![Page 1: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/1.jpg)
Cashtags: Protecting the Input and Display of Sensitive Data
Michael Mitchell, An-I Wang Peter ReiherFlorida State University University of California, Los Angeles
Session: Knock Knock. Who's There? Icy. Icy Who? I See You Too August 14 (Friday) @ 4:30 PM
![Page 2: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/2.jpg)
Overview
• Shoulder surfing is an increasing concern for mobile computing– Users frequently compute in public, risk visual
leaks
• Existing solutions inadequate– Only handle authentication, other threat vectors
• Cashtags permits input and access of sensitive data in public
Introduction Design Implementation Evaluation Conclusion
![Page 3: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/3.jpg)
3
Shoulder Surfing
![Page 4: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/4.jpg)
The Dangers are Everywhere
• Observation-based attacks come in many forms– 3 billion digital camera phones in circulation
• Becoming more capable, 40+ megapixels, 10x+ optical zoom
• Observation-based attacks can be complex– Sophisticated tools to capture user data– OCR solutions cheap & capable
• Exposure can make other attacks possible– Social engineering attacks, phishing, etc.
Introduction Design Implementation Evaluation Conclusion
![Page 5: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/5.jpg)
Observation-resistant Solutions
• Physical barriers
• Wearable technologies
• Graphical/gesture-based
• Hardware/biometrics
Introduction Design Implementation Evaluation Conclusion
![Page 6: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/6.jpg)
Existing Solutions Inadequate
• No general purpose solution exists for protection of any/all sensitive on-screen data– The visual channel remains open
Introduction Design Implementation Evaluation Conclusion
![Page 7: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/7.jpg)
Cashtags
• Cashtags: a system that defends against observation-based attacks– Easy-to-remember aliases for personally
identifiable information (PII)– Alias consists of $ + text• E.g. $visa to represent a 16-digit credit-card number
• Permits access to sensitive data in public –Without the fear of screen leaks
Introduction Design Implementation Evaluation Conclusion
![Page 8: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/8.jpg)
Cashtags
Introduction Design Implementation Evaluation Conclusion
![Page 9: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/9.jpg)
Threat Model
• Passive, observation-based attacks – Direct human observation– Live or recorded video
• Can view screen & key presses from keyboards, keypads, screen, etc.
• Absence of active attack– Observer is not able to influence user
Introduction Design Implementation Evaluation Conclusion
![Page 10: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/10.jpg)
Design Overview
• Interception of sensitive data display• Simple user interface• Access to sensitive data• Data format variants• Deployment model• Per-application behavior
Introduction Design Implementation Evaluation Conclusion
![Page 11: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/11.jpg)
Masking Granularity
• Coarse-grained masking– Mask entire app window or screen– Prevent leaks, also usage
• Data tracking– Fine-grained, predefined masked data, track data
elements through system– Less deployable, high overhead
• Keyword-based approach– Predefined data element masking– Data-tracking benefits without overhead
Introduction Design Implementation Evaluation Conclusion
![Page 12: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/12.jpg)
Where to Intercept Sensitive Data?
Frame Buffer
AppsBrowser
WebKit/Chromium Canvas
GL Surface Canvas
Surface Flinger
WebView GL Widgets & Views
Android API Widgets &Views
Applications
ApplicationFramework
Libraries &Android Runtime
Kernel & Device Drivers
Cashtags Interception
Cashtags Interception?
Cashtags Interception?
Cashtags Interception
![Page 13: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/13.jpg)
User Interface
• Early design– Code words, e.g. Joe John– Separate secure entry keyboard app– Replace default keyboard app
• Direct input of cashtags– Alias pre-pended with $, to represent PII
• Direct input of sensitive data– Support for auto-complete, detects first few letters– Some potential for information leak
Introduction Design Implementation Evaluation Conclusion
![Page 14: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/14.jpg)
14
Additional Cashtags Semantics
• Recursion support– $signature $fname $lname $gmail John Smith,
• Circular mapping prevention– $John $Joe $John $Joe $John ...
• Accounts, SSNs, etc. with different schemes– 123456789; 123-45-6789; 123 45 6789)– Regular expression libraries (java.util.regex.*)
Introduction Design Implementation Evaluation Conclusion
![Page 15: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/15.jpg)
Screen View Decomposition ExampleFrameLayout
TextView EditText
LinearLayout(vertical)
Button
ImageView
LinearLayout(horizontal)
ImageView
TextView EditText
TextView EditText
TextView
…
![Page 16: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/16.jpg)
Xposed Code-injection Framework
• Xposed code-injection intercepts and modifies runtime behavior– Change code without loss of portability
• Individual class methods/constructors hooked– Execute code before, after, or instead of base
function call– Alters function params, or return values– Access control changes
Introduction Design Implementation Evaluation Conclusion
![Page 17: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/17.jpg)
Widgets Intercepted
• Static text– TextView(android.widget.TextView)
• Editable text– EditText (android.widget.EditText)
• Graphical text– GLCanvas(android.view.GLES20Canvas)
• Web text–Webview(android.WebKit/WebView)
Introduction Design Implementation Evaluation Conclusion
![Page 18: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/18.jpg)
Widgets & Android View Hierarchy
Change here
Java inheritance implicitly handles all of these
View
TextView
EditText
AutoCompleteTextView
MultiAutoCompleteTextView
CheckedTextView Button
CheckBox SwitchRadioButton
Introduction Design Implementation Evaluation Conclusion
![Page 19: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/19.jpg)
TextView Behavior/Interception
Graphic canvas, Screen display,
Alternative outputs
Spell-check, autocorrect, copy/paste
services
TextView
Alias text
Actual Text
Current running app, web
uploads, local storage
$Cashtags
getText()
getText()
getText()
![Page 20: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/20.jpg)
EditText Behavior/Interception
Spell-check, autocorrect, copy/paste
services
EditText
Alias text
Actual Text Current running app, web
uploads, local storage
$Cashtags
setText(actual)setText(alias)
setText(actual)setText(alias)
![Page 21: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/21.jpg)
Evaluation
• Display and input accuracy– API coverage evaluation–Market app coverage evaluation
• Performance overhead• Usability overhead
Introduction Design Implementation Evaluation Conclusion
![Page 22: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/22.jpg)
Display & Input Accuracy
• Focus on TextViews & EditTexts• PII chosen based on US gov & NIST standards • Show that PII terms not displayed on-screen– From the app internally– As user input of sensitive data directly– As user input of cashtag alias
• For all cases, show that PII term correctly returned when used internally by the app
Introduction Design Implementation Evaluation Conclusion
![Page 23: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/23.jpg)
Display & Input Accuracy Diagram
Google Docs
Test Cases:Input type(4)
Phrase case(2)Widget type(9)Layout type(2)Theme type(3)Gen method(2)
Lifecycle type(2)
Screenshot & OCR
Only alias?
Only actual?
View Hierarchy Dump
System Input (actual)System Input (alias)User Input (actual)User Input (alias)
Introduction Design Implementation Evaluation Conclusion
![Page 24: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/24.jpg)
Android API Test CombinationsInput phrase type (4): Alphabetic phrase, numeric phrase, alphanumeric phrase, Alphanumeric with symbols.Phrase case (2): Case Sensitive Text, Case In-sensitive Text.Widget type (9): TextView, CheckedTextView, Button, CheckBox, RadioButton, Switch, EditText, AutoCompleteTextView,MultiAutoCompleteTextView
Layout type (2): LinearLayout, RelativeLayout
Theme type (3): Default theme, System theme, User-defined theme.Generation method (2): Static XML, Dynamic JavaLifecycle type (2): Activity-based app lifecycle, Fragment-based app lifecycle
Introduction Design Implementation Evaluation Conclusion
![Page 25: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/25.jpg)
App Coverage Evaluation
• Does Cashtags work with existing apps?• Millions of apps available to thousands of devices– Hard to enumerate all
• Thus, representative subset reasonable to demonstrate Cashtags, selected by:– Popularity (download metrics)– Can contain PII: email, messaging, social media,
storage, office, and finance– Can remotely verify correctness
Introduction Design Implementation Evaluation Conclusion
![Page 26: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/26.jpg)
App Coverage EvaluationUser Input Actual User Input cashtag Remote Success Actual Remote Success cashtag
Email √ √ √ √
Email Gmail √ √ √ √
Yahoo Mail √ √ √ √
Messaging √ √ √ √
Messaging Google Hangouts √ √ √ √
Snapchat √ √ √ √
Facebook √ √ √ √
Social Twitter √ √ √ √
Google+ √ √ √ √
Dropbox √ √ √ √
Storage MS OneDrive √ √ √ √
File Manager √ √ √ √
Google Docs √ √ √ √
Office MS Office Mobile √ √
QuickOffice √ √ √ √
Google Wallet √ √ √ √
Finance Paypal √ √ √ √
Square √ √ √ √
![Page 27: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/27.jpg)
Performance Evaluation
• System overhead (10 $cashtags)–With remote verification, ~2% increase in app
runtime–Without remote upload, ~3%
• Scalability (50, 100 $cashtags)–Within ~10% overhead with 100 entries– Performance degrades linearly with size
Introduction Design Implementation Evaluation Conclusion
![Page 28: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/28.jpg)
Future Work
• Increase coverage– API deviations need case-specific solutions
• Address common name issue– John $fname– Googles for John Adams, John Travolta, or John Williams
• Results $fname Adams, $fname Travolta, or $fname Williams
• Handle more data formats– Field expands across multiple TextViews not recognized,
(e.g., credit card split into parts)– Can be handled by adding each part to Cashtags repository
Introduction Design Implementation Evaluation Conclusion
![Page 29: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/29.jpg)
Handling Business Use Cases
• Cashtags envisioned to protect PII– Not limited to this narrow view, generalizes to
others
• Recursive alias expansions support complex hierarchies
• Simple modifications would permit wildcards– E.g. mask accounts with prefixes, patterns for
SSNs, CCs, etc.
Introduction Design Implementation Evaluation Conclusion
![Page 30: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/30.jpg)
Conclusion
• Cashtags is a first step toward protection against visual leaks of on-screen data
• Feasible to compute in public without exposing sensitive personal data
• System is efficient, maintains full functionality, near universal app compatibility
• Unified, device-wide protection against shoulder surfing threat
Introduction Design Implementation Evaluation Conclusion
![Page 31: Cashtags: Protecting the Input and Display of Sensitive Data Michael Mitchell, An-I Wang Peter Reiher Florida State University University of California,](https://reader036.vdocuments.us/reader036/viewer/2022062423/56649ee05503460f94bf0bca/html5/thumbnails/31.jpg)
Thank You
• This work is sponsored by NSF CNS-1065127. • Opinions, findings, conclusions or recommendations expressed in this
document do not necessarily reflect the views of the NSF, FSU, UCLA, or the U.S. government.
Questions?
Cashtags: Protecting the Input and Display of Sensitive Data
Michael J. [email protected]
Introduction Design Implementation Evaluation Conclusion