Keyboard or keylogger?: A security analysis of third-party keyboards on Android

Junsung Cho; Geumhwan Cho; Hyoungshick Kim

doi:10.1109/PST.2015.7232970

Keyboard or keylogger? A security analysis of third-party keyboards on Android

Junsung Cho
, Geumhwan Cho
, Hyoungshick Kim

Department of Computer Science and Engineering

Sungkyunkwan University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

13 Scopus citations

Abstract

Use of third-party keyboards makes Android more flexible and customizable. However, we demonstrate their potential security risks by implementing a proof-of-concept keylogger that can effectively steal users' sensitive keystrokes with 81 popular websites (out of 100 tested websites). We also empirically analyzed the security behaviors of 139 keyboard applications that were available on Google Play. Our study results show that the majority of existing keyboard applications (84 out of 139) could be potentially misused as malicious keyloggers. To avoid such keylogging attacks, we discuss possible defense mechanisms.

Original language	English
Title of host publication	2015 13th Annual Conference on Privacy, Security and Trust, PST 2015
Editors	Huseyin Hisil, Ali Ghorbani, Joaquin Garcia-Alfaro, Ahmet Koltuksuz, Vincenc Torra, Jie Zhang, Murat Sensoy, Ibrahim Zincir, Ali Miri
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	173-176
Number of pages	4
ISBN (Electronic)	9781467378284
DOIs	https://doi.org/10.1109/PST.2015.7232970
State	Published - 31 Aug 2015
Event	13th Annual Conference on Privacy, Security and Trust, PST 2015 - Izmir, Turkey Duration: 21 Jul 2015 → 23 Jul 2015

Publication series

Name	2015 13th Annual Conference on Privacy, Security and Trust, PST 2015

Conference

Conference	13th Annual Conference on Privacy, Security and Trust, PST 2015
Country/Territory	Turkey
City	Izmir
Period	21/07/15 → 23/07/15

Access to Document

10.1109/PST.2015.7232970

Cite this

Cho, J., Cho, G., & Kim, H. (2015). Keyboard or keylogger? A security analysis of third-party keyboards on Android. In H. Hisil, A. Ghorbani, J. Garcia-Alfaro, A. Koltuksuz, V. Torra, J. Zhang, M. Sensoy, I. Zincir, & A. Miri (Eds.), 2015 13th Annual Conference on Privacy, Security and Trust, PST 2015 (pp. 173-176). Article 7232970 (2015 13th Annual Conference on Privacy, Security and Trust, PST 2015). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/PST.2015.7232970

Cho, Junsung ; Cho, Geumhwan ; Kim, Hyoungshick. / Keyboard or keylogger? A security analysis of third-party keyboards on Android. 2015 13th Annual Conference on Privacy, Security and Trust, PST 2015. editor / Huseyin Hisil ; Ali Ghorbani ; Joaquin Garcia-Alfaro ; Ahmet Koltuksuz ; Vincenc Torra ; Jie Zhang ; Murat Sensoy ; Ibrahim Zincir ; Ali Miri. Institute of Electrical and Electronics Engineers Inc., 2015. pp. 173-176 (2015 13th Annual Conference on Privacy, Security and Trust, PST 2015).

@inproceedings{64ee826a0190495f9585bafcc7025e13,

title = "Keyboard or keylogger?: A security analysis of third-party keyboards on Android",

abstract = "Use of third-party keyboards makes Android more flexible and customizable. However, we demonstrate their potential security risks by implementing a proof-of-concept keylogger that can effectively steal users' sensitive keystrokes with 81 popular websites (out of 100 tested websites). We also empirically analyzed the security behaviors of 139 keyboard applications that were available on Google Play. Our study results show that the majority of existing keyboard applications (84 out of 139) could be potentially misused as malicious keyloggers. To avoid such keylogging attacks, we discuss possible defense mechanisms.",

author = "Junsung Cho and Geumhwan Cho and Hyoungshick Kim",

note = "Publisher Copyright: {\textcopyright} 2015 IEEE.; 13th Annual Conference on Privacy, Security and Trust, PST 2015 ; Conference date: 21-07-2015 Through 23-07-2015",

year = "2015",

month = aug,

day = "31",

doi = "10.1109/PST.2015.7232970",

language = "English",

series = "2015 13th Annual Conference on Privacy, Security and Trust, PST 2015",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "173--176",

editor = "Huseyin Hisil and Ali Ghorbani and Joaquin Garcia-Alfaro and Ahmet Koltuksuz and Vincenc Torra and Jie Zhang and Murat Sensoy and Ibrahim Zincir and Ali Miri",

booktitle = "2015 13th Annual Conference on Privacy, Security and Trust, PST 2015",

}

Cho, J, Cho, G & Kim, H 2015, Keyboard or keylogger? A security analysis of third-party keyboards on Android. in H Hisil, A Ghorbani, J Garcia-Alfaro, A Koltuksuz, V Torra, J Zhang, M Sensoy, I Zincir & A Miri (eds), 2015 13th Annual Conference on Privacy, Security and Trust, PST 2015., 7232970, 2015 13th Annual Conference on Privacy, Security and Trust, PST 2015, Institute of Electrical and Electronics Engineers Inc., pp. 173-176, 13th Annual Conference on Privacy, Security and Trust, PST 2015, Izmir, Turkey, 21/07/15. https://doi.org/10.1109/PST.2015.7232970

Keyboard or keylogger? A security analysis of third-party keyboards on Android. / Cho, Junsung; Cho, Geumhwan; Kim, Hyoungshick.
2015 13th Annual Conference on Privacy, Security and Trust, PST 2015. ed. / Huseyin Hisil; Ali Ghorbani; Joaquin Garcia-Alfaro; Ahmet Koltuksuz; Vincenc Torra; Jie Zhang; Murat Sensoy; Ibrahim Zincir; Ali Miri. Institute of Electrical and Electronics Engineers Inc., 2015. p. 173-176 7232970 (2015 13th Annual Conference on Privacy, Security and Trust, PST 2015).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Keyboard or keylogger?

T2 - 13th Annual Conference on Privacy, Security and Trust, PST 2015

AU - Cho, Junsung

AU - Cho, Geumhwan

AU - Kim, Hyoungshick

PY - 2015/8/31

Y1 - 2015/8/31

N2 - Use of third-party keyboards makes Android more flexible and customizable. However, we demonstrate their potential security risks by implementing a proof-of-concept keylogger that can effectively steal users' sensitive keystrokes with 81 popular websites (out of 100 tested websites). We also empirically analyzed the security behaviors of 139 keyboard applications that were available on Google Play. Our study results show that the majority of existing keyboard applications (84 out of 139) could be potentially misused as malicious keyloggers. To avoid such keylogging attacks, we discuss possible defense mechanisms.

AB - Use of third-party keyboards makes Android more flexible and customizable. However, we demonstrate their potential security risks by implementing a proof-of-concept keylogger that can effectively steal users' sensitive keystrokes with 81 popular websites (out of 100 tested websites). We also empirically analyzed the security behaviors of 139 keyboard applications that were available on Google Play. Our study results show that the majority of existing keyboard applications (84 out of 139) could be potentially misused as malicious keyloggers. To avoid such keylogging attacks, we discuss possible defense mechanisms.

UR - https://www.scopus.com/pages/publications/84958645893

U2 - 10.1109/PST.2015.7232970

DO - 10.1109/PST.2015.7232970

M3 - Conference contribution

AN - SCOPUS:84958645893

T3 - 2015 13th Annual Conference on Privacy, Security and Trust, PST 2015

SP - 173

EP - 176

BT - 2015 13th Annual Conference on Privacy, Security and Trust, PST 2015

A2 - Hisil, Huseyin

A2 - Ghorbani, Ali

A2 - Garcia-Alfaro, Joaquin

A2 - Koltuksuz, Ahmet

A2 - Torra, Vincenc

A2 - Zhang, Jie

A2 - Sensoy, Murat

A2 - Zincir, Ibrahim

A2 - Miri, Ali

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 21 July 2015 through 23 July 2015

ER -

Cho J, Cho G, Kim H. Keyboard or keylogger? A security analysis of third-party keyboards on Android. In Hisil H, Ghorbani A, Garcia-Alfaro J, Koltuksuz A, Torra V, Zhang J, Sensoy M, Zincir I, Miri A, editors, 2015 13th Annual Conference on Privacy, Security and Trust, PST 2015. Institute of Electrical and Electronics Engineers Inc. 2015. p. 173-176. 7232970. (2015 13th Annual Conference on Privacy, Security and Trust, PST 2015). doi: 10.1109/PST.2015.7232970