We just posted our upcoming paper on ScreenPass, which will be presented at MobiSys ’13 in June. My group has been thinking about the problem of securing passwords on mobile devices a lot lately, and we think that ScreenPass is a big part of the solution.

Passwords are a critical glue between mobile apps and remote cloud services, and nearly all of the apps that I install ask for one or more passwords. Many people would like us to move beyond password-based authentication, but I doubt that this will happen anytime soon. Given how important and sensitive passwords are, it shouldn’t be a surprise that researchers have already found at least one malicious, password-stealing app in the wild (a very convincing fake NetFlix app). I suspect that we will see more of these kinds of attacks in the future.

The problem is that, right now, I have no idea what happens to the passwords I give to my apps. I’d like to know that if I give my Facebook password to an app, the data will only be sent to Facebook servers. Taint-tracking password data is almost certainly a big part of the solution, but secure password entry is also crucial. This is because password data can’t be tracked unless it is tagged by the operating system beforehand. If a malicious app can trick a user into inputting their password without the operating system’s knowledge, then there is no way for the OS to guarantee that my Facebook password is sent to only Facebook. This is where ScreenPass comes in.

ScreenPass guarantees that whenever a user enters her password, she can always (1) tell the operating system where it should be sent, and (2) know where the operating system thinks it should be sent. We provide these guarantees by ensuring that only a trusted software keyboard handles text input. In particular, ScreenPass performs optical character recognition (OCR) on the display at runtime to detect malicious apps that try to spoof the trusted software keyboard. ScreenPass is unique in that it is the first secure user interface to regulate what an app is allowed to write to the display (instead of regulating only where it can write on the display). There are many more details in the paper, including our ScreenPass prototype’s usability and energy overheads, as well as the results of a small app study (spoiler alert: we found a handful of non-malicious apps that send passwords to places you might not expect, and we easily detected the fake NetFlix app).

ScreenPass took several years to develop; we had a number of false starts early on, and it took a long time to put together a convincing evaluation. However, I’m very happy with the final paper, and am looking forward to presenting our work in Taipei in June!

We were really happy when we learned that our paper on YouProve had been accepted to SenSys 2011. YouProve is follow-up work to our HotMobile ’10 position paper on using trusted hardware (i.e., TPMs) to help participatory sensing services verify the authenticity of audio and photos collected from anonymous mobile devices. In other words, if you are building a service that uses photos and other media captured by anonymous mobile phone users, how can you know that the data you receive is authentic? How do you know that it hasn’t been invented or spoofed?

Even if you have secure hardware, there are a number of thorny issues that make these questions hard to answer, including user privacy, developer flexibility, legacy apps, users’ app choice, and devices’ limited bandwidth and battery power. YouProve is not a silver bullet, but we think it is a good start and hope that more people will work on this very important problem. Please drop me an email if you have any feedback.

I would also like to mention that one of the best things about this paper is that it has three undergraduate co-authors: Kyungmin (Jason) Lee, Henry Qin, and DJ Sharkey. We have excellent CS students at Duke, and you should definitely be trying to recruit them to your company or grad school.

In any case, the rest of the SenSys program looks great too, and I hope to see you in Seattle in November.