Security Analysis of Secure Virtual Keyboards in Android Mobile Payment Apps

Abstract

Mobile payment applications typically employ extra security measures due to the sensitivity of information that they handle. This paper investigates the security of secure virtual keyboards which are frequently used in South Korea. Unlike numerous studies on Android apps in the past, analyzing payment apps is particularly challenging as they use obfuscation. To overcome these difficulties, we extend TaintDroid to leverage the user interfaces that keyboards use to interact with others. With the tool, we examine how securely these apps handle encrypted user input through secure virtual keyboards. We find that although these apps encrypt user data through a third-party secure virtual keyboard library to protect against memory dumping attack, all the target apps decrypt all the sensitive information using the decryption APIs of secure virtual keyboard libraries, increasing a vulnerability time window. We conclude the paper with a discussion of possible countermeasures.