IM-Visor: A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone

Tian, Chen; Wang, Yazhe; Liu, Peng; Zhou, Qihui; Zhang, Chengyi; Xu, Zhen

doi:10.1109/dsn.2017.12

Cited by 6 publications

(3 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As the decryption key is stored in the TrustZone environment, data-clone attacks cannot copy the decryption key to another device together with encrypted user credential data, and therefore the server will fail to verify the login credentials. The recent papers, TruApp [38] and IM-Visor [39] explore the feasibility of protecting app integrity and sensitive data with TrustZone, and Rubinov et al's work partitions a critical app automatically for TrustZone [40].…”

Section: III Discussionmentioning

confidence: 99%

App’s Auto-Login Function Security Testing via Android OS-Level Virtualization

Song

Jiang

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Limited by the small keyboard, most mobile apps support the automatic login feature for better user experience. Therefore, users avoid the inconvenience of retyping their ID and password when an app runs in the foreground again. However, this auto-login function can be exploited to launch the so-called "data-clone attack": once the locally-stored, auto-login depended data are cloned by attackers and placed into their own smartphones, attackers can break through the login-device number limit and log in to the victim's account stealthily. A natural countermeasure is to check the consistency of devicespecific attributes. As long as the new device shows different device fingerprints with the previous one, the app will disable the auto-login function and thus prevent data-clone attacks.In this paper, we develop VPDroid, a transparent Android OSlevel virtualization platform tailored for security testing. With VPDroid, security analysts can customize different device artifacts, such as CPU model, Android ID, and phone number, in a virtual phone without user-level API hooking. VPDroid's isolation mechanism ensures that user-mode apps in the virtual phone cannot detect device-specific discrepancies. To assess Android apps' susceptibility to the data-clone attack, we use VPDroid to simulate data-clone attacks with 234 most-downloaded apps. Our experiments on five different virtual phone environmentsshow that VPDroid's device attribute customization can deceive all tested apps that perform device-consistency checks, such as Twitter, WeChat, and PayPal. 19 vendors have confirmed our report as a zero-day vulnerability. Our findings paint a cautionary tale: only enforcing a device-consistency check at client side is still vulnerable to an advanced data-clone attack. I. In t r o d u c t io nWith the prosperous development of the Android system and mobile networks [1], [2], the apps running on Android keep updating constantly to meet the fast-growing demand of smartphone users. In addition to the standard functionalities such as communication and entertainment, apps are now performing various critical tasks such as social networking [3], GPS navigation [4], IoT device remote control [5], and mobile payment [6]. Inevitably large amounts of private data (e.g., user credentials) are stored in the smartphone. Therefore, the

show abstract

Section: III Discussionmentioning

confidence: 99%

App’s Auto-Login Function Security Testing via Android OS-Level Virtualization

Song

Jiang

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…As the decryption key is stored in the Trustzone environment, data-clone attacks cannot copy the decryption key to another device together with the encrypted auto-login depended data, and therefore the server will fail to verify the login credentials. The recent papers, TruApp paper [38] and IM-Visor [39] explore the feasibility of protecting App integrity and sensitive data with TrustZone.…”

Section: Mitigation Discussionmentioning

confidence: 99%

Android Data-Clone Attack via Operating System Customization

et al. 2020

View full text Add to dashboard Cite

To avoid the inconvenience of retyping a user's ID and password, most mobile apps now provide the automatic login feature for a better user experience. To this end, auto-login credential is stored locally on the smartphone. However, such sensitive credential can be stolen by attackers and placed into their smartphones via the well-known credential-clone attack. Then, attackers can imperceptibly log into the victim's account, which causes more devastating and covert losses than merely intercepting the user's password. In this article, we propose a generalized Android credential-clone attack, called data-clone attack. By exploiting the new-found vulnerabilities of original equipment manufacturer (OEM)-made phone clone apps, we design an identity theft method that overcomes the problem of incomplete credential extraction and eliminates the requirement of root authority. To evade the consistency check of device-specific attributes in apps, we design two environment customization methods for app-level and operating system (OS)-level, respectively. Especially, we develop a transparent Android OS customization solution, named CloneDroid, which simulates 101 special attributes of Android OS. We implement a prototype of CloneDroid and the experimental results show that 172 out of 175 most-downloaded apps' accounts can be jeopardized, such as Facebook and WeChat. Moreover, our study has identified 18 confirmed zero-day vulnerabilities. Our findings paint a cautionary tale for the security community that billions of accounts are potentially exposed to Android OS customization-assisted data-clone attacks.

show abstract

“…TrustPay [35] proposed a mobile payment framework on the Trust-Zone platform to protect the display of the user's payment information. IM-Visor [29] and Li et al [19] protected the users' inputs by capturing the users' sensitive keystrokes inside the secure world. Dmitrienko et al [14] proposed a security architecture for the protection of electronic health records and authentication credentials used to access e-health services.…”

Section: Related Workmentioning

confidence: 99%

TruZ-View

Ying¹,

Thavai

2019

Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

When OS and hypervisor are compromised, mobile devices currently provide a hardware protected mode called Trusted Execution Environment (TEE) to guarantee the confidentiality and integrity of the User Interface (UI). The present TEE UI solutions adopt a self-contained design model, which provides a fully functional UI stack in the TEE, but they fail to manage one critical design principle of TEE: a small Trusted Computing Base (TCB), which should be more easily verified in comparison to a rich OS. The TCB size of the self-contained model is large as a result of the size of an individual UI stack. To reduce the TCB size of the TEE UI solution, we proposed a novel TEE UI design model called delegation model. To be specific, our design reuses the majority of the rich OS UI stack. Unlike the existing UI solutions protecting 3-dimensional UI processing in the TEE, our design protects the UI solely as a 2-dimensional surface and thus reduces the TCB size. Our system, called TruZ-View, allows application developers to use the rich OS UI development environment to develop TEE UI with consistent UI looks across the TEE and the rich OS. We successfully implemented our design on HiKey board. Moreover, we developed several TEE UI use cases to protect the confidentiality and integrity of UI. We performed a thorough security analysis to prove the security of the delegation UI model. Our real-world application evaluation shows that developers can leverage our TEE UI with few changes to the existing app's UI logic.

show abstract

IM-Visor: A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone

Cited by 6 publications

References 15 publications

App’s Auto-Login Function Security Testing via Android OS-Level Virtualization

App’s Auto-Login Function Security Testing via Android OS-Level Virtualization

Android Data-Clone Attack via Operating System Customization

TruZ-View

Contact Info

Product

Resources

About