GuarDroid: A Trusted Path for Password Entry

Tianhao Tong and David Evans
Mobile Security Technologies (MoST)
San Francisco, CA
23 May 2013

Abstract

Sensitive online transactions are now frequently executed using smartphone clients. Whereas users of personal computers execute these transactions in a browser, smartphone users tend to use installed apps. These apps use username and password pairs as the primary authentication method and may come from untrusted parties, opening users up to attacks that steal users' passwords. We present GuarDroid, a system that protects users' passwords from untrusted apps. The key idea is to prevent apps from seeing passwords directly and to establish a trusted path between the user and the service that leverages the smartphone operating system as a trusted computing base. Our system does not require any modifications to existing apps or services, while still providing users with high assurance that they are not providing sensitive passwords to a rogue app.

Paper

Full paper (10 pages): [PDF]
Project Site: GuarDroid.net