We show that the new hover (floating touch) technology, available in a number of today's smartphone models, can be abused by malicious Android applications to record all touchscreen input into applications system-wide. Leveraging this attack, a malicious application running on the system is able to capture sensitive input such as passwords and PINs, record all user's social interactions, as well as profile user's behavior. To evaluate our attack we implemented Hoover, a proof-of-concept malicious application that runs in the background and records all input to all foreground applications. We evaluated Hoover with 20 users, across two different Android devices and two input methods, stylus and finger. In the case of touchscreen input by finger, Hoover estimated the positions of users' clicks within an error of 100 pixels and keyboard input with an accuracy of 79%. Hoover captured users' input by stylus even more accurately, estimating users' clicks within 2 pixels and keyboard input with an accuracy of 98%. Differently from existing well-known side channel attacks, this is the first work that proves the security implications of the hover technology and its potential to steal all user inputs with high granularity. We discuss ways of mitigating this attack and show that this cannot be done by simply restricting access to permissions or imposing additional cognitive load on the users since this would significantly constrain the intended use of the hover technology.

Using hover to compromise the confidentiality of user input on Android / Ulqinaku, Enis; Malisa, Luka; Stefa, Julinda; Mei, Alessandro; Capkun, Srdjan. - STAMPA. - 10:(2017), pp. 12-22. (Intervento presentato al convegno 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2017 tenutosi a Boston, MA, USA nel 2017) [10.1145/3098243.3098246].

Using hover to compromise the confidentiality of user input on Android

ULQINAKU, ENIS;Stefa, Julinda;Mei, Alessandro;
2017

Abstract

We show that the new hover (floating touch) technology, available in a number of today's smartphone models, can be abused by malicious Android applications to record all touchscreen input into applications system-wide. Leveraging this attack, a malicious application running on the system is able to capture sensitive input such as passwords and PINs, record all user's social interactions, as well as profile user's behavior. To evaluate our attack we implemented Hoover, a proof-of-concept malicious application that runs in the background and records all input to all foreground applications. We evaluated Hoover with 20 users, across two different Android devices and two input methods, stylus and finger. In the case of touchscreen input by finger, Hoover estimated the positions of users' clicks within an error of 100 pixels and keyboard input with an accuracy of 79%. Hoover captured users' input by stylus even more accurately, estimating users' clicks within 2 pixels and keyboard input with an accuracy of 98%. Differently from existing well-known side channel attacks, this is the first work that proves the security implications of the hover technology and its potential to steal all user inputs with high granularity. We discuss ways of mitigating this attack and show that this cannot be done by simply restricting access to permissions or imposing additional cognitive load on the users since this would significantly constrain the intended use of the hover technology.
2017
10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2017
Android; Attack; Hover technology; User input; Computer Networks and Communications; Safety, Risk, Reliability and Quality
04 Pubblicazione in atti di convegno::04b Atto di convegno in volume
Using hover to compromise the confidentiality of user input on Android / Ulqinaku, Enis; Malisa, Luka; Stefa, Julinda; Mei, Alessandro; Capkun, Srdjan. - STAMPA. - 10:(2017), pp. 12-22. (Intervento presentato al convegno 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2017 tenutosi a Boston, MA, USA nel 2017) [10.1145/3098243.3098246].
File allegati a questo prodotto
File Dimensione Formato  
Stefa_Using_2017.pdf

solo gestori archivio

Tipologia: Versione editoriale (versione pubblicata con il layout dell'editore)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 759.21 kB
Formato Adobe PDF
759.21 kB Adobe PDF   Contatta l'autore

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11573/1022997
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 5
  • ???jsp.display-item.citation.isi??? 3
social impact