
Pattern unlock. Incredibly insecure.


I think out in the real world they are insecure because it's easy to shoulder-surf and get a peek at the pattern being input. Overall they are probably similar to PIN codes... some people just have 0000 as their PINs, or draw an L for a pattern.

Sending a phone in for repair negates the shoulder-surf issue but yeah.

Perhaps Google just has a backdoor.


I think it's easy to guess patterns because people all use one of a small number of simple patterns. Everyone uses the geometrical equivalent of hunter2 or 123456, but they irrationally think it's more secure because it's a pattern.


Why?


1. Easy to view & remember.

2. The oil smear is visible in reflected light, and that pattern is not quickly overwritten by using the device.

3. Typical gesture patterns mean gestures start from similar positions (high) and are frequently unoriginal.

4. Gestures are simpler than the equivalent code (e.g. the passcodes 1397 and 1235987 are gesturally identical).

5. In practice the reality of finger sizes means that join-the-dots encourages users to draw a gesture using only adjacent dots (e.g. connecting dot 1 to 2, 4 or 5, rather than 1 to 6 or 8).


Probably because there are a few "popular" patterns that many people use.



