A group of researchers at Duke University have created a new tool designed to keep malicious applications from stealing user passwords from smartphones running Google Android.
Dubbed ScreenPass, the code runs as part of the phone’s operating system and works as a crossing guard of sorts between local apps and remote servers.
“Users routinely access cloud services through third-party apps on smartphones by giving apps login credentials (i.e., a username and password),” the team wrote in a paper outlining their research. “Unfortunately, users have no assurance that their apps will properly handle this sensitive information.”
“ScreenPass secures passwords by ensuring that they are entered securely, and uses taint-tracking to monitor where apps send password data,” the paper explains. “The primary technical challenge addressed by ScreenPass is guaranteeing that trusted code is always aware of when a user is entering a password.”
According to the researchers, ScreenPass does this by including a trusted software keyboard so users can specify their passwords’ domains as they are entered as a means of tagging the password and by performing optical character recognition on a device’s screen buffer to ensure that the passwords are entered only through the trusted software keyboard.
While Google Android and Apple iOS offer integrated account services for various services such as Google, Twitter and Facebook, those account services do not prevent malicious apps from asking a user for their login credentials, the researchers noted.
“If a malicious app can trick a user into inputting their password through a fake keyboard, then there is no way to guarantee that an app’s password is sent only to the right servers,” Duke computer scientist Landon Cox, one of the authors of the tool, told Duke Today in an interview. “If ScreenPass detects an untrusted keyboard, then an app may be trying to “spoof” the secure keyboard in order to steal the user’s password.”
The team’s paper can be read here.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- In Other News: New Analysis of Snowden Files, Yubico Goes Public, Election Hacking
- China’s Offensive Cyber Operations in Africa Support Soft Power Efforts
- Air Canada Says Employee Information Accessed in Cyberattack
- BIND Updates Patch Two High-Severity DoS Vulnerabilities
- Faster Patching Pace Validates CISA’s KEV Catalog Initiative
- SANS Survey Shows Drop in 2023 ICS/OT Security Budgets
- Apple Patches 3 Zero-Days Likely Exploited by Spyware Vendor to Hack iPhones
- New ‘Sandman’ APT Group Hitting Telcos With Rare LuaJIT Malware
