Thieves can decipher the secret codes by tracking motion sensors and extract personal details - including online banking data.
Smartphones and tablets now come with more than two dozen internal sensors used for anything from gaming to GPS.
Analysing the movement of the device as we type in information researchers cracked four-digit PINs with 70 percent accuracy on the first guess using only the data collected via the sensors. By the fifth guess the success rate was 100 percent.
The study found each user touch action - clicking, scrolling, holding and tapping - induces a unique orientation and motion trace.
On a known webpage the team were able to determine what part the user was clicking on - and what they were typing.
Computer scientist Dr Siamak Shahandashti, of Newcastle University, said: “It’s a bit like doing a jigsaw - the more pieces you put together the easier it is to see the picture.
“Depending on how we type - whether you hold your phone in one hand and use your thumb, or perhaps hold with one hand and type with the other, whether you touch or swipe - the device will tilt in a certain way and it’s quite easy to start to recognise tilt patterns associated with ‘Touch Signatures’ that we use regularly.
“So the internal sensors each provide a different bit of the jigsaw. Personal fitness trackers which you wear on your wrist and, by their very nature, are designed to track the movement of your hand and pass information to your online profile pose a whole new threat.
“Potentially, they are able to provide additional information which, when combined with this sensor data, will make it even easier to decipher personal information.”
It reveals how easy it is to use malicious websites - as well as installed apps - to spy on us using just the information from the sensors.
Sensors are now commonplace in smart devices and are largely responsible for the boom in mobile gaming and health and fitness apps, and soon in all devices using the Internet of Things (IoT).
Dr Mehrnezhad said there are some simple rules people should follow:
- Make sure you change PINs and passwords regularly so malicious websites can’t start to recognise a pattern.
- Close background apps when you are not using them and uninstall apps you no longer need.
- Keep your phone operating system and apps up to date.
- Only install applications from approved app stores.
- Audit the permissions that apps have on your phone.
- Scrutinise the permission requested by apps before you install them and choose alternatives with more sensible permissions if needed.