You shouldn’t collect my secrets: Thwarting sensitive keystroke leakage in mobile IME apps

Proceedings of the 24th USENIX Security Symposium

Volumn , Issue , 2015, Pages 675-690

  Chen, Jin ^a   Chen, Haibo ^a   Bauman, Erick ^b   Lin, Zhiqiang ^b   Zang, Binyu ^a   Guan, Haibing ^a  

^a SHANGHAI JIAO TONG UNIVERSITY   (China)

^b The University of Texas at Dallas   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

TOUCH SCREENS;

DESIGNING SYSTEMS; INPUT METHOD EDITORS; PROOF OF CONCEPT; RUNTIME OVERHEADS; SECURITY POLICY; SENSITIVE DATAS; SENSITIVE INFORMATIONS; SYSTEMATIC STUDY;

USER INTERFACES;

EID: 85031668420     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (51)

1. Free Chinese-made software poses security risk. http://www.japantimes.co.jp/news/2013/12/26/national/chinesemade-computer-input-system-banned-in-government-agencies/#.U21w5 aPUS0.
2. smali-An assembler/disassembler for Android’s dex format. https://code.google.com/p/smali/.
3. Security enhancements in jelly bean. http://androiddevelopers.blogspot.jp/2013/02/security-enhancements-injelly-bean.html, 2013.
4. A. J. Aviv, B. Sapp, M. Blaze, and J. M. Smith. Practicality of accelerometer side channels on smartphones. In ACSAC, 2012.
5. BBC News. Salford woman makes bid for fastest text title. http://news.bbc.co.uk/local/manchester/hi/people and places/ newsid 8939000/8939790.stm, 2010.
6. A. Birgisson, M. Dhawan, U. Erlingsson, V. Ganapathy, and L. Iftode. Enforcing authorization policies using transactional memory introspection. In CCS, pages 223–234, 2008.
7. K. Borders, E. Vander Weele, B. Lau, and A. Prakash. Protecting confidential data on personal computers with storage capsules. In Usenix Security, 2009.
8. S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.-R. Sadeghi, and B. Shastry. Towards taming privilege-escalation attacks on android. In NDSS, 2012.
9. L. Cai and H. Chen. Touchlogger: inferring keystrokes on touch screen from smartphone motion. In HotSec, 2011.
10. J. J. K. Chan, K. W. Tan, L. Jiang, and R. K. Balan. The case for mobile forensics of private data leaks: Towards large-scale user-oriented privacy protection. In APSYS, 2013.
11. S. Chen, R. Wang, X. Wang, and K. Zhang. Side-channel leaks in web applications: A reality today, a challenge tomorrow. In Oakland, pages 191–206, 2010.
12. E. Chin, A. P. Felt, K. Greenwood, and D. Wagner. Analyzing inter-application communication in android. In MobiSys, pages 239–252. ACM, 2011.
13. China IT Research Center. Third-part IMEs usage stats in China for 2014 Q1. http://www.cnitresearch.com/content/201405/303.html, 2014.
14. L. P. Cox, P. Gilbert, G. Lawler, V. Pistol, A. Razeen, B. Wu, and S. Cheemalapati. Spandex: Secure password tracking for android. In USENIX Security, 2014.
15. M. Egele, C. Kruegel, E. Kirda, and G. Vigna. Pios: Detecting privacy leaks in ios applications. In NDSS, 2011.
16. W. Enck, P. Gilbert, B. Chun, L. Cox, J. Jung, P. McDaniel, and A. Sheth. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In OSDI, 2010.
17. W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM TOCS, 32(2):5, 2014.
18. B. Ford and R. Cox. Vx32: Lightweight user-level sandboxing on the x86. In USENIX ATC, 2008.
19. T. Fraser, L. Badger, and M. Feldman. Hardening cots software with generic software wrappers. In Oakland, pages 2–16, 1999.
20. C. Gibler, J. Crussell, J. Erickson, and H. Chen. Androidleaks: automatically detecting potential privacy leaks in android applications on a large scale. In Trust, 2012.
21. I. Goldberg, D. Wagner, R. Thomas, and E. A. Brewer. A secure environment for untrusted helper applications confining the wily hacker. In USENIX Security, 1996.
22. M. Grace, Y. Zhou, Z. Wang, and X. Jiang. Systematic detection of capability leaks in stock android smartphones. In NDSS, 2012.
23. N. Hardy. The confused deputy:(or why capabilities might have been invented). SIGOPS Oper. Sys. Review, 22(4):36–38, 1988.
24. P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall. These aren’t the droids you’re looking for: Retrofitting android to protect data from imperious applications. In CCS, 2011.
25. S. Jana, D. E. Porter, and V. Shmatikov. Txbox: Building secure, efficient sandboxes with system transactions. In Oakland, 2011.
26. T. Kim, X. Wang, N. Zeldovich, M. Kaashoek, et al. Intrusion recovery using selective re-execution. In OSDI, 2010.
27. T. Kim and N. Zeldovich. Practical and effective sandboxing for non-root users. In USENIX ATC, pages 139–144, 2013.
28. O. Laadan and J. Nieh. Transparent checkpoint-restart of multiple processes on commodity operating systems. In USENIX ATC, pages 323–336, 2007.
29. W. S. Labs. Fake input method editor(ime) trojan. http://community.websense.com/blogs/securitylabs/archive/2010/07/05/trojan-using-input-method-inject-technology.aspx.
30. S. Lee, E. L. Wong, D. Goel, M. Dahlin, and V. Shmatikov. πbox: a platform for privacy-preserving apps. In NSDI, 2013.
31. D. Liu, E. Cuervo, V. Pistol, R. Scudellari, and L. P. Cox. Screen-pass: Secure password entry on touchscreen devices. In MobiSys, pages 291–304, 2013.
32. M. Nauman, S. Khan, and X. Zhang. Apex: extending android permission model and enforcement with user-defined runtime constraints. In ASIACCS, pages 328–332, 2010.
33. D. E. Porter, O. S. Hofmann, C. J. Rossbach, A. Benn, and E. Witchel. Operating system transactions. In SOSP, 2009.
34. V. Rastogi, Y. Chen, and W. Enck. Appsplayground: Automatic security analysis of smartphone applications. In ACM conference on Data and application security and privacy, 2013.
35. S. Rosen, Z. Qian, and Z. M. Mao. Appprofiler: a flexible method of exposing privacy-related behavior in android applications to end users. In ACM conference on Data and application security and privacy, pages 221–232. ACM, 2013.
36. M. A. Salehi, T. Caldwell, A. Fernandez, E. Mickiewicz, E. W. Rozier, S. Zonouz, and D. Redberg. Reseed: Regular expression search over encrypted data in the cloud. In CCGrid, 2014.
37. S. Sidiroglou, O. Laadan, A. D. Keromytis, and J. Nieh. Using rescue points to navigate software recovery. In Oakland, 2007.
38. R. Stevens, C. Gibler, J. Crussell, J. Erickson, and H. Chen. Investigating user privacy in android ad libraries. In Workshop on Mobile Security Technologies (MoST), 2012.
39. K. Subramanyam, C. E. Frank, and D. F. Galli. Keyloggers: The overlooked threat to computer security. http://www.keylogger.org/articles/kishoresubramanyam/keyloggers-the-overlooked-threat-to-computersecurity-7.html.
40. TechSpot News. Google fired employees for breaching user privacy. http://www.techspot.com/news/40280-google-fired-employeesfor-breaching-user-privacy.html, 2010.
41. Y. Xia, Y. Liu, and H. Chen. Architecture support for guest-transparent vm protection from untrusted hypervisor and physical attacks. In HPCA, 2013.
42. Y. Xia, Y. Liu, C. Tan, M. Ma, H. Guan, B. Zang, and H. Chen. Tinman: eliminating confidential mobile data exposure with security oriented offloading. In EuroSys, 2015.
43. R. Xu, H. Saïdi, and R. Anderson. Aurasium: Practical policy enforcement for android applications. In USENIX Security, 2012.
44. W. Yang, X. Xiao, B. Andow, S. Li, T. Xie, and W. Enck. App-context: Differentiating malicious and benign mobile app behaviors using context. In ICSE, 2015.
45. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native client: A sandbox for portable, untrusted x86 native code. Commun. ACM, 53(1):91–99, Jan. 2010.
46. H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: Capturing system-wide information flow for malware detection and analysis. In CCS, 2007.
47. F. Zhang, J. Chen, H. Chen, and B. Zang. Cloudvisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization. In SOSP, 2011.
48. W. Zhou, Y. Zhou, X. Jiang, and P. Ning. Detecting repackaged smartphone applications in third-party android marketplaces. In ACM conference on Data and Application Security and Privacy, pages 317–326. ACM, 2012.
49. Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In Oakland, 2012.
50. Y. Zhou and X. Jiang. Detecting passive content leaks and pollution in android applications. In NDSS, 2013.
51. Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming information-stealing smartphone applications (on android). In Conference on Trust and Trustworthy Computing, 2011.