cons/.
[Accessed 4 5 2018].

[20] J. M. Maher, J. C. Markey and D. E. May, "Effect Size Analysis in Quantitative Research," CBE—Life Sciences Education, vol. 12, no. 3, pp. 101-121, 2017.

[21] J. Leahy, "Using Excel for Analyzing Survey Questionnaires," 2004. [Online]. Available: https://learningstore.uwex.edu/assets/pdfs/G3658-14.pdf. [Accessed
20 April 2019].

[22] M. Rajput, "Why Android Studio Is Better For Android Developers Instead Of Eclipse," 2015. [Online]. Available: https://dzone.com/articles/why-android-studio-better. [Accessed 18 April 2019].

11. Appendices

Table 1 : Research Question and Research Objective

Figure 1: 2x2 pattern grid of VAP code

Figure 2 : Turnitin Percentages

RMCT Marking Sheet Student Name: Amni Amira Binti Redzuan


Student ID: TP043736
Criteria weig

C1 English Writing, Grammar and Spelling 5

C2 Background of the Research/Literature Review 20

C3 Problem Statement and Research Questions 10

C4 Aim & Objectives 10

C5 Justification of the Research 10

C6 Research Methodology 10

C7 Overview of Proposed System 10


C8 Citations and References 5

C9 Presentation 10
Presentation
(20%)

C10 Slides Quality 5


C11 Questions and Answers 5
Total Mark of this assignment * 100
