GuarDroid: A Trusted Path for Password Entry

Sensitive online transactions are now frequently executed using smartphone clients. Whereas users of personal computers execute these transactions in a browser, smartphone users tend to use installed apps. These apps use username and password pairs as the primary authentication method and may come from untrusted parties, opening users up to attacks that steal their passwords. We present GuarDroid, a system that protects users' passwords from untrusted apps. The key idea is to prevent apps from seeing passwords directly and to establish a trusted path between the user and the service that leverages the smartphone operating system as a trusted computing base. Our system does not require any modifications to existing apps or services, while still providing users with high assurance that they are not handing sensitive passwords to a rogue app.
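The design idea stated above (the app never sees the password; the OS, acting as the trusted computing base, carries it to the service) can be modelled in a few dozen lines. The following is an added illustration, not the paper's code and not a description of how GuarDroid itself is implemented: the `TrustedPath` class, the placeholder-substitution mechanism, the `Service` class and the hosts `bank.example` / `collector.example` are all assumptions chosen for the example. The model hands the app an opaque placeholder in place of the typed password and only substitutes the real password into outbound form data bound for the host the user authorized; a rogue app that forwards the placeholder elsewhere gets nothing usable, and the attempt is logged.

```python
"""Toy model of a trusted path for password entry (hypothetical; not GuarDroid's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote_plus, urlencode


@dataclass
class TrustedPath:
    """Stands in for the OS-level trusted computing base."""
    # placeholder -> (owning app, authorized destination host, real password)
    _vault: dict = field(default_factory=dict)
    # (app, attempted destination, placeholder) for every refused transmission
    audit: list = field(default_factory=list)

    def enter_password(self, app_id: str, host: str, typed: str) -> str:
        """Trusted UI collects the password; the calling app receives only a random placeholder."""
        placeholder = "GD-" + secrets.token_hex(16)
        self._vault[placeholder] = (app_id, host, typed)
        return placeholder

    def transmit(self, app_id: str, dest_host: str, body: str):
        """OS network hook: replace placeholders with the real password, but only when the
        sending app and destination match what the user authorized at entry time.
        Returns the wire body, or None if the transmission was refused."""
        for placeholder, (owner, host, password) in self._vault.items():
            if placeholder not in body:
                continue
            if owner != app_id or dest_host != host:
                self.audit.append((app_id, dest_host, placeholder))
                return None  # refuse to send; the placeholder alone is useless to the receiver
            # Assumes an application/x-www-form-urlencoded body, so the password is re-encoded.
            body = body.replace(placeholder, quote_plus(password))
        return body


class Service:
    """Unmodified server side: stores a salted hash and checks an ordinary password field."""

    def __init__(self, host: str, username: str, password: str):
        self.host = host
        self.salt = secrets.token_bytes(16)
        self.users = {username: self._digest(password)}

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, body: str) -> bool:
        form = parse_qs(body)
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        expected = self.users.get(user)
        return expected is not None and hmac.compare_digest(expected, self._digest(password))


def honest_login(tp: TrustedPath, service: Service, typed: str,
                 app_id: str = "com.example.bank") -> bool:
    """A legitimate app: it only ever handles the placeholder, yet the login succeeds."""
    placeholder = tp.enter_password(app_id, service.host, typed)
    body = urlencode({"username": "alice", "password": placeholder})
    wire = tp.transmit(app_id, service.host, body)
    return wire is not None and service.login(wire)


def rogue_exfiltration(tp: TrustedPath, service: Service, typed: str,
                       app_id: str = "com.evil.fakebank"):
    """A rogue app asks for the password and tries to ship it to its own collector.
    Returns (what reached the wire, what the app actually held)."""
    placeholder = tp.enter_password(app_id, service.host, typed)
    body = urlencode({"stolen": placeholder})
    wire = tp.transmit(app_id, "collector.example", body)  # constructed attacker host
    return wire, placeholder


if __name__ == "__main__":
    tp = TrustedPath()
    svc = Service("bank.example", "alice", "correct horse battery")
    print("honest login:", honest_login(tp, svc, "correct horse battery"))
    print("rogue exfiltration:", rogue_exfiltration(tp, svc, "correct horse battery"))
    print("refused transmissions:", tp.audit)
```

The substitution step is where the security argument lives: because the binding between placeholder, app and destination is fixed at entry time inside the TCB, a rogue app can neither read the password from the placeholder nor redirect it, and every refused transmission is an auditable event rather than a silent leak.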
