Decoy Applications for Continuous Authentication on Mobile Devices

Mobile devices and applications carry a great deal of sensitive and personally identifiable information, which makes them very lucrative targets for attackers. Authentication on these devices is vulnerable to smudge attacks [1]. Furthermore, their small size, light weight, and ubiquity makes them easily stolen. According to the Cloud Security Alliance, data loss from lost, stolen, or decommissioned mobile devices is the single largest threat to mobile computing [5]. The nature of user interaction with mobile devices calls for novel authentication approaches that are robust and secure, usable, and inexpensive. In a mobile context, security solutions must be flexible as well as resource e cient to ensure compatibility with a broad platform base. We propose the use of decoy apps on mobile devices to continuously authenticate users once the user is logged in– i.e. throughout the user session– and to detect suspicious activity by a masquerader, or unauthorized user posing as the owner and legitimate user of the mobile device. Decoy apps are authentic-looking apps that hold fake but enticing information to the potential masquerader. They may be installed manually by the device owner or automatically through some app distribution and installation service. Once installed on the mobile device, their only function is to act as bait to the masquerader. They are not to be used by the device owner, and therefore any access to decoy apps is highly indicative of potential masquerade activity. We conjecture that decoy apps can be used to continuously authenticate users once logged-in to the mobile device throughout an entire user session. Access to any decoy app could be a trigger for de-authenticating the user. Furthermore, we posit that even if a masquerader were aware decoy apps are loaded on the device, they would lack the user’s knowledge of which apps are real or decoys. Figure 1 displays a notional view of the conundrum faced by the attacker. In this paper, we present an approach for deploying decoy apps to (de-)authenticate mobile device users. The remainder of this paper is organized as follows. First we will briefly describe how mobile decoy apps can be created, dis-