Vulnerabilities and Countermeasures of Dynamic Virtual Keyboard in Android Banking Apps

  • Taenam Cho (Department of IT and Electronic Convergence Engineering, Woosuk University) ;
  • SookHee Choi (Department of Psychology, Woosuk University)
  • Received : 2018.11.07
  • Accepted : 2018.12.03
  • Published : 2019.01.31

Abstract

Smartphones have become portable computers, and as a result even the most sensitive financial services are now available anywhere through smartphone applications. Compared with ordinary PCs, a smartphone communicates with external devices over many channels, including wireless internet, the mobile communication network, Bluetooth, and NFC, and runs a very wide variety of applications. Any vulnerability therefore has a greater chance of being exploited and causing damage. In this paper, we analyze the vulnerabilities of the dynamic virtual keyboards used for login in smartphone banking apps, which operate under various physical constraints, and propose countermeasures.

Figures and Tables

Fig. 1. Dynamic Virtual Keyboard of Jeonbuk and Woori Bank

Fig. 2. Dynamic Virtual Keyboard of Kookmin Bank

Fig. 3. Dynamic Virtual Keyboard of Citi and Kookmin Banking App

Fig. 4. Possibility Difference for Each Key Pair

Fig. 5. Dynamic Virtual Keyboards without/with a Mole Key

Table 1. Characteristics of Banking Apps

Table 2. Positions of Blanks (s(b)=1)

Table 3. Possibility for Each Position of L0 and L1

Table 4. Possibilities of Candidate Keys for L0 and L1 (s(b)=1) [7]

Table 5. Possibilities of Candidate Keys for L2 (s(b)=1) [7]

Table 6. Possibilities of Candidate Keys for L3 (s(b)=1)

Table 7. Possibilities of Candidate Keys for L0 and L1 (s(b)=1/2)

Table 8. Possibilities of Candidate Keys for L2 (s(b)=1/2)

Table 9. Possibilities of Candidate Keys for L3 (s(b)=1/2)

Table 10. Possibilities to Identify Input Keys

Table 11. Possibilities of Candidate Keys for L0 and L1 with Restricted Blank Positions

Table 12. Possibilities of Candidate Keys for L2 with Restricted Blank Positions

Table 13. Possibilities of Candidate Keys for L3 with Restricted Blank Positions

Table 14. Countermeasures Against Vulnerabilities

References

  1. KISDI, "Key Findings of the Korea Media Panel in 2017," KISDI STAT Report 17-23, p. 2, 2017.
  2. Hyunsuk Choi, "'1 person - 1 smartphone era' opens ... Over 50 million subscribers" [Internet], http://www.yonhapnews.co.kr/bulletin/2018/08/24/0200000000AKR20180824160700017.HTML, 2018.
  3. Chulmin Yang, "Apple smartphone market share highest in 21 months ... 'Gapjil' will deepen" [Internet], http://www.sedaily.com/NewsView/1OOQ4ZOUXA/, 2017.
  4. Yoonjung Jang, "Respond to key logging attacks with mouse" [Internet], http://www.boan.com/news/articleView.html?idxno=1858, 2010.
  5. Bobur Shakirov et al., "Analysis on Vulnerability of Password Entry Using Virtual Onscreen Keyboard," Journal of The Korea Institute of Information Security & Cryptology, Vol. 26, No. 4, pp. 857-869, 2016. https://doi.org/10.13089/JKIISC.2016.26.4.857
  6. Junghan Kim et al., "Design and Implementation of Multi Virtual Keyboards for the Large Multi Touch Display," KSCI Summer Conference, Vol. 21, No. 2, pp. 73-74, 2013.
  7. Min-Je Bang, SookHee Choi, and Taenam Cho, "Analysis on Vulnerabilities of Dynamic Virtual Keyboard for Smartphone," KIPS Fall Conference, Vol. 25, No. 2, pp. 238-239, 2018.
  8. Milefoot.com, "Pearson's Goodness-of-Fit Test" [Internet], http://www.milefoot.com/math/stat/ht-pearsonchisquare.htm.