Using hover to compromise the confidentiality of user input on Android / Ulqinaku, Enis; Malisa, Luka; Stefa, Julinda; Mei, Alessandro; Capkun, Srdjan. - PRINT. - 10:(2017), pp. 12-22. (Paper presented at the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2017, held in Boston, MA, USA, in 2017) [10.1145/3098243.3098246].

Using hover to compromise the confidentiality of user input on Android

Ulqinaku, Enis; Stefa, Julinda; Mei, Alessandro
2017

Abstract

We show that the new hover (floating touch) technology, available in a number of today's smartphone models, can be abused by malicious Android applications to record all touchscreen input to applications system-wide. Leveraging this attack, a malicious application running on the system is able to capture sensitive input such as passwords and PINs, record all of the user's social interactions, and profile the user's behavior. To evaluate our attack we implemented Hoover, a proof-of-concept malicious application that runs in the background and records all input to all foreground applications. We evaluated Hoover with 20 users, across two different Android devices and two input methods, stylus and finger. In the case of touchscreen input by finger, Hoover estimated the positions of users' clicks within an error of 100 pixels and keyboard input with an accuracy of 79%. Hoover captured users' input by stylus even more accurately, estimating users' clicks within 2 pixels and keyboard input with an accuracy of 98%. Unlike existing well-known side channel attacks, this is the first work that demonstrates the security implications of the hover technology and its potential to steal all user input at high granularity. We discuss ways of mitigating this attack and show that it cannot be done simply by restricting access to permissions or by imposing additional cognitive load on users, since this would significantly constrain the intended use of the hover technology.
2017
10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2017
Android; Attack; Hover technology; User input; Computer Networks and Communications; Safety, Risk, Reliability and Quality
04 Publication in conference proceedings::04b Conference paper in volume
Files attached to this record

File: Stefa_Using_2017.pdf (archive administrators only)
Type: Publisher's version (published version with the publisher's layout)
License: All rights reserved
Size: 759.21 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this record: https://hdl.handle.net/11573/1022997
Citations
  • PubMed Central: ND
  • Scopus: 4
  • ISI Web of Science: 2