A Study on Screen Logging Risks of Secure Keyboards of Android Financial Apps

Xinyue Liang, Jun Ma
Published in: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), 2022-03-01
DOI: https://doi.org/10.1109/saner53432.2022.00024
Citations: 2

Abstract

Financial applications require special security guarantees to protect users' property. In particular, to prevent the theft of users' passwords, many financial apps provide their own secure keyboards. However, password compromise is still possible if the secure keyboard is not implemented properly, putting the user's property at risk. In this paper, we investigate the secure keyboards of Android financial apps and their risks under screenloggers. We conducted a study on 428 financial apps downloaded from Huawei App Store, Google Play, Wandoujia and Xiaomi GetApps. Our study shows that the status of secure keyboards in financial apps is not optimistic. We find that only 161 apps (37.6%) provide app-specific secure keyboard implementations, and the keyboards provided by 60 apps are not secure under screenlogger attacks. Specifically, the fundamental causes of all studied insecure keyboards can be attributed to inappropriate settings of the secure flag of the window or surface that renders the secure keyboard or its feedback animation.
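
The root cause named in the abstract is easy to miss because each window and surface carries its own secure flag. The Java sketch below is an added illustration, not code from the paper or from any studied app; it assumes a keyboard hosted in a Dialog, key feedback shown in a PopupWindow, and an optional SurfaceView, and all class and method names are hypothetical.

```java
import android.app.Activity;
import android.app.Dialog;
import android.content.Context;
import android.os.Bundle;
import android.view.Gravity;
import android.view.SurfaceView;
import android.view.View;
import android.view.ViewGroup;
import android.view.WindowManager;
import android.widget.PopupWindow;
import android.widget.TextView;

// Hypothetical activity; names are illustrative only.
public class PasswordActivity extends Activity {
    private static final int SECURE = WindowManager.LayoutParams.FLAG_SECURE;
    private static final int WRAP = ViewGroup.LayoutParams.WRAP_CONTENT;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // 1. The activity window that shows the password field.
        getWindow().setFlags(SECURE, SECURE);
    }

    // 2. A keyboard hosted in a Dialog lives in its own window;
    //    the activity's flag does not cover it.
    Dialog showKeyboard(View keyboardView) {
        Dialog dialog = new Dialog(this);
        dialog.setContentView(keyboardView);
        dialog.getWindow().addFlags(SECURE); // set before show()
        dialog.show();
        return dialog;
    }

    // 3. Key-press feedback drawn in a PopupWindow is yet another window.
    //    PopupWindow exposes no flag setter, so patch its layout params.
    PopupWindow showKeyPreview(View anchor, CharSequence label) {
        TextView preview = new TextView(this);
        preview.setText(label);
        PopupWindow popup = new PopupWindow(preview, WRAP, WRAP);
        popup.showAtLocation(anchor, Gravity.NO_GRAVITY, 0, 0);
        View root = preview.getRootView(); // the popup's top-level view
        WindowManager.LayoutParams lp = (WindowManager.LayoutParams) root.getLayoutParams();
        lp.flags |= SECURE;
        ((WindowManager) getSystemService(Context.WINDOW_SERVICE)).updateViewLayout(root, lp);
        return popup;
    }

    // 4. Content rendered on a SurfaceView: the surface has a separate flag,
    //    which must be set before the view is attached to a window.
    void secureSurface(SurfaceView surface) {
        surface.setSecure(true);
    }
}
```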