Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Touchlogging Part 3 - Final Thoughts

This is the third and final part on the subject of Touchlogging. I do recommend reading part one and part two before reading this final part.

The previous parts described the technical details of the touchlogging attacks. In this part, I will focus a little more on the softer parts.

First, I wanted to discuss the issue of screenshots. Grabbing screenshots is quite easy and overlaying the coordinates on the screenshot shows exactly what the user is inputing and where. However, since screenshots are quite large in comparison with X and Y coordinates, how far can you get without screenshots?

When I started this work, I thought screenshots were necessary. However, the longer the project went on, the more I realized that the screenshots were not necessary. There is a lot of logic that can be applied to figure out what a user is doing, but the easiest way of understanding this is by imagining what it looks like from the other side--when you use your touchphone. Imagine your touchphone is transparent, and someone is watching your fingers move on the screen as you use the phone. What would it look like when you are playing your favorite game? How about when you are writing an email, checking your bank account or browsing the web? If you try to picture yourself doing these things, you can see the patterns emerging and patterns can be detected. Therefore, as it turns out, the screenshots are not the most important part (although they do help of course).

I wanted to continue on the subject of risk. As an application developer, is touchlogging something to worry about? Well, the short answer is--not for most people. There are some that need to implement protection against this attack though. Any app that takes valuable input through the touchscreen should consider this attack and implement relevant safeguards.

Protecting against the attack is possible, but not trivial. There are challenges both on iOS and Android, and good defences will require both time, effort and knowledge. You may be tempted, especially on iOS, to block execution on jailbroken devices. This, however, is very unlikely to stop any determined attacker. And as FireEye showed, the attack does not always require a jailbroken device. Any application with high security requirements should use a defence in-depth strategy, so relying on root/jailbreak detection alone is not a good option.

I mentioned a few strategies to protect against this attack in the previous parts, but on Android, it is challenging and the only way I know that works is monitoring the running environment and automatically making decisions based on the collected information. Applying this type of defensive strategy on Android will not only protect against touchlogging attacks, but also a wide variety of other attacks and should be part of the defence in-depth strategy.

In a BYOD setting, it is more difficult to protect against. I think that while the risk of this attack being used is very low, it is possible that it is used as part of targetted attacks against specific individuals or companies. Following the recommendations from my previous articles on the topic can help reduce the risk.

In closing, I want to say that I worked on this project for over nine months. It was not very focused. It has been one of those background projects that I kept going back to when I had time. Several people have been part of the project, but the original idea was developed by Mike,Nathan and I.Robert Bengtsson is the one who came up with the idea of capturing touch coordinates through live wallpapers.

Please use the comment box if you have any questions or comments!