Abstract

The security of financial apps on smartphones is threatened by a class of advanced and persistent malware that can bypass all existing security measures. Strong cryptography and trusted on-chip hardware modules are powerless against sophisticated attacks that supplant device owners through device input record/replay functionality, effectively hijacking their credentials, privileges, and actions. In this paper, we introduce Proof-of-Presence and Locality (PoPL), a new security measure that tackles this threat by leveraging sensors to prove the physical presence of device owners and therefore discriminate between malware-initiated transaction requests and legitimate ones. Moreover, PoPL neither imposes the expense of additional hardware nor compromises app usability. In order to demonstrate PoPL’s practicality, we developed PoPLar, a challenge puzzle implementation of the PoPL concept that ensures usability even on limited screen sizes by the use of a dendrogram. We have made it available as an open-source library ready to be integrated with minimal effort with existing apps. We demonstrate PoPLar’s effectiveness and ease of integration through case studies involving apps from the three top cryptocurrency exchanges and an open-source crypto wallet.

Highlights

  • Smartphones are becoming an increasingly convenient way to process and exchange sensitive information with online services, and security-sensitive financial transactions are no exception

  • We propose Proof-of-Presence and Locality (PoPL), a new security mechanism to defend against device input record/replay threats targeting financial apps

  • We made PoPLar publicly available as an Android library, and we demonstrate its ease of integration using the case study of a popular open-source crypto wallet


Summary

INTRODUCTION

Smartphones are becoming an increasingly convenient way to process and exchange sensitive information with online services, and security-sensitive financial transactions are no exception. Mobile device vendors are well aware of this and try to offer secured mobile platforms built on trusted hardware components and strong cryptography [1]. These measures are not stopping cyberattacks from threatening the security of smartphone-based financial transactions, with cryptocurrency exchange apps being a notable case in point [2]. We propose Proof-of-Presence and Locality (PoPL), a new security mechanism to defend against device input record/replay threats targeting financial apps. Our proposal works by proving the physical presence and locality of a smartphone’s user to the remote exchange service provider through the solution of a challenge that cannot be recorded/replayed or automated (see Figure 1), nor solved by a remote attacker.

BACKGROUND
Authenticator
USABLE SECURITY AND SMARTPHONE SENSORS
PROGRAMMATIC DEVICE INPUT INTERACTION
EVALUATION
RESULTS
CONCLUSIONS AND FUTURE WORKS