Five researchers at Duke University have developed ScreenPass, a programme which improves security controls on smartphones by prompting users to add a tag to their passwords and then ‘taint-tracking’ sent and received data flows.
Smartphone users generally have no assurance whatsoever regarding login and password security on the apps they download and use. This was the starting point for a team of researchers working at Duke University, North Carolina, under the aegis of Associate Professor Landon P. Cox to develop a programme capable of securing passwords and warning users of any identity theft attacks. The prototype, called ScreenPass, which has been designed and tested on smartphones, increases security on touchscreen devices by enabling a user to add a ‘tag’ to all passwords. ScreenPass then uses the tag to taint-track the user’s password data as it flows through the app, and can see when password data is stored by the app, where it is sent, and whether an identity theft attack is being carried out.
A tracking app
ScreenPass does not act automatically on all of a user’s passwords. When the user logs in to a service through an app, it is up to them to add a tag, for example the ‘@’ character in front of the password, so that the Duke University software can then track where that password goes. ScreenPass then performs dynamic Optical Character Recognition (OCR) on the device’s screenbuffer to check that the password entry is handled as expected. If an anomaly is detected while the password is being entered, the operating system can, for example, raise an alert to the user or – if an attack is detected – kill the process. If an app attempts to write password data to the network, the software checks several properties of the connection: for example, that the destination IP address resolves to the expected domain name, and that the destination port is not one associated with unencrypted traffic. In any of these cases, if ScreenPass detects an anomaly, the programme blocks the operation and stops the data from leaving the device.
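As an added illustration of the sink checks just described (not ScreenPass’s own code), the following minimal Python model lets password text carry a taint through string concatenation and checks each network or file write against a policy; the expected-domain argument and the list of plaintext ports are assumptions made for the example.

```python
# Illustrative model of ScreenPass-style taint tracking and sink checks.
# Added example, not ScreenPass's own code: taint propagation is reduced to a
# wrapper type, and the expected-domain and plaintext-port values are assumptions.
from dataclasses import dataclass

# Ports that normally carry unencrypted protocols (assumed policy list).
PLAINTEXT_PORTS = frozenset({21, 23, 25, 80, 110, 143})


@dataclass(frozen=True)
class Tainted:
    """A string plus the set of taint tags it was derived from."""
    value: str
    tags: frozenset = frozenset()

    def __add__(self, other):
        # Taint propagates through concatenation, as in a taint-tracking runtime.
        other_tainted = other if isinstance(other, Tainted) else Tainted(str(other))
        return Tainted(self.value + other_tainted.value, self.tags | other_tainted.tags)

    def __radd__(self, other):
        return Tainted(str(other)) + self


def tag_password(typed: str, tag: str = "@") -> Tainted:
    """Model the user typing a tagged password: strip the tag, taint the rest."""
    if typed.startswith(tag):
        return Tainted(typed[len(tag):], frozenset({"password"}))
    return Tainted(typed)  # untagged input is tracked as ordinary data


def is_password(data) -> bool:
    return isinstance(data, Tainted) and "password" in data.tags


def check_network_write(dest_host: str, dest_port: int, data, expected_domain: str):
    """Policy check at the network sink. Returns (allowed, reason).
    Untainted data passes; password-tainted data must go to the expected
    domain (or a subdomain of it) over a port not associated with plaintext."""
    if not is_password(data):
        return True, "no password taint"
    if dest_port in PLAINTEXT_PORTS:
        return False, "password to plaintext port %d" % dest_port
    if dest_host != expected_domain and not dest_host.endswith("." + expected_domain):
        return False, "password to unexpected host %s" % dest_host
    return True, "password to expected domain on non-plaintext port"


def check_file_write(data, encrypted: bool):
    """Policy check at the file-system sink: flag password data stored unencrypted."""
    if is_password(data) and not encrypted:
        return False, "password stored in plaintext"
    return True, "ok"
```

Untagged input never triggers a block, which mirrors the article’s point that the protection depends on the user tagging the password.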
IT security plus user convenience
Having to insert tags into your own passwords may sound like a major hassle, since digital services are supposed to automate such chores. However, a study carried out with a test panel showed that tagging passwords imposes very little inconvenience on users. During the first ten days of the study, for an average number of logins, 83% of study participants tagged their passwords, and 89% did so during the second period, giving an average of 86%. ScreenPass also proved its worth when the researchers tested it on 28 apps, each of which had been installed at least 100,000 times. ScreenPass detected that four of the apps that sent passwords over the network sent them to a server controlled by the app’s developer, that four sent passwords over the network in plaintext, and that, of the apps that stored passwords in the file system, four saved them in plaintext on the phone.