- Problem addressed by the paper
A system that helps users protect the input and display of sensitive data in public places.
- Solution proposed in the paper. Why is it better than previous work?
Previous work does not allow arbitrary data to be marked as sensitive. Cashtags is currently the only system that can protect general data from shoulder surfing.
- The major results.
Cashtags behaves correctly for all test cases. For each test case, Cashtags successfully identified input containing sensitive data, prevented the sensitive term from being displayed on the screen, and correctly determined when to convert back to the sensitive data.
B. Basic idea and approach. How does the solution work?
Cashtags identifies and intercepts users’ input of sensitive data and displays the data as something else on the screen, protecting it from shoulder-surfing observation. Cashtags covers the Android TextView and EditText display data paths, which account for 86% of usage hours on mobile devices. The authors then tested it on 18 apps across 6 categories.
- The idea of Cashtags is quite novel, and it is practical for general users (user friendly).
- The Cashtags repository is encrypted using AES. This is a must, as it contains users’ sensitive data.
- The protection of the Cashtags repository should be tested against abuse by an attacker; it could then provide more protection than standard encryption. It should also be protected from side-channel attacks by other apps. An attacker might also deploy a similar version of Cashtags that does protect users’ sensitive data from being displayed on the screen, but that also sends the data to the developer.
- It only covers the standard text-rendering methods. Developers who use a custom text-rendering method can still reveal private information on the screen.
- Cashtags cannot currently handle numbers that are split across several input fields. This should not be too hard to implement and add to the repository.
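A minimal model of the substitution described in section B and of the split-field limitation noted in the list above, added here as an illustration; it is not code from the paper or from Cashtags. The `$alias` syntax, the sample repository values and `mask_split_fields` (one possible way to handle split fields) are assumptions.

```python
import re

# Constructed sample repository: alias -> sensitive value. The "$name" alias
# syntax and every value below are assumptions made for this example.
REPO = {"$card": "4111111111111111", "$name": "Alice Example"}
ALIAS_RE = re.compile(r"\$\w+")


def resolve_input(typed, repo=REPO):
    """Input path: the user types an alias, the app receives the real value."""
    # Tokens that look like aliases but are not in the repository stay as typed.
    return ALIAS_RE.sub(lambda m: repo.get(m.group(0), m.group(0)), typed)


def mask_display(text, repo=REPO):
    """Display path: a sensitive value about to be drawn becomes its alias."""
    # Longest values first, so a value containing a shorter one is masked whole.
    for alias, value in sorted(repo.items(), key=lambda kv: -len(kv[1])):
        text = text.replace(value, alias)
    return text


def mask_fields(fields, repo=REPO):
    """Per-field masking, the way a hook on each text widget would apply it."""
    return [mask_display(f, repo) for f in fields]


def mask_split_fields(fields, repo=REPO):
    """Hypothetical extension: also catch a value split over adjacent fields.

    Every run of two or more adjacent fields is joined; if the join equals a
    sensitive value, the first field shows the alias and the rest are blanked.
    """
    out = mask_fields(fields, repo)
    by_value = {value: alias for alias, value in repo.items()}
    for start in range(len(fields)):
        for end in range(start + 2, len(fields) + 1):
            joined = "".join(fields[start:end])
            if joined in by_value:
                out[start:end] = [by_value[joined]] + [""] * (end - start - 1)
    return out
```

With the card number typed as four 4-digit fields, `mask_fields` returns the fields unchanged, which is the gap the review points out, while `mask_split_fields` replaces the group with the alias.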
E. Future work, Open issues, possible improvements
- Cashtags should be further developed to increase its coverage. More importantly, it should also be further developed to protect itself from being abused by an attacker.