2014 IEEE International Conference on Consumer Electronics (ICCE)

RIK: A Virtual Keyboard Resilient to Spyware in

Sarang Na, Student Member, IEEE, and Taekyoung Kwon, Member, IEEE
Yonsei University, Seoul, 120-749, Korea
{no.1.nasa, taekyoung}@yonsei.ac.kr

Abstract--Recently, malware has been dramatically increasing on smartphones. Particularly, spyware is a great concern regarding privacy. In this paper, we propose a new virtual keyboard called RIK, to prevent spyware from stealing users’ sensitive information, such as a password, entered on a user interface.

I. INTRODUCTION

Due to the performance improvement of smartphones, the number of users has increased explosively. Also, various services have become available on smartphones, including services that have been used on PC platforms, e.g., messengers and Internet banking. However, threats from malware such as spyware are growing at the same time. In particular, the features of smartphones, mobility and openness, have made malware easier to install through various infection channels. Spyware is malicious software that collects information about a person or organization from computing systems. It may send the collected information to a third party without the user's consent. Once spyware is installed, it is difficult for anti-virus programs to detect and remove it [6]. Thus, spyware can record users' data continuously in the background. For example, keyloggers intercept data entered by the user. They can collect data from I/O devices, e.g., keystrokes, mouse events, touch events, and screenshots.

Sometimes applications and web sites require users to input personal information to utilize their services. This information is sent to the server through secure channels established by SSL (Secure Socket Layer) and stored in encrypted form. However, if spyware is already installed, an attacker can intercept the information when a user enters it. To deal with this problem, Internet banking systems have provided secure virtual keyboards, such as a random space keyboard, and various authentication methods. However, it is possible for spyware to identify which keys have been entered by analyzing the coordinates of touch events on the virtual keyboard, as illustrated in Fig. 1. Furthermore, spyware can also infer the entered keys using motion sensors [3].

In this paper, we propose RIK (Rolling Image virtual Keyboard), a novel password entry method resistant to spyware that exploits touch events and successive screenshots in smartphone environments.

Fig 1. Touch events generated by the user on the virtual keyboard of an Android smartphone. (a) The entered character is 'd'. (b) The entered character is 'b'.

II. RELATED WORK

A number of authentication methods have been proposed to protect password entry from spyware attacks. There are various methods [1, 5] designed to resist spyware based on screenshot capture. However, they are still vulnerable to attackers capable of taking successive screenshots. Another method [2] attempted indirect input using temporary passwords. However, it was also vulnerable because attackers can infer real passwords by analyzing multiple authentication sessions.

III. ROLLING IMAGE VIRTUAL KEYBOARD

Most smartphones offer a virtual keyboard on which users type characters by touching target keys on a small screen. The virtual keyboard does not produce keystrokes, but it does produce touch events and screenshots. For this reason, an attacker has a chance to gather personal data from them. To solve the problem, we consider a design of dynamic keyboard layouts and input interfaces using dragging actions instead of direct touch actions. Our design does not provide any clues about the entered keys, even if spyware captures screenshots of the screen. In addition, users do not directly touch the target keys by mistake when they move the keyboard layout.

A. Concept

In the RIK system, each key has an alphanumeric character and a rolling dynamic image. The dynamic image is used to generate indicators that consist of one real indicator and 35 fake indicators. Among them, only the real indicator has a different direction, from left to right or clockwise (fake indicators move from right to left or counterclockwise), and it is used to enter characters. Each dynamic image has a different starting position and rotation time within a certain range for each key, to hide the location of the real indicator from spyware.

This work was partly supported by the IT R&D program of MSIP/KEIT [10039180, Intuitive, convenient and secure HCI-based usable security technologies for mobile authentication and security enhancement in mobile computing environments] and the MSIP (Ministry of Science, ICT&Future Planning), Korea, under the ITRC (Information Technology Research Center) support program (NIPA-2013-H0301-13-1003) supervised by the NIPA (National IT Industry Promotion Agency).

978-1-4799-1291-9/14/$31.00 ©2014 IEEE 25

B. Keyboard layout

The keyboard layout consists of a text layout and an image layout. Both layouts overlap in the same position, with the text layout located above the image layout, as illustrated in Fig. 2. The text layout, including 36 alphanumeric characters (10 digits and 26 letters), is a movable skin-type layout [4]. The image layout, including 36 indicators, has a fixed location in the keyboard layout. We use a keyboard layout similar to the QWERTY layout, but we can also use an ABC layout for users who type with one hand.

C. Input interface

RIK uses dragging and dropping actions for moving and releasing the text layout, respectively. Users can enter their passwords with the control pad by matching the location of the real indicator and the text. The control pad, which is smaller than the keyboard layout, is used to move the text layout, to prevent users from directly dragging the target keys. Therefore, spyware can know neither which one is the real indicator nor which character is typed.

Fig 2. Keyboard layout and input interface of the RIK method. (The real indicator is 'r' and the entered character is 'h'.)

IV. USABILITY AND SECURITY ANALYSIS

We implemented prototype systems of a standard keyboard and RIK on the Galaxy Nexus smartphone to conduct the usability and security experiments.

A. Usability Evaluation

We conducted user experiments with a standard keyboard and RIK. We recruited 8 participants (5 males, 3 females) whose average age was 27.5 years. They were assigned the two methods in random sequences. We gave the participants the instructions for each system and a training phase to enter the particular password, "abcd1234", three times in the respective methods. In the real test, we asked participants to type two kinds of 8-character alphanumeric passwords, random passwords and user-chosen passwords, for each session of practice and test. The average entry time for the standard keyboard was 5.763 sec (sd: 0.796) with random passwords and 5.652 sec (sd: 1.298) with user-chosen passwords, and for RIK it was 20.825 sec (sd: 4.159) with random passwords and 21.279 sec (sd: 3.191) with user-chosen passwords. In a 2 x 2 repeated-measures ANOVA, there was a significant main effect for the two entry methods (F(1, 7) = 226.943, p < 0.001). However, there was no significant main effect for the two password types (F(1, 7) = 0.07, n.s.). There was no failed session for either method. For the standard keyboard, only one backspace event occurred in each password type.

B. Security Evaluation

We analyze the security of the RIK method using the Ashot (Android Screenshots and Screen Capture) [7] software tool. We captured screenshots of RIK during an authentication session at one image per second and could get at most four images (three images for dragging, one image for dropping) for entering one character. Fig. 3 shows examples of real-time screenshots. Although we could find rotation patterns in part, it is impossible to distinguish the rotation direction of the indicators and the location of the real indicator, since the indicators had different moving times and starting positions. Thus, we failed to identify the typed character.

Fig 3. Examples of screenshots: a stack of rolling images on the keyboard. (The real indicator is 'r' and the entered character is 'h'.)

V. CONCLUSION

The RIK method is a novel password input method designed to prevent spyware from stealing users' passwords. We will improve its usability and describe more details of the user experiments in the full paper. Also, we will conduct a more sophisticated security analysis against high-performance spyware attacks.

REFERENCES

[1] M. Agarwal, M. Mehra, R. Pawar, and D. Shah, "Secure Authentication using Dynamic Virtual Keyboard Layout," In Proc. of ICWET'11, pp. 288-291, 2011.
[2] X. Bai, W. Gu, S. Chellappan, X. Wang, D. Xuan, and B. Ma, "PAS: Predicate-based Authentication Services Against Powerful Passive Adversaries," In Proc. of IEEE Annual Computer Security Applications Conference, pp. 433-442, 2008.
[3] L. Cai and H. Chen, "TouchLogger: Inferring Keystrokes On Touch Screen From Smartphone Motion," In Proc. of HotSec'11, 2011.
[4] T. Kwon, S. Na, and S. Park, "Drag-and-Type: A New Method for Typing with Virtual Keyboards on Small Screens," In Proc. of IEEE ICCE, pp. 460-461, 2013.
[5] J. Lim, "Defeat Spyware With Anti-Screen Capture Technology Using Visual Persistence," In Proc. of SOUPS, pp. 147-148, 2007.
[6] FTC (Federal Trade Commission), "Monitoring Software on Your PC: Spyware, Adware, and Other Software." Staff Report, Federal Trade Commission, 2005.
[7] Ashot – http://sourceforge.net/projects/ashot/
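The drag-and-drop entry mechanism of Sections III.A to III.C, modelled in Python as an added example; this is not the authors' code, and the paper gives no implementation. The 10-column grid, the rotation periods, the `RikKeyboard`, `drag_vector_for`, `rik_drag_trace` and `standard_touch_trace` names, and the assumption that the text-layout offset persists between characters are all assumptions of this example. It contrasts what a touch logger records on a standard keyboard (the cell of the key itself, as in Fig. 1) with what it records under RIK (a control-pad drag whose vector depends on where the session's real indicator happens to be), and `snapshot` returns only the instantaneous indicator angles that a single screenshot would show.

```python
"""Toy model of the RIK entry mechanism from Sections III.A-C.

Added example, not the authors' code. Assumptions not in the paper:
the 10-column grid, rotation periods in [1, 3] s, and that the text
layout offset persists between characters.
"""
import random

# 36 alphanumeric keys in the QWERTY-like order of the text layout.
KEYS = "1234567890qwertyuiopasdfghjklzxcvbnm"
COLS = 10  # assumption: 10 keys per row


def key_cell(index):
    """(row, col) of the index-th key; the image layout uses the same grid."""
    return divmod(index, COLS)


def standard_touch_trace(password):
    """Standard keyboard: the touched cell reveals the key directly (Fig. 1)."""
    return tuple(key_cell(KEYS.index(ch)) for ch in password)


class RikKeyboard:
    """Fixed image layout (36 indicators) under a movable text layout."""

    def __init__(self, rng, real_index=None):
        # One real indicator among 36; the other 35 are fakes.
        self.real_index = rng.randrange(36) if real_index is None else real_index
        # Each indicator has its own random starting position and rotation time.
        self.start_deg = [rng.uniform(0.0, 360.0) for _ in range(36)]
        self.period_s = [rng.uniform(1.0, 3.0) for _ in range(36)]  # assumption
        self.offset = (0, 0)  # text-layout displacement in cells (d_row, d_col)

    def direction(self, i):
        """Real indicator turns clockwise (+1); fakes turn counterclockwise (-1)."""
        return 1 if i == self.real_index else -1

    def snapshot(self, t):
        """Angles of all 36 indicators at time t: what one screenshot shows."""
        return [
            (self.start_deg[i] + self.direction(i) * 360.0 * t / self.period_s[i]) % 360.0
            for i in range(36)
        ]

    def drag(self, d_row, d_col):
        """Control-pad drag moves the whole text layout, not one key."""
        self.offset = (self.offset[0] + d_row, self.offset[1] + d_col)

    def char_at_cell(self, row, col):
        """Character of the text layout currently over image cell (row, col)."""
        r, c = row - self.offset[0], col - self.offset[1]
        if 0 <= r and 0 <= c < COLS and r * COLS + c < len(KEYS):
            return KEYS[r * COLS + c]
        return None  # no text key over this indicator after the drag

    def drop(self):
        """Release: whatever lies under the real indicator is entered."""
        return self.char_at_cell(*key_cell(self.real_index))


def drag_vector_for(kb, target):
    """Drag that brings `target` under the real indicator (the user's action)."""
    tr, tc = key_cell(kb.real_index)
    kr, kc = key_cell(KEYS.index(target))
    return (tr - kr - kb.offset[0], tc - kc - kb.offset[1])


def rik_drag_trace(kb, password):
    """Drag vectors a touch logger would record while `password` is typed.
    Raises if the keyboard registers a different character than intended."""
    trace = []
    for ch in password:
        d = drag_vector_for(kb, ch)
        kb.drag(*d)
        if kb.drop() != ch:
            raise RuntimeError("layout/indicator mismatch")
        trace.append(d)
    return tuple(trace)


if __name__ == "__main__":
    pw = "abcd1234"  # the training password used in Section IV.A
    print("standard keyboard cells:", standard_touch_trace(pw))
    # Same password, two sessions with different real-indicator positions.
    for idx in (13, 0):  # 13 is 'r' (the Fig. 2 scenario), 0 is '1'
        kb = RikKeyboard(random.Random(0), real_index=idx)
        print("real indicator at", repr(KEYS[idx]), "drags:", rik_drag_trace(kb, pw))
    print("first 3 indicator angles at t=1s:", RikKeyboard(random.Random(0)).snapshot(1.0)[:3])
```

Running the file reproduces the Fig. 2 scenario: with the real indicator on 'r', entering 'h' needs a drag of one row up and two columns left, while the same character under a different real-indicator position needs a different drag, so a logged drag vector does not map to a fixed key the way a touch on a standard keyboard does. The model is deterministic and does not reproduce the one-image-per-second capture limit of Section IV.B; it only shows which quantities (indicator angles, drag vectors) each observation channel exposes.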
