ABSTRACT
Mobile apps increasingly require users to log in to remote services such as Facebook and Twitter. Unfortunately, today's mobile platforms provide weak protection for login credentials such as passwords. To address this problem, we introduce the idea of an attested login and an embodiment of this idea called VeriUI. Attested login augments user credentials with a certificate describing the software and hardware that handled the credentials. Experiments with a VeriUI prototype found that it avoids the sluggish responsiveness of a thin-client approach, while a small app study indicates that VeriUI would require only minor changes to existing apps.
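The following added example illustrates the attested-login idea from a verifier's point of view; it is not VeriUI's code or protocol. It assumes a per-device attestation key (modelled here with an HMAC rather than the hardware-backed public-key signature a real deployment would use), a constructed allowlist of trusted boot-loader and login-UI measurements, a server-issued nonce for freshness, and a PBKDF2 password store. The names `device_attested_login`, `RemoteService` and `TRUSTED_STACKS` are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Constructed: a per-device attestation key. In a real design this key lives in
# hardware (TPM/TrustZone) and a public-key signature replaces this HMAC; the
# HMAC keeps the example self-contained with only the standard library.
DEVICE_ATTESTATION_KEY = secrets.token_bytes(32)

# Constructed: trusted measurements (SHA-256 of component images) of the boot
# loader and of the login-UI software that the verifier is willing to accept.
TRUSTED_BOOTLOADER = hashlib.sha256(b"boot loader image v1 (constructed)").hexdigest()
TRUSTED_LOGIN_UI = hashlib.sha256(b"login ui image v1 (constructed)").hexdigest()
TRUSTED_STACKS = {(TRUSTED_BOOTLOADER, TRUSTED_LOGIN_UI)}


def _canonical(statement):
    # Fixed key ordering so signer and verifier hash identical bytes.
    return json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()


def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_password_record(password):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _password_hash(password, salt)}


def device_attested_login(username, password, bootloader_hash, login_ui_hash, nonce):
    """Device side: bind the credentials the user typed to a description of the
    software that handled them, and sign the whole statement as one unit."""
    statement = {
        "username": username,
        "password": password,  # carried inside TLS in a real deployment
        "nonce": nonce,
        "bootloader": bootloader_hash,
        "login_ui": login_ui_hash,
    }
    tag = hmac.new(DEVICE_ATTESTATION_KEY, _canonical(statement), hashlib.sha256).hexdigest()
    return {"statement": statement, "attestation": tag}


class RemoteService:
    """Server side: accept a login only if the attestation verifies, the nonce is
    fresh, the reported software stack is trusted, and the password matches."""

    def __init__(self, users):
        self.users = users
        self.issued_nonces = set()

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return nonce

    def verify(self, msg):
        st = msg["statement"]
        expected = hmac.new(DEVICE_ATTESTATION_KEY, _canonical(st), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["attestation"]):
            return False, "bad attestation"
        if st["nonce"] not in self.issued_nonces:
            return False, "stale or unknown nonce"
        self.issued_nonces.discard(st["nonce"])  # each nonce is single-use
        if (st["bootloader"], st["login_ui"]) not in TRUSTED_STACKS:
            return False, "untrusted software handled the credentials"
        rec = self.users.get(st["username"])
        if rec is None or not hmac.compare_digest(rec["hash"], _password_hash(st["password"], rec["salt"])):
            return False, "bad credential"
        return True, "ok"


def demo():
    """Run four constructed logins and return the verifier's decision for each."""
    service = RemoteService({"alice": make_password_record("correct horse")})
    results = []
    # 1. genuine login from the trusted stack
    msg = device_attested_login("alice", "correct horse", TRUSTED_BOOTLOADER, TRUSTED_LOGIN_UI, service.new_nonce())
    results.append(service.verify(msg))
    # 2. the same message presented a second time
    results.append(service.verify(msg))
    # 3. correct password, but handled by a login UI the verifier does not trust
    other_ui = hashlib.sha256(b"unknown login ui (constructed)").hexdigest()
    msg = device_attested_login("alice", "correct horse", TRUSTED_BOOTLOADER, other_ui, service.new_nonce())
    results.append(service.verify(msg))
    # 4. statement altered after signing: the attestation no longer matches
    msg = device_attested_login("alice", "wrong", TRUSTED_BOOTLOADER, TRUSTED_LOGIN_UI, service.new_nonce())
    msg["statement"]["password"] = "correct horse"
    results.append(service.verify(msg))
    return results
```

The point of checking the attestation and the software measurements before the password is that a correct password on its own is no longer sufficient: the service learns which boot loader and login UI handled the credentials and can refuse logins that came through software it does not recognise.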
VeriUI: attested login for mobile devices