S-Space College of Engineering/Engineering Practice School (공과대학/대학원) Dept. of Computer Science and Engineering (컴퓨터공학부) Theses (Master's Degree_컴퓨터공학부)
Security Analysis of Secure Virtual Keyboards in Android Mobile Payment Apps
안드로이드 금융앱 보안키패드 분석
- 공과대학 컴퓨터공학부
- Issue Date
- 서울대학교 대학원
- 학위논문 (석사)-- 서울대학교 대학원 : 컴퓨터공학부, 2016. 2. 전병곤.
- Mobile payment applications typically employ extra security measures due to the sensitivity of information that they handle. This paper investigates the security of secure virtual keyboards which are frequently used in South Korea. Unlike numerous studies on Android apps in the past, analyzing payment apps is particularly challenging as they use obfuscation. To overcome these difficulties, we extend TaintDroid to leverage the user interfaces that keyboards use to interact with others. With the tool, we examine how securely these apps handle encrypted user input through secure virtual keyboards. We find that although these apps encrypt user data through a third-party secure virtual keyboard library to protect against memory dumping attack, all the target apps decrypt all the sensitive information using the decryption APIs of secure virtual keyboard libraries, increasing a vulnerability time window. We conclude the paper with a discussion of possible countermeasures.