CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Duke Researchers Develop Tool to Protect User Passwords on Android

A group of researchers at Duke University have created a new tool designed to keep malicious applications from stealing user passwords from smartphones running Google Android.

Dubbed ScreenPass, the code runs as part of the phone’s operating system and works as a crossing guard of sorts between local apps and remote servers.

A group of researchers at Duke University have created a new tool designed to keep malicious applications from stealing user passwords from smartphones running Google Android.

Dubbed ScreenPass, the code runs as part of the phone’s operating system and works as a crossing guard of sorts between local apps and remote servers.

“Users routinely access cloud services through third-party apps on smartphones by giving apps login credentials (i.e., a username and password),” the team wrote in a paper outlining their research. “Unfortunately, users have no assurance that their apps will properly handle this sensitive information.”

“ScreenPass secures passwords by ensuring that they are entered securely, and uses taint-tracking to monitor where apps send password data,” the paper explains. “The primary technical challenge addressed by ScreenPass is guaranteeing that trusted code is always aware of when a user is entering a password.”

According to the researchers, ScreenPass does this by including a trusted software keyboard so users can specify their passwords’ domains as they are entered as a means of tagging the password and by performing optical character recognition on a device’s screen buffer to ensure that the passwords are entered only through the trusted software keyboard.

While Google Android and Apple iOS offer integrated account services for various services such as Google, Twitter and Facebook, those account services do not prevent malicious apps from asking a user for their login credentials, the researchers noted.

“If a malicious app can trick a user into inputting their password through a fake keyboard, then there is no way to guarantee that an app’s password is sent only to the right servers,” Duke computer scientist Landon Cox, one of the authors of the tool, told Duke Today in an interview. “If ScreenPass detects an untrusted keyboard, then an app may be trying to “spoof” the secure keyboard in order to steal the user’s password.”

The team’s paper can be read here.

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.