DOI: 10.1145/2639108.2639141

Itus: an implicit authentication framework for android

Published: 07 September 2014

Abstract

Security and usability issues with pass-locks on mobile devices have prompted researchers to develop implicit authentication (IA) schemes, which continuously and transparently authenticate users using behavioural biometrics. Contemporary IA schemes proposed by the research community are challenging to deploy, and there is a need for a framework that supports: different behavioural classifiers, given that different apps have different requirements; app developers using IA without becoming domain experts; and real-time classification on resource-constrained mobile devices. We present Itus, an IA framework for Android that allows the research community to improve IA schemes incrementally, while allowing app developers to adopt these improvements at their own pace.
We describe the Itus framework and how it provides:

  • ease of use: Itus allows app developers to use IA by changing as few as two lines of their existing code. On the other hand, Itus provides an oracle capable of making advanced recommendations should developers wish to fine-tune the classifiers;
  • flexibility: developers can deploy Itus in an application-specific manner, adapting to their unique needs;
  • extensibility: researchers can contribute new behavioural features and classifiers without worrying about deployment particulars;
  • low performance overhead: Itus operates with minimal performance overhead, allowing app developers to deploy it without compromising end-user experience.

These goals are accomplished with an API allowing individual stakeholders to incrementally improve Itus without re-engineering new systems. We implement Itus in two demo apps and measure its performance impact. To our knowledge, Itus is the first open-source extensible IA framework for Android that can be deployed off-the-shelf.

Published In

MobiCom '14: Proceedings of the 20th annual international conference on Mobile computing and networking
September 2014
650 pages
ISBN: 9781450327831
DOI: 10.1145/2639108

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

  1. behavioural biometrics
  2. implicit authentication
  3. security

Qualifiers

  • Research-article

Conference

MobiCom'14

Acceptance Rates

MobiCom '14 Paper Acceptance Rate 36 of 220 submissions, 16%;
Overall Acceptance Rate 440 of 2,972 submissions, 15%
