A group of researchers at Duke University have created a new tool designed to keep malicious applications from stealing user passwords from smartphones running Google Android.
Dubbed ScreenPass, the code runs as part of the phone’s operating system and works as a crossing guard of sorts between local apps and remote servers.
“Users routinely access cloud services through third-party apps on smartphones by giving apps login credentials (i.e., a username and password),” the team wrote in a paper outlining their research. “Unfortunately, users have no assurance that their apps will properly handle this sensitive information.”
“ScreenPass secures passwords by ensuring that they are entered securely, and uses taint-tracking to monitor where apps send password data,” the paper explains. “The primary technical challenge addressed by ScreenPass is guaranteeing that trusted code is always aware of when a user is entering a password.”
According to the researchers, ScreenPass does this by including a trusted software keyboard so users can specify their passwords’ domains as they are entered as a means of tagging the password and by performing optical character recognition on a device’s screen buffer to ensure that the passwords are entered only through the trusted software keyboard.
While Google Android and Apple iOS offer integrated account services for various services such as Google, Twitter and Facebook, those account services do not prevent malicious apps from asking a user for their login credentials, the researchers noted.
“If a malicious app can trick a user into inputting their password through a fake keyboard, then there is no way to guarantee that an app’s password is sent only to the right servers,” Duke computer scientist Landon Cox, one of the authors of the tool, told Duke Today in an interview. “If ScreenPass detects an untrusted keyboard, then an app may be trying to “spoof” the secure keyboard in order to steal the user’s password.”
The team’s paper can be read here.