Proof-of-Concept Android Trojan Uses Motion Sensors To Steal Passwords

Soulskill posted more than 2 years ago | from the for-when-normal-keylogging-is-just-too-precise dept.

Android 105

judgecorp writes "TapLogger, a proof-of-concept Trojan for Android developed by researchers at Pennsylvania State University and IBM, uses information from the phone's motion sensor to deduce what keys the user has tapped (PDF), thus revealing otherwise-hidden information such as passwords and PINs."

105 comments

yikes! (5, Insightful)

noh8rz3 (2593935) | more than 2 years ago | (#39774667)

We talk often about mobile viruses and I've become somewhat inured to it (another malware embedded in rogue angry birds? yawn). But this is scary, brave new world scary.

Re:yikes! (2)

kthreadd (1558445) | more than 2 years ago | (#39775003)

Not scary, open!

Re:yikes! (2)

hierophanta (1345511) | more than 2 years ago | (#39775055)

+1 good vocabulary

Re:yikes! (1)

jeffmeden (135043) | more than 2 years ago | (#39775149)

Are you kidding? If you have a rogue app on your device it's probably going to find a way to steal all kinds of information. This is nothing more than a pretty interesting new use for motion sensors. It is not, however, any surprise that a rogue app can have whatever it wants from your smartphone, motion sensors or not.

Re:yikes! (5, Insightful)

tchuladdiass (174342) | more than 2 years ago | (#39775405)

The reason this is significant is that apps are usually installed with limited access to items it doesn't need. So normally a bad app won't be able to steal passwords, or lift your address book, unless you give it permissions. This demonstration is simply showing a covert channel for information leakage that people may not have thought about before.

Re:yikes! (1)

AmberBlackCat (829689) | more than 2 years ago | (#39776845)

I wonder how hard would it be to issue an update that only allows accelerometer data to be passed to the app in the foreground.

Re:yikes! (1)

Anonymous Coward | more than 2 years ago | (#39777391)

There are plenty of legitimate reasons to need accelerometer data in the background though. One app I use frequently logs data while I am jogging. I don't want it to stop logging if I have my music player or map in the foreground.

Re:yikes! (1)

Eraesr (1629799) | more than 2 years ago | (#39779849)

I'm pretty sure most people don't look at what access they grant an app when they install it anyway. The whole "this app needs these permissions" screen on Android is worthless as a large scale (as in: for the majority of users) security measure.

Re:yikes! (0)

Anonymous Coward | more than 2 years ago | (#39780583)

I agree. And there is no stupid way to selectively say YES/NO to those permissions. Either you can accept the whole bunch of permissions or you can reject and choose to not install the application. Some permission manager apps are available but usually the application just force closes. It might be more helpful if such permission managers would provide runtime stubs for necessary functions so they can really be useful.

Re:yikes! (1)

masternerdguy (2468142) | more than 2 years ago | (#39776043)

Until it can be installed remotely or by some kind of drive by download, this isn't a problem. People who run any APK they find deserve to catch nasty diseases.

Re:yikes! (2)

noh8rz3 (2593935) | more than 2 years ago | (#39776417)

You mean, people who run any APK they find deserve to infect their friends and colleagues with nasty diseases? Cuz I can't say I agree with that sort of laissez-faire attitude. Surely in the name of public health we should expend a little effort helping those who won't help themselves.

Re:yikes! (1)

PuZZleDucK (2478702) | more than 2 years ago | (#39778433)

... deserve to infect their friends and colleagues with nasty diseases? ...

It's malware, but it's _not_ a virus, so I don't know why you'd be concerned with friends and colleagues catching anything.

Re:yikes! (1)

noh8rz3 (2593935) | more than 2 years ago | (#39778469)

no, this is a new vector for malware. could be virus, or etc.

Re:yikes! (1)

aiht (1017790) | more than 2 years ago | (#39780151)

no, this is a new vector for malware. could be virus, or etc.

No, it isn't. This is a technique that could be used by malware after it's installed. In no way can it help malware to install itself. Do you actually know what vector means, in the context of diseases or viruses?

Re:yikes! (0)

Anonymous Coward | more than 2 years ago | (#39778541)

> people who run any APK they find deserve to infect their friends and colleagues with nasty diseases?

And how do they do that, pray tell? AFAIK, there are no such remote exploits for Android and all the Android malware are trojans depending on users to install it and allow to do things to their phones.

Re:yikes! (1)

william smith6161 (2624079) | more than 2 years ago | (#39780077)

really amazing

Swype (5, Interesting)

Pat Attack (1353585) | more than 2 years ago | (#39774697)

I wonder if it would work on those of us who use a Swype keyboard. Then again, I do tap out my passwords. A thought: If you randomize the keyboard for password entries, that would make it harder to discern from malware like that and the over-the-shoulder attack.

Franklin said it best. (4, Funny)

Anonymous Coward | more than 2 years ago | (#39774791)

Those who would give up essential usability to purchase a little temporary security, deserve neither usability nor security.

Re:Franklin said it best. (3, Insightful)

Entropius (188861) | more than 2 years ago | (#39775015)

This is just a further illustration of the basic idea that letting someone run arbitrary code on your system is a bad idea, and that access to external communications and sensors breaks sandboxing. Someone with the ability to turn on a webcam, for instance, can do all sorts of nefarious things, including seeing you type your password reflected in your glasses if it's high-enough resolution.

Re:Franklin said it best. (0)

Anonymous Coward | more than 2 years ago | (#39775053)

"That vulnerability is purely theoretical."

Re:Franklin said it best. (3, Insightful)

h4rr4r (612664) | more than 2 years ago | (#39775089)

So don't install their code. The flip side is that it is even worse if someone else gets to decide what arbitrary code is allowed to run on your system.

Re:Franklin said it best. (1)

masternerdguy (2468142) | more than 2 years ago | (#39776061)

So you'd rather not be able to install the occasional important program from beyond the market ("arbitrary code") to gain a small amount of security instead of just being careful what APK you choose to install? That's sad.

Re:Franklin said it best. (1)

Entropius (188861) | more than 2 years ago | (#39776635)

No, it means that I am not going to install code without trusting where it came from. People are criticizing this as a vulnerability in Android -- it's not. It's just a demonstration that someone who wants to hurt you and can run code on your system can do so.

Re:Franklin said it best. (1)

Sigg3.net (886486) | more than 2 years ago | (#39779941)

Wow, your technical knowledge is just amazing! You should try to get a job at one of those Crime Scene Investigations units.

Enhance!

Re:Franklin said it best. (1)

PessimysticRaven (1864010) | more than 2 years ago | (#39775077)

Those who would give up essential usability to purchase a little temporary security, deserve neither usability nor security.

Yes... But he said liberty, not usability.

Re:Swype (0)

Anonymous Coward | more than 2 years ago | (#39774811)

You can store 4 or 5 letters of your password in groups as swipe dictionary words, then swipe your password pausing between each group, it won't enter a space between them.

Re:Swype (2)

x1r8a3k (1170111) | more than 2 years ago | (#39774817)

I have a slide out physical keyboard on my phone. I think that's the simplest way to defeat this.

Also this seems to only be able to get the location of taps and infer what you've typed. What if I'm using a non standard keyboard layout?

Re:Swype (1)

Qzukk (229616) | more than 2 years ago | (#39775021)

What if I'm using a non standard keyboard

They have merged it with a game to calibrate it to your usage. After you've typed all the letters of the alphabet several times each, it'll know how your wrists twist to get your thumbs to all the keys of whatever keyboard you're using, whether it's physical or onscreen.

Re:Swype (1)

Waldeinburg (737568) | more than 2 years ago | (#39779921)

As I understand the article, the game has nothing to do with the alphabet. They assume your layout is an ordinary numpad-layout and let the user play an icon matching game: In a 3x4 icon grid, "tap to pick up paired icons". So the game will not work with a physical keyboard and will not detect non-standard layout.

Re:Swype (4, Interesting)

robmv (855035) | more than 2 years ago | (#39775751)

long term better solution is that OS fields for passwords and PIN keypads disable applications access to motion sensor data. If you are custom drawing a password field and not using the OS provided one, add an API to hide motion sensor data when you need it

Re:Swype (1)

cream wobbly (1102689) | more than 2 years ago | (#39776669)

You're comparing an on-screen keyboard, with no easy way to discern accidental taps, with a physical keyboard with key action easily discernible from accidental taps. I think you might want to revise your stance a touch :-)

Otoh, using an external keyboard would defeat this, as would restricting usage to those times when you're aboard a roller coaster.

Re:Swype (1)

x1r8a3k (1170111) | more than 2 years ago | (#39776839)

as would restricting usage to those times when you're aboard a roller coaster.

That gives me an idea -- put in a more powerful vibrator and run it whenever a text field is active. I'm sure Google will pay millions for this!

Re:Swype (1)

PickyH3D (680158) | more than 2 years ago | (#39774891)

Not to attack the idea, but wouldn't a randomized keyboard slow down your typing as you search for the keys, thus enabling the shoulder-surfer to watch as you struggle? I agree that would likely beat the Malware assuming that the malware reading your motion sensors can't also figure out what keyboard is being displayed.

Re:Swype (1)

cream wobbly (1102689) | more than 2 years ago | (#39776677)

I think he's talking about manually randomizing your keyboard choice.

Re:Swype (2)

HexaByte (817350) | more than 2 years ago | (#39775533)

Better than that, we could all just start randomly moving our devices while typing our passwords, or dancing some hip-hop moves while doing so.

I don't think they'll be able to adjust for that!

Re:Swype (1)

Pat Attack (1353585) | more than 2 years ago | (#39775679)

Brilliant! Obfuscation through too much data.

Re:Swype (1)

cream wobbly (1102689) | more than 2 years ago | (#39776687)

Attach it to your pleasuring device of choice.

Re:Swype (1)

markyosti (2621289) | more than 2 years ago | (#39779375)

eheh :-). Just jump while typing, that will do it.

Seriously, this reminds me of an article I've read a few days ago about software being able to guess the characters pressed on a keyboard by listening to the sound and interval of the keypresses.

Re:Swype (1)

camperdave (969942) | more than 2 years ago | (#39777261)

All the more reason to use passfaces. Shows random faces, except one, in random locations. Tap on the face you recognize. Since the location of the key face is in a random position, the sensor data is also random.

New Wave of Virus (2)

lipanitech (2620815) | more than 2 years ago | (#39774725)

This is the next wave in mobile malware; it affects iPhone as well. I guess no smart phone is safe. I guess they did not bother with blackberry. lol

Re:New Wave of Virus (1)

Anonymous Coward | more than 2 years ago | (#39774867)

Actually purely by coincidence this won't affect WP7, which doesn't allow apps to run in the background.

Re:New Wave of Virus (1)

PickyH3D (680158) | more than 2 years ago | (#39775043)

WP7 does allow apps to run in the background. It does not allow apps to access certain APIs while running in the background, such as VOIP controls (e.g., Skype). That's not too dissimilar from what Apple does on iOS [apple.com].

Re:New Wave of Virus (1)

recoiledsnake (879048) | more than 2 years ago | (#39776055)

WP7 does allow apps to run in the background. It does not allow apps to access certain APIs while running in the background, such as VOIP controls (e.g., Skype). That's not too dissimilar from what Apple does on iOS [apple.com].

With WP7, background tasks cannot run constantly like they can do on Android. The OS schedules them every 30 min (on battery and cellular data) or every 15 mins (on plugged in power and WiFi) or totally shut off (battery is low and the battery saver is enabled).

Re:New Wave of Virus (4, Funny)

SJHillman (1966756) | more than 2 years ago | (#39774877)

Blackberry is the OS/2 of the mobile world.

Re:New Wave of Virus (-1)

Anonymous Coward | more than 2 years ago | (#39775027)

Blackberry is the OS/2 of the mobile world.

Go ahead, I dare you to expand that pathetic attempt at sloganeering into a logical treatise.

Regardless, do they pay you directly, or does google (or apple) employ you through an agency?

Re:New Wave of Virus (2)

SJHillman (1966756) | more than 2 years ago | (#39775285)

Ok, here's the comparison:

OS/2 was once great, but was a little ahead of its time so it ended up slowly fading away. It's still used and will likely be used for time to come even after support has completely dried up.

Blackberry was once great, but was a little ahead of the smartphone curve so now it's slowly fading away. It's still used and will likely be used for time to come even after support has completely dried up.

Re:New Wave of Virus (1)

cream wobbly (1102689) | more than 2 years ago | (#39776709)

Not only that, but Blackberry can run apps written for the competition, so nobody bothers writing for Blackberry directly any more.

Oh wait...

Re:New Wave of Virus (0)

noh8rz3 (2593935) | more than 2 years ago | (#39774981)

No, the f a said the motion sensing algorithms would work in concept on an iPhone. But the malware vector doesn't exist, and the multitasking model would prevent this practice from running in the background. So, like all malware, this one is android only.

Re:New Wave of Virus (0)

Anonymous Coward | more than 2 years ago | (#39775315)

No, the f a said the motion sensing algorithms would work in concept on an iPhone. But the malware vector doesn't exist, and the multitasking model would prevent this practice from running in the background. So, like all malware, this one is android only.

Oh, right, because nobody jailbreaks their iPhone and sets it up to download apps from an alternative *couchcydiacough* store lacking Apple's QC oversight... gotcher malware vector right here, buddy -- dumb users running with system privileges they don't need clicking on the shiny, same as ever.

Re:New Wave of Virus (1)

X0563511 (793323) | more than 2 years ago | (#39776205)

... did you just expel a couch from your face? Ouch!

Re:New Wave of Virus (0)

Anonymous Coward | more than 2 years ago | (#39776581)

So, like all malware, this one is android only.

Retard alert.

Re:New Wave of Virus (0)

Anonymous Coward | more than 2 years ago | (#39777185)

No, the f a said the motion sensing algorithms would work in concept on an iPhone. But the malware vector doesn't exist, and the multitasking model would prevent this practice from running in the background. So, like all malware, this one is android only.

Gather 'round, slashdot. For future reference, THIS is Begging The Question. To everyone who has been using it wrong for the past umpteen years, please take notes. That is what a logical fallacy looks like.

Well, that's pretty clever (5, Informative)

jfengel (409917) | more than 2 years ago | (#39774727)

According to TFA, the idea is actually somebody else's and previously published. This is an extension of the idea that uses a training phase, presumably a part of the Trojan where the user interacts with the phone for benign reasons (perhaps playing a game or entering data for a legitimate purpose) that it uses to calibrate the correlation between taps and the accelerometers.

It's pretty clever. Presumably, it can be defeated by refusing to allow background apps to have access to the sensors, though I can imagine applications where you want to allow that kind of thing (pedometers, for example).

Re:Well, that's pretty clever (2, Funny)

YodasEvilTwin (2014446) | more than 2 years ago | (#39774793)

I always give pedos access to my vibration sensors.

Re:Well, that's pretty clever (1)

Lussarn (105276) | more than 2 years ago | (#39775061)

Best way to defeat this would be to stop the sensors (for background apps) when the keyboard is up. But really, if you got some nasty trojan on there you got problems anyway, and password stealing by reading sensors is probably not the worst of them.

Re:Well, that's pretty clever (1)

jeffmeden (135043) | more than 2 years ago | (#39777091)

According to TFA, the idea is actually somebody else's and previously published. This is an extension of the idea that uses a training phase, presumably a part of the Trojan where the user interacts with the phone for benign reasons (perhaps playing a game or entering data for a legitimate purpose) that it uses to calibrate the correlation between taps and the accelerometers.

It's pretty clever. Presumably, it can be defeated by refusing to allow background apps to have access to the sensors, though I can imagine applications where you want to allow that kind of thing (pedometers, for example).

The dead giveaway would be the app that keeps the motion sensors alive all the time crushing the battery usage stats on the phone. Not that many are bothered to check for such things, but it's a dead giveaway that an app that's not supposed to be running is alive and doing nefarious things (especially if the motion driver is high on the usage list too).

So what you're saying is... (0)

Anonymous Coward | more than 2 years ago | (#39774733)

Any device with access to the motion sensors using a touchscreen running some software can theoretically do this, not just Android.

I'm not going to click on the link, but I'll bet there's an i Fanboi authoring this article.

then we need to have a key randomizer (1)

Joe_Dragon (2206452) | more than 2 years ago | (#39774757)

so they can't say have pos 24,53 = h each time.

Re:So what you're saying is... (1)

ThunderBird89 (1293256) | more than 2 years ago | (#39774773)

Not likely, the article makes a reference to the iPhone making accelerometer data available to unprivileged apps as well. The title probably stems from the fact that Android allowed this to be tested, while iPhone's lack of sideloading probably ruled out a proof-of-concept attack...

Re:So what you're saying is... (0)

Anonymous Coward | more than 2 years ago | (#39774893)

Or perhaps the guy developing the attack didn't feel like buying a Mac solely for the purpose of iOS app development.

Re:So what you're saying is... (1)

noh8rz3 (2593935) | more than 2 years ago | (#39774997)

Yes, but for iPhone it would only work when you explicitly open the proof of concept app. It can't lurk in the background to grab your PINs

Re:So what you're saying is... (0)

Anonymous Coward | more than 2 years ago | (#39775117)

How exactly do you think devs test their iPhone apps?

Re:So what you're saying is... (0)

Anonymous Coward | more than 2 years ago | (#39778241)

Judging by the quality of some apps, it seems testing is done by releasing the app and waiting for feedback from angry users.

I find this hard to believe (4, Insightful)

ThunderBird89 (1293256) | more than 2 years ago | (#39774739)

I find it hard to believe that the motion sensor can be sensitive enough to detect such minuscule changes, when I sometimes need to tap the phone against the desk to have it acknowledge rotation. Also, if the phone is placed on the table to enter the passwords, most of the supposed motion is eliminated, significantly frustrating the attack.

Re:I find this hard to believe (5, Insightful)

SJHillman (1966756) | more than 2 years ago | (#39774917)

It's not a perfect attack, but it doesn't need to be successful against every single user on every single phone. Most modern smartphones don't require physical abuse to register motion and most smartphone users don't put the phone down, put the password in, then pick it back up every single time. How about an analogy? Let's say there's a PC virus that exploits the wheel function of a USB mouse. Not every PC will have a USB mouse with a wheel, and even among those that do, not every user will use it. However, there's still enough vulnerable PCs that this theoretical virus could be highly successful.

Re:I find this hard to believe (1)

ThunderBird89 (1293256) | more than 2 years ago | (#39775001)

True enough, I guess.
Although when I said 'tap', I really meant tapping the phone against the desk, usually cushioned by my finger, so the screen rotates, not slam it down.

I still have doubts about the sensitivity of the motion sensor. Based on a few quick scans from the Tricorder app, I couldn't pick out any spikes in the thermal noise from the sensor, apart from my hand shaking (which was apparently chaotic, so taps could not be inferred from the infrequent peaks).

Re:I find this hard to believe (1)

SJHillman (1966756) | more than 2 years ago | (#39775271)

My phone (LG Optimus Slider, 6 months old) is probably too insensitive for it to register as well, but some of the higher end Android phones I've played with have shown an amazing level of sensitivity and accuracy. Within a year or two, that will likely trickle down to the lower end models so that all new smartphones are sensitive enough for this to work.

Re:I find this hard to believe (1)

ThunderBird89 (1293256) | more than 2 years ago | (#39775573)

My Nexus S is usually pretty sensitive, reliably detecting acceleration as low as 0,1-0,01 m/s^2 (which seems to be still too little for this 'taplogging' to work). For some reason, it's only the screen rotation that seems to suffer from lag.

Re:I find this hard to believe (1)

X0563511 (793323) | more than 2 years ago | (#39776237)

The accelerometer can detect sudden accelerations much better than a steady one, such as gravity. Those sudden accelerations are exactly what you would get while "typing"

Re:I find this hard to believe (1)

jeremyjo (1857008) | more than 2 years ago | (#39774921)

I find it hard to believe that the motion sensor can be sensitive enough to detect such minuscule changes, when I sometimes need to tap the phone against the desk to have it acknowledge rotation.

The motion sensor is sending data, it's just that the application you're using doesn't have the processing power to do anything about it right then. Luckily malware tends to be coded much more efficiently than desirable apps.

Re:I find this hard to believe (2)

x1r8a3k (1170111) | more than 2 years ago | (#39774979)

I just checked on my phone with the raw data from the sensors. If I put it flat on a table, they stay still, but just holding it it can detect the small changes of me just not being able to hold it perfectly still. It will even register if I leave one side on a table and raise the other side by about 1mm. I think the rotation thing is more smoothed out in software to prevent it changing too often.

Re:I find this hard to believe (1)

PickyH3D (680158) | more than 2 years ago | (#39775023)

In the first case, that's if you do not have a very good motion sensor. In the second case, that's if you know that you need to try and avoid such an attack.

Re:I find this hard to believe (1)

cream wobbly (1102689) | more than 2 years ago | (#39776767)

You probably also find it hard to believe that recording a phone call when someone types their password can reveal the password by dint of each key making a unique sound. "Training" is essential in this case too, either by having the user type some known piece of text, or by analysing a great amount of audio-recorded typing.

You probably also find it hard to believe that we can detect planets around stars which themselves are barely visible; or subatomic particles.

Isn't science cool, kids?

Re:I find this hard to believe (1)

PuZZleDucK (2478702) | more than 2 years ago | (#39778863)

... also find it hard to believe that we can detect planets around stars which themselves are barely visible; or subatomic particles...

Couldn't have said it better myself.

Also if you find the above hard to believe then you're never going to believe this: http://gcn.com/articles/2011/10/18/smart-phone-sensors-steal-keystrokes.aspx [gcn.com] .

Re:I find this hard to believe (1)

salmonmoose (1147735) | more than 2 years ago | (#39778667)

I recall being able to buy monitor stands that converted your monitor into a touch-screen by using a similar technique - It doesn't shock me that the same can be done with phones.

We are... (1)

jfdavis668 (1414919) | more than 2 years ago | (#39774743)

Penn State!

Re:We are... (1)

Entropius (188861) | more than 2 years ago | (#39774999)

They are also an excellent research university, drunken antics and football-coach-kiddie-fiddling notwithstanding.

Easy enough to fix (3, Insightful)

Baloroth (2370816) | more than 2 years ago | (#39774747)

Just don't allow programs in the background to have access to the motion sensors. Is there any actual reason a background program would need such information anyways? It sounds like they just allowed it because developers didn't realize it could give away sensitive details. Now they know, it can be restricted pretty easily, I should think.

And if you do have a program that actually needs the motion sensor information while not in the foreground, just have it ask for special permission.

Re:Easy enough to fix (2)

Scared Rabbit (1526125) | more than 2 years ago | (#39774835)

Well that would certainly break the pedometer apps out there.

Re:Easy enough to fix (2)

X0563511 (793323) | more than 2 years ago | (#39776349)

So? Pedometers are cheap. If you are not stationary, just use the GPS to determine distance/speed. If you are stationary, chances are the platform knows how "far" you have gone and how "fast" you are going.

If you're jogging in place... well, deal with it :P

Re:Easy enough to fix (1)

Scared Rabbit (1526125) | more than 2 years ago | (#39777669)

I'm not sure how well the GPS is going to work inside the buildings I spend most of my day inside of. Having a pedometer on my phone seems to work much better than any pedometer that I've ever used in the past as it doesn't accidentally get reset, and I don't have to worry about clipping it somewhere just to have it count my steps.

Re:Easy enough to fix (1)

PuZZleDucK (2478702) | more than 2 years ago | (#39778879)

... chances are the platform knows how "far" you have gone and how "fast" you are going...

Without the gyro/motion data I fail to see how it could work out these things.

Re:Easy enough to fix (1)

X0563511 (793323) | more than 2 years ago | (#39779241)

Then you didn't think very hard. If you are stationary then you are either jogging in place (nothing I can say about that, except perhaps start counting?) then you are on a machine with moving parts. The machines have sensors and "see" the metrics required to calculate it.

Re:Easy enough to fix (2)

CastrTroy (595695) | more than 2 years ago | (#39774945)

Yes, but that would require that people actually be able to change permissions on what individual programs can access. I recently got an Android phone and find it quite laughable what kind of permissions some apps are asking for. Why does a tic-tac-toe game need access to my contact list, the internet (ok ads are one explanation), and my phone information (call information, when I make a call, who the call is to, my phone number etc)? I should be able to lock down my phone by default. There should be no reason I shouldn't explicitly be able to deny programs information to sensors and internal phone data and just send them empty data if they ask for it, so they don't crash. I liked this about my old Nokia phone a lot. It would frequently ask and reask when programs could access the network. It was a little bit of an annoyance, but at least I know I had control over what apps were doing. There's firewalls for the network that can be applied at the application level, but for me that isn't good enough. I immediately thought of a way around it in which one has access to your contact and phone history, and wrote the information out to the SD card, while another app which actually needed access to the network but didn't have access to the contact info (and therefore you were more likely to grant it net access) would read the same data off the SD card and send it over the internet. I can only think of a very limited set of applications that have access to contact lists and phone history. And really I would expect those apps to be built into the phone, not something you download from some random software maker.

Re:Easy enough to fix (1)

chowdahhead (1618447) | more than 2 years ago | (#39775673)

If you're rooted, there are apps on the market that allow you to manage permissions. Cyanogenmod includes this capability in the ROM itself. It would be a nice feature for stock Android to have, but I doubt that will happen.

Re:Easy enough to fix (1)

Entropius (188861) | more than 2 years ago | (#39775031)

Seems like you could sanitize motion sensor information being passed to untrusted apps by reducing the resolution of the data to what's needed to determine which way is up to fix this. An app that wants high-resolution motion sensor info can ask for it.

Re:Easy enough to fix (1)

Morlenden (108782) | more than 2 years ago | (#39778113)

The camera will also have to be disabled because tap-induced camera motion could be read that way.
It may also be possible to get tap position information from the microphone.

Re:Easy enough to fix (0)

Anonymous Coward | more than 2 years ago | (#39778717)

I use Setting Profiles, where it detects whether the phone is face up or face down. My default ring setting and notifications are to vibrate. When the phone is face up (typically not in my pocket), then it goes audible. When it is face down, it turns on extremely loud.

Simple fix (4, Insightful)

PPH (736903) | more than 2 years ago | (#39775539)

Just have the password entry widget lock the accelerometer (or whatever) resource while in focus.

Re:Simple fix (2)

robmv (855035) | more than 2 years ago | (#39777133)

That solves the PIN entry widget, malware could hypothetically capture passwords from password fields, so those fields need to be protected too. The problem remains with apps that don't use native toolkits, so to add an API that locks hardware devices that could be used to capture sensitive information is enough in an ideal world. In the real world many app developers will simply ignore to use it.

Re:Simple fix (1)

PPH (736903) | more than 2 years ago | (#39777755)

Expand the concept to include some set of resources that need to be locked when an entry field's 'secure' parameter is set to true. As new hacks are discovered, add them to that resource set.

Flog developers that don't adhere to programming/toolkit standards. Since this fraction approaches unity, this should satisfy the sadist in every PHB.
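The sensor-access policies argued over in this thread, modelled as an added example (not code from the paper, from Android, or from any commenter): a toy sensor broker that compares open delivery, foreground-only delivery, and locking the sensor while a secure entry field has focus. `SensorBroker`, the policy names, the app names and the sample traces are hypothetical and constructed for illustration.

```python
from contextlib import contextmanager
from enum import Enum


class Policy(Enum):
    OPEN = "open"                                   # every registered app gets every sample
    FOREGROUND_ONLY = "foreground_only"             # only the app on screen gets samples
    LOCK_ON_SECURE_FOCUS = "lock_on_secure_focus"   # nobody gets samples during password entry


class SensorBroker:
    """Toy model of an OS sensor service (hypothetical, not a real platform API)."""

    def __init__(self, policy):
        self.policy = policy
        self.listeners = {}        # app name -> callback(sample)
        self.foreground = None     # name of the app currently on screen
        self.secure_focus = False  # True while a password/PIN field has focus

    def register(self, app, callback):
        self.listeners[app] = callback

    @contextmanager
    def secure_field_focused(self):
        """Entered by the password widget when it gains focus, left when it loses it."""
        self.secure_focus = True
        try:
            yield
        finally:
            self.secure_focus = False

    def _allowed(self, app):
        if self.policy is Policy.OPEN:
            return True
        if self.policy is Policy.FOREGROUND_ONLY:
            return app == self.foreground
        return not self.secure_focus

    def publish(self, sample):
        for app, callback in self.listeners.items():
            if self._allowed(app):
                callback(sample)


# Constructed accelerometer traces (x, y, z in m/s^2), not measured data.
WALK = [(0.3, 0.1, 9.8), (1.9, 0.4, 11.2), (0.2, 0.0, 9.7),
        (2.1, 0.5, 11.4), (0.3, 0.1, 9.8), (1.8, 0.3, 11.1)]
PIN_ENTRY = [(0.0, 0.0, 9.8), (0.4, -0.6, 10.3), (0.0, 0.0, 9.8), (-0.5, -0.4, 10.2),
             (0.0, 0.0, 9.8), (0.3, 0.5, 10.4), (0.0, 0.0, 9.8), (-0.4, 0.6, 10.3)]


def simulate(policy):
    """Walk, enter a PIN, walk again; report what two background apps received."""
    broker = SensorBroker(policy)
    pedometer, logger = [], []
    broker.register("pedometer", pedometer.append)     # legitimate background user
    broker.register("background_game", logger.append)  # stands in for the tap logger

    broker.foreground = "maps"
    for sample in WALK:
        broker.publish(sample)
    ped_before, log_before = len(pedometer), len(logger)

    broker.foreground = "lockscreen"
    with broker.secure_field_focused():
        for sample in PIN_ENTRY:
            broker.publish(sample)
    ped_pin = len(pedometer) - ped_before
    log_pin = len(logger) - log_before

    broker.foreground = "maps"
    for sample in WALK:
        broker.publish(sample)

    return {
        "pedometer_walk": len(pedometer) - ped_pin,  # samples received while walking
        "pedometer_during_pin": ped_pin,             # samples lost or kept during PIN entry
        "logger_during_pin": log_pin,                # tap-bearing samples that leaked
    }


if __name__ == "__main__":
    for policy in Policy:
        print(policy.value, simulate(policy))
```

Foreground-only delivery stops the leak but starves the pedometer entirely; locking only while the secure field has focus stops the leak and costs the pedometer just the samples from the PIN-entry window.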

Fixing This Will Damage Science (4, Funny)

ScentCone (795499) | more than 2 years ago | (#39775741)

We use the internal motion sensors on Android phones to provide all of the inertial navigation input we need to control the external thrusters on the capsules of the high altitude balloons we send up for biometric testing of the subjects inside. The subjects, usually kids about five years old, play Angry Birds and type out phrases of Shakespeare until they black out. If they disable background motion sensor use, it's possible we're going to lose more like 8 out of 10 kids we send up, instead of the usual 5 or 6. I can see already that we might have to go back to using spider monkeys, or those expensive parrots. Which means re-working the whole app, again. Man, science is hard.

Put down your phone? (1)

lajoyce (1074817) | more than 2 years ago | (#39775767)

Placing your phone on a table/counter/desk can save your data!

if u install any malware it's already too late (0)

Anonymous Coward | more than 2 years ago | (#39776683)

Once you install malware it's too late, it can just act as a key logger, it doesn't need to read the sensor to find out your password.

weird... (1)

Tastecicles (1153671) | more than 2 years ago | (#39777123)

...I've just watched an episode of NCIS where someone placed a bug in a computer keyboard that used subsonic acoustics to determine which key had been pressed... Hollywood science?

Re:weird... (1)

garyebickford (222422) | more than 2 years ago | (#39777529)

It sounds plausible, maybe. I suppose it would depend on the type of keyboard, and might need to be trained for each keyboard. (Would all those bagel crumbs that fell in between the keys alter the acoustics?) It might be easier from outside the keyboard. Stranger things have been done - bouncing a laser off a window to pick up the sounds in a room (the vibration of the window modulates the laser beam); I think that sounds picked up through a wall have been used to place people inside the room, behind the wall.

I guess this is one for Mythbusters.

Re:weird... (0)

Anonymous Coward | more than 2 years ago | (#39778349)

http://it.slashdot.org/story/05/09/13/1644259/keyboard-sound-aids-password-cracking

Infrormation? (0)

Anonymous Coward | more than 2 years ago | (#39779875)

Infrormation?
