IDG News Service
(04/20/12) Lucian Constantin
Researchers at Pennsylvania State University and IBM have developed TapLogger, a proof-of-concept Android Trojan app that can steal passwords and other sensitive information by using the smartphone's motion sensors to determine which keys users tap on their touchscreens. They built TapLogger to demonstrate how applications can abuse data from a smartphone's accelerometer and orientation sensors to compromise privacy. The researchers note that accelerometer and orientation sensor data are not protected under Android's security model, which exposes that data to any application regardless of its permissions on the system. TapLogger functions as an icon-matching game but has several background components that capture data from the motion sensors and use it to infer touchscreen-based user input. After the data is collected, the application builds tap event patterns and uses them to infer user input during targeted operations. "While the applications relying on mobile sensing are booming, the security and privacy issues related to such applications are not well understood yet," the researchers say.