Touch Screen Password Guessing by Fingerprint Trace

This is known as a 'Smudge Attack'

It really depends on how much you've used your phone since you've last unlocked it, but the general principle still stands. If you use the pattern feature of Android phones, this can be particularly obvious.

The University of Pennsylvania published a research paper on the topic and basically concluded that they could figure out the password over 90 percent of the time.

The study also found that “pattern smudges,” which build up from writing the same password numerous times, are particularly recognizable.

Furthermore:

“We showed that in many situations full or partial pattern recovery is possible, even with smudge ‘noise’ from simulated application usage or distortion caused by incidental clothing contact,”

While this is a plausible risk, it is not a particularly practical vulnerability, as an attacker needs physical access to your phone. Using a PIN code over a pattern may reduce the chance of this presenting a threat, but it still exists depending on the strength of your PIN and the cleanliness of your hands/screen. However, these same researchers postulate another possible attack using the heat residue left by contact between your fingers and the screen, which would be another problem altogether.

Obviously, cleaning your screen after every use is a practical (and not too difficult) defense against this specific attack. I'd expect that if you have used your phone (say to make calls/send a message/any kind of web browsing) it would also sufficiently obfuscate the patterns/codes. From examining my screen this seems to be the case.


One way to mitigate smudge attacks on smart phones is with an application called WhisperCore. It arranges the numbers vertically and it then asks you to wipe the screen in order to unlock the phone, obfuscating the original smudges.


If you use a pattern to lock your phone, after you input the correct pattern, it shows a screen full of stars. Swipe the highlighted stars to unlock the phone, again obfuscating the original smudge pattern.


Of course, the application basically works as a mandatory reminder to wipe your screen, but it does so in a way that makes it less annoying to wipe your screen every time you unlock your phone.

Image source: Android Police


There was a paper (will try and find it) that gave a very good explanation of a security improvement:

Using one of the digits at least twice, in a pass code of more than 4 digits

Basically, the "swipe a pattern" option is very easy to see - even at a distance it can be shoulder surfed. Have a look at this paper for some interesting information on techniques.

A 4 digit pin is what most users end up choosing, if they use the pin option, so it is what most attackers will try, and holding the phone up to the light lets you see the pin quite clearly. If however you have a 6 digit pin where 2 of the digits are used twice, the attack space becomes quite challenging, as the attacker doesn't know whether you use a 4 digit pin, a 5 or even more - they are likely to start with a 4 and are more likely to lock the phone than get into it.
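The answer above argues that repeating digits in a longer PIN enlarges the attacker's search space even when the smudges reveal which digits were touched. The following is an added worked example (not code from the original answers or from the paper they cite) that quantifies that argument: it counts how many PINs of each length are consistent with a given number of distinct smudge marks, using inclusion-exclusion, and cross-checks the closed form by brute-force enumeration. The digit strings and length limits used are constructed sample values, and the model assumes the only information leaked is the set of distinct digits touched.

```python
from itertools import product
from math import comb


def surjective_count(distinct: int, length: int) -> int:
    """Number of digit sequences of `length` that use each of `distinct`
    visible digits at least once (inclusion-exclusion over omitted digits).
    This is the candidate count once smudges reveal exactly `distinct` keys."""
    if length < distinct:
        return 0
    return sum(
        (-1) ** k * comb(distinct, k) * (distinct - k) ** length
        for k in range(distinct + 1)
    )


def enumerate_candidates(digits: str, length: int) -> list:
    """Brute-force cross-check: list every sequence of `length` drawn from
    `digits` that uses every one of them (constructed inputs, small sizes only)."""
    wanted = set(digits)
    return [p for p in product(digits, repeat=length) if set(p) == wanted]


def search_space(distinct_smudges: int, max_length: int) -> dict:
    """Candidates an attacker must consider when `distinct_smudges` keys show
    marks and the PIN length is unknown, for lengths 4 through `max_length`."""
    return {n: surjective_count(distinct_smudges, n) for n in range(4, max_length + 1)}


def unsmudged_baseline(length: int) -> int:
    """Search space with no smudge information at all (10 possible digits)."""
    return 10 ** length


if __name__ == "__main__":
    # Four distinct smudges: a 4-digit PIN leaves only 4! = 24 orderings,
    # but a 6-digit PIN reusing two of them leaves 1560 candidates.
    for n, count in search_space(4, 6).items():
        print(f"{n}-digit PIN over 4 visible digits: {count} candidates")
    print("no smudge info, 4 digits:", unsmudged_baseline(4))
```

Running it shows why the answer's advice helps: with four smudged keys, a 4-digit PIN has only 24 candidates, while a 6-digit PIN built from the same four digits has 1560, and the attacker must also guess the length before exhausting a limited number of unlock attempts.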