Passwords are highly sensitive data. Have you ever felt hesitant or skeptical when a third-party app asks you to provide passwords for important services such as Facebook, Bank of America, Yahoo Messenger, or Dropbox? Once you give the app your password, you have no idea how the app handles it or where it is sent. Our research has found that a number of third-party apps send users' account information to the app's own server after authenticating with the cloud service. We really need better tools to monitor how third-party apps use our passwords.
To solve the password security problem, we provide ScreenPass, a secure password entry system for mobile touchscreen devices. Users will be asked to associate a secure domain with a password when they enter it. Password usage by apps will be monitored through taint tracking and restricted to the secure domain. ScreenPass guarantees the validity of the secure keyboard and prevents spoofing attacks through an OCR technique.
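The domain-restricted taint tracking described above can be sketched as a small model. This is an added example, not ScreenPass code: `Tainted`, `derive`, and `may_send` are hypothetical names, the password and hosts are constructed, and requiring the destination to fall inside every tagged domain is an assumed policy.

```python
import hashlib
from urllib.parse import urlsplit

class Tainted(str):
    """String value tagged with the secure domain(s) its password data is bound to."""
    def __new__(cls, value, domains):
        obj = super().__new__(cls, value)
        obj.domains = frozenset(d.lower() for d in domains)
        return obj

def domains_of(value):
    return getattr(value, "domains", frozenset())

def derive(fn, *parts):
    """Compute fn(*parts) and carry the union of the inputs' tags onto the result."""
    tags = frozenset().union(*(domains_of(p) for p in parts))
    result = fn(*parts)
    return Tainted(result, tags) if tags else result

def host_in_domain(host, domain):
    # Exact match or a true subdomain; a bare suffix match would accept "notdropbox.com".
    return host == domain or host.endswith("." + domain)

def may_send(url, payload):
    """Sink check: tainted data may leave only to hosts inside every domain it is bound to."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return all(host_in_domain(host, d) for d in domains_of(payload))

def demo():
    # Constructed sample: the user bound this password to dropbox.com at entry time.
    pw = Tainted("correct horse", ["dropbox.com"])
    form = derive(lambda u, p: f"user={u}&pw={p}", "alice", pw)
    digest = derive(lambda p: hashlib.sha256(p.encode()).hexdigest(), pw)
    return {
        "login": may_send("https://api.dropbox.com/login", form),
        "vendor": may_send("https://stats.vendor.example/collect", form),
        "hashed": may_send("https://stats.vendor.example/collect", digest),
        "lookalike": may_send("https://notdropbox.com/login", form),
        "untainted": may_send("https://stats.vendor.example/collect", "ping"),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:10s} {'allow' if allowed else 'BLOCK'}")
```

The tag follows the password through formatting and hashing, so a transformed copy sent to the app vendor's own server is blocked just like the plaintext.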
SecureIME is the password entry component of ScreenPass. Besides functioning as an input method, SecureIME asks the user to associate a secure domain with the password being entered. Users can also actively select a secure domain for any other sensitive or private data. We plan to test the usability of SecureIME's new UI in this study.