clock menu more-arrow no yes

Filed under:

TapLogger Android app can read your password based on motion sensor data

New, 8 comments

A team at the University of Pennsylvania has developed an app that can tell where you tapped on your phone's screen based on the device's motion sensors.

Android password
Android password

Mobile phones present a number of potential security risks, and researchers at Pennsylvania State University may have just discovered a new one — information retrieved from your phone's motion sensors. The team created an experimental app called TapLogger, which is based on the premise that when you tap on your touch screen, you're not just interacting with the screen, but moving the entire device. So if you hit a button in the upper right corner, your phone will actually move in that direction slightly, and that subtle movement is then read by the accelerometer and other sensors built-in to your device.

"Probably due to the assumption that data collected by motion sensors is not sensitive, so far third party applications are allowed to access the readings of embedded accelerometer and orientation sensors without any security permission requirements," the research paper reads. TapLogger was developed for Android, but the team says that it's possible for apps to access this data on both iOS and Android as well. The application itself is a simple matching game — but what it's actually doing is learning about your tapping behavior while you play. After 30 rounds with the game TapLogger has access to more than 400 "tap events."

Once it has this information, it's possible for the app to guess what numbers you're pressing when, say, you're inputting your credit card number during a call with the bank or typing in your password to unlock your phone. While these guesses won't always be precise, if the person reading the information has access to both the layout of the on-screen buttons and your tap history, they could potentially figure out just what it was you typed.

It may be a bit of a convoluted way to steal your bank PIN, but if nothing else TapLogger shines some light on a potential issue many of us probably never even thought about. And the best way to solve the problem, according to the research team, is to introduce "sensing management systems" on current smartphones that prevent people from accessing the motion sensing data. Otherwise, you might have to start watching how hard you tap.