Visible to the public IM-Visor: A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone

TitleIM-Visor: A Pre-IME Guard to Prevent IME Apps from Stealing Sensitive Keystrokes Using TrustZone
Publication TypeConference Paper
Year of Publication2017
AuthorsTian, C., Wang, Y., Liu, P., Zhou, Q., Zhang, C., Xu, Z.
Conference Name2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
ISBN Number978-1-5386-0542-4
KeywordsAndroid (operating system), Android users, Androids, colluding attacks, Human Behavior, human factors, Humanoid robots, IM-visor, innovative TrustZone-based framework, input method editor, Keyboards, keystroke analysis, Metrics, mobile computing, PHA, potentially harmful apps, pre-IME guard, prefix-substitution attack, pubcrawl, Runtime, security, sensitive keystrokes, smart phones, third-party IME, Trusted Computing

Third-party IME (Input Method Editor) apps are often the preference means of interaction for Android users' input. In this paper, we first discuss the insecurity of IME apps, including the Potentially Harmful Apps (PHA) and malicious IME apps, which may leak users' sensitive keystrokes. The current defense system, such as I-BOX, is vulnerable to the prefix-substitution attack and the colluding attack due to the post-IME nature. We provide a deeper understanding that all the designs with the post-IME nature are subject to the prefix-substitution and colluding attacks. To remedy the above post-IME system's flaws, we propose a new idea, pre-IME, which guarantees that "Is this touch event a sensitive keystroke?" analysis will always access user touch events prior to the execution of any IME app code. We designed an innovative TrustZone-based framework named IM-Visor which has the pre-IME nature. Specifically, IM-Visor creates the isolation environment named STIE as soon as a user intends to type on a soft keyboard, then the STIE intercepts, translates and analyzes the user's touch input. If the input is sensitive, the translation of keystrokes will be delivered to user apps through a trusted path. Otherwise, IM-Visor replays non-sensitive keystroke touch events for IME apps or replays non-keystroke touch events for other apps. A prototype of IM-Visor has been implemented and tested with several most popular IMEs. The experimental results show that IM-Visor has small runtime overheads.

Citation Keytian_im-visor:_2017