Many smartphone apps require users to enter a login name and a password. But some apps aren’t what they seem, and they can capture a user’s information. Duke University researchers have developed a way to stop that.
Duke computer scientist Landon Cox and his team have developed “ScreenPass,” a new feature that can be added to the operating system of Android phones to prevent malicious apps from stealing passwords and forwarding them to an untrusted server.
“Passwords are a critical glue between mobile apps and remote cloud services,” Cox said in a statement. “The problem right now is that users have no idea what happens to the passwords they give to their apps.”
ScreenPass aims to solve that problem. It offers a special-purpose software keyboard for users to securely enter sensitive text, such as their passwords. An area below the keyboard allows users to tell ScreenPass where they want their text sent, such as Google, Facebook, or Twitter. ScreenPass then tracks a user’s password data as the app runs and notifies the user if an app tries to send a password to the wrong place.
Cox and his team presented ScreenPass at the MobiSys 2013 conference in Taipei on Thursday. Cox’s team plans to make ScreenPass publicly available to continue to improve smartphone password security.