Decoy Applications for Continuous Authentication on Mobile Devices
Date: July 2014
Publication: Symposium on Usable Privacy and Security (SOUPS) 2014
Source 1: http://cups.cs.cmu.edu/soups/2014/workshops/papers/decoy_salem_9.pdf
Abstract or Summary:
Mobile devices and applications carry a great deal of sensitive and personally identifiable information, which makes them very lucrative targets for attackers. Authentication on these devices is vulnerable to smudge attacks. Furthermore, their small size, light weight, and ubiquity make them easily stolen. According to the Cloud Security Alliance, data loss from lost, stolen, or decommissioned mobile devices is the single largest threat to mobile computing. The nature of user interaction with mobile devices calls for novel authentication approaches that are robust and secure, usable, and inexpensive.
We propose the use of decoy apps on mobile devices to continuously authenticate users once the user is logged in – i.e. throughout the user session – and to detect suspicious activity by a masquerader, or unauthorized user posing as the owner and legitimate user of the mobile device. Decoy apps are authentic-looking apps that hold fake but enticing information to the potential masquerader. Once installed on the mobile device, their only function is to act as bait to the masquerader. They are not to be used by the device owner, and therefore any access to decoy apps is highly indicative of potential masquerade activity. Access to any decoy app could be a trigger for de-authenticating the user. Furthermore, we posit that even if a masquerader were aware decoy apps are loaded on the device, they would lack the user’s knowledge of which apps are real or decoys.
In this paper, we present an approach for deploying decoy apps to (de-)authenticate mobile device users.