Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Duke Researchers Develop Tool to Protect User Passwords on Android

A group of researchers at Duke University have created a new tool designed to keep malicious applications from stealing user passwords from smartphones running Google Android.

Dubbed ScreenPass, the code runs as part of the phone’s operating system and works as a crossing guard of sorts between local apps and remote servers.

A group of researchers at Duke University have created a new tool designed to keep malicious applications from stealing user passwords from smartphones running Google Android.

Dubbed ScreenPass, the code runs as part of the phone’s operating system and works as a crossing guard of sorts between local apps and remote servers.

“Users routinely access cloud services through third-party apps on smartphones by giving apps login credentials (i.e., a username and password),” the team wrote in a paper outlining their research. “Unfortunately, users have no assurance that their apps will properly handle this sensitive information.”

“ScreenPass secures passwords by ensuring that they are entered securely, and uses taint-tracking to monitor where apps send password data,” the paper explains. “The primary technical challenge addressed by ScreenPass is guaranteeing that trusted code is always aware of when a user is entering a password.”

According to the researchers, ScreenPass does this by including a trusted software keyboard so users can specify their passwords’ domains as they are entered as a means of tagging the password and by performing optical character recognition on a device’s screen buffer to ensure that the passwords are entered only through the trusted software keyboard.

While Google Android and Apple iOS offer integrated account services for various services such as Google, Twitter and Facebook, those account services do not prevent malicious apps from asking a user for their login credentials, the researchers noted.

“If a malicious app can trick a user into inputting their password through a fake keyboard, then there is no way to guarantee that an app’s password is sent only to the right servers,” Duke computer scientist Landon Cox, one of the authors of the tool, told Duke Today in an interview. “If ScreenPass detects an untrusted keyboard, then an app may be trying to “spoof” the secure keyboard in order to steal the user’s password.”

The team’s paper can be read here.

Written By

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Cyberwarfare

Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since when they still...