Evaluation of Personalized Security Indicators as anAnti-Phishing Mechanism for Smartphone Applications

Claudio Marforio1, Ramya Jayaram Masti1, Claudio Soriente2, Kari Kostiainen1, Srdjan Capkun1

1Institute of Information Security, ETH ZurichZürich, Switzerland

[claudio.marforio,ramya.masti,kari.kostiainen,srdjan.capkun]@inf.ethz.ch

2Telefónica ResearchBarcelona, Spain

claudio.soriente@telefonica.com

ABSTRACTMobile application phishing happens when a maliciousmobile application masquerades as a legitimate one tosteal user credentials. Personalized security indicatorsmay help users to detect phishing attacks, but rely onthe user’s alertness. Previous studies in the context ofwebsite phishing have shown that users tend to ignorepersonalized security indicators and fall victim to at-tacks despite their deployment. Consequently, the re-search community has deemed personalized security in-dicators an ineffective phishing detection mechanism.

We revisit the question of personalized security indica-tor effectiveness and evaluate them in the previously un-explored and increasingly important context of mobileapplications. We conducted a user study with 221 par-ticipants and found that the deployment of personalizedsecurity indicators decreased the phishing attack successrate to 50%. Personalized security indicators can, there-fore, help phishing detection in mobile applications andtheir reputation as an anti-phishing mechanism in themobile context should be reconsidered.

Author KeywordsMobile Security; Phishing; Security Indicators.

ACM Classification KeywordsK.6.5. Security and Protection: Authentication

INTRODUCTIONApplication phishing attacks in mobile platforms oc-cur when malicious applications mimic the user inter-face (UI) of legitimate applications to steal user creden-tials. Phishing applications have been reported in thewild [14,34,42] with successful phishing attacks targetingthousands of users and procuring high revenues for theattackers [16]. Mobile phishing applications do not ex-ploit system vulnerabilities [15]. They instead use stan-dard system features and APIs, and leverage the user’sPermission to make digital or hard copies of all or part of this workfor personal or classroom use is granted without fee provided thatcopies are not made or distributed for profit or commercial advan-tage and that copies bear this notice and the full citation on the firstpage. Copyrights for components of this work owned by others thanthe author(s) must be honored. Abstracting with credit is permitted.To copy otherwise, or republish, to post on servers or to redistributeto lists, requires prior specific permission and/or a fee. Request per-missions from Permissions@acm.org.CHI’16, May 07 - 12, 2016, San Jose, CA, USACopyright is held by the owner/author(s). Publication rights licensedto ACM. ACM 978-1-4503-3362-7/16/05...$15.00DOI: http://dx.doi.org/10.1145/2858036.2858085

incapacity to distinguish the legitimate application froma phishing one.

Online services use personalized security indicators to aidthe user in distinguishing the legitimate website from aphishing one [3, 37]. The personalized security indicator(or “indicator” from now on) is an image chosen by theuser when he enrolls for the online service. After enroll-ment, the website displays the indicator every time theuser logs in. The indicator allows the user to authenti-cate the website and the user should enter his credentialsonly if the website displays the correct indicator.

Mobile applications can also use indicators to mitigateapplication phishing attacks [4,40]. The user chooses theindicator when he installs the application and must checkthat the application shows the correct indicator at eachlogin. The indicator is stored by the application and themobile OS prevents access from other applications.

In this paper, we start by categorizing application phish-ing attacks in mobile platforms and possible counter-measures. We show that all known countermeasures in-cur a tradeoff in security, usability and deployability.The benefits of security indicators are that they cancounter many phishing attack vectors and implementa-tion techniques, and they can be easily deployed by ser-vice providers since they do not require changes to themobile platform or to the marketplace infrastructure.

Personalized indicators, however, rely on the user to de-tect phishing by checking the presence of the correct in-dicator. Previous work in the context of websites hasshown that users tend to ignore personalized indicatorswhen entering their login credentials [23,33]. We revisitthe question of personalized indicator effectiveness andevaluate them in the previously unexplored context ofsmartphone applications.

Our rationale for evaluating indicators in this setting isthat mobile user interfaces are considerably simpler thanthe ones of websites designed for PC platforms. As theuser’s focus is limited to a few visual elements, personal-ized indicators may be more salient in mobile applicationUIs [8, 31]. Also, the usage patterns of mobile applica-tions is different from those of websites, which may im-prove the detection of incorrect or missing UI elements.Additionally, the research community found browser se-curity warning implementations ineffective [10, 12, 36],

but a recent study on newer implementations showed theopposite [1]. We argue that it is important to re-evaluatethe effectiveness of security mechanisms when their im-plementations or deployment models have changed sig-nificantly.

Over one week, 221 study participants used a bankingapplication we developed on their own smartphones tocomplete various e-banking tasks. On the last day of thestudy, we launched a phishing attack. Approximately50% of the participants that used security indicators de-tected the attack and did not enter their credentials.

While further studies are still needed to gain more confi-dence in the effectiveness of personalized security indica-tors, this first study on smartphones shows that indica-tors can be more effective than previously believed whendeployed in the mobile applications context.

To summarize, we make the following contributions:

• We analyze mobile application phishing attacks andpossible countermeasures. We conclude that none ofthe countermeasures prevents all attacks and the prob-lem of phishing remains largely unsolved.

• We report the results from a first user study that eval-uates personalized indicators on smartphone applica-tions. In our study, the deployment of indicators pre-vented half of the phishing attacks.

• We outline directions for further research that isneeded to better assess the effectiveness of indicatorsas an anti-phishing mechanism under various deploy-ment models.

PHISHING ATTACKS AND COUNTERMEASURESIn this section we categorize application phishing attackson smartphones. All attacks are effective on Android andone of them also works for iOS. We discuss possible coun-termeasures and analyze them with respect to security,usability and deployment.

Phishing AttacksSimilarity attackThe phishing application has a name, icon, and UI thatare similar or identical to the legitimate application. Theadversary must induce the user to install the phishingapplication in place of the legitimate one. Successfulsimilarity attacks have been reported for Android [11,14,16,34] and iOS [25].

Forwarding attackAnother phishing technique is to exploit the applicationforwarding functionality of Android [15]. A maliciousapplication prompts the user to share an event (e.g., ahighscore in a game) on a social network and shows abutton to start the social network application. Whenthe user taps the button, the malicious application doesnot launch the social network application, but ratherdisplays a phishing screen. The phishing screen asks theuser to enter the credentials to access his account on

the social network. Application forwarding is a commonfeature of Android and forwarding attacks may thereforebe difficult for the user to detect.

Background attackThe phishing application waits in the backgroundand uses the Android ActivityManager, or a side-channel [24], to monitor other running applications.When the user starts the legitimate application, thephishing application activates itself in the foregroundand displays a phishing screen [4, 15].

Notification attackThe attacker shows a fake notification and asks the userto enter his credentials [40]. The notification window canbe customized by the adversary to mimic the appearanceof the legitimate application.

Floating attackThe attacker leverages the Android feature that allowsone application to draw an Activity on top of the appli-cation in the foreground. This feature is used by appli-cations to always keep a window in the foreground, forexample, to display floating sticky notes. A phishing ap-plication that has the SYSTEM_ALERT_WINDOW permissioncan draw a transparent input field on top of the passwordinput field of the legitimate application. The UI of thelegitimate application remains visible to the user whohas no means to detect the overlaid input field. Whenthe user taps on the password field to enter his password,the focus is transferred to the phishing application whichreceives the password entered by the user.

Phishing CountermeasuresNone of the attacks we discuss exploit OS vulnerabili-ties, but rather use standard Android features and APIs.Therefore, security mechanisms on the device (e.g., sand-boxing or permission-based access control) or securityscreening run by the marketplace operator cannot pre-vent such attacks.

Similar to website phishing, thwarting application phish-ing attacks requires tailored security mechanisms. Wedescribe possible countermeasures and categorize themin terms of security, usability and ease of deployment.

Signature-based detectionSignature-based malware detection techniques that lookfor patterns of system calls and permissions can be im-plemented by the marketplace operator (e.g., the GoogleBouncer system [17]). Recently, the authors of [4] devel-oped a static analysis tool to detect the use of APIs thatenable background attacks. The drawback of signature-based detection solutions is that many phishing attacks(e.g., forwarding and similarity attacks) do not requirespecific API calls and would not be detected. This ap-proach, therefore, applies only to a subset of possibleattacks.

Name similarityMarketplace operators can attempt to detect similarityattacks by searching for applications with similar names

Marketplace Phishing Detection On-device Phishing PreventionSignature-

baseddetection

Namesimilarity

Visualsimilarity

Limitedmulti-tasking

Applicationname

Visualsimilarity

Personalindicator

attackssimilarity attack – + – – – + –forwarding attack – – + – + + +background attack + – + + + + +notification attack + – – + + – +floating attack – – – + + – +

securityfalse positives/negatives – – – + + – +

reliance on user alertness + + + + – + –usabilityuser effort at installation + + + + + + –user effort at runtime + + + + – + –restrictions on device functionality + + + – –1 + +significant performance overhead + + + + + – +

deploymentchanges to application provider (e.g., bank) + + + + + + +

changes to marketplace – –2 –2 + + + +changes to mobile OS + + + – – – +changes to application + + + + + + –1restriction to full-screen applications with constant user interaction (Android Immersive mode)2to check for phishing applications installed via sideloading

Table 1: Comparison of mechanisms to prevent application phishing attacks in mobile platforms. For each solution, a‘+’ represents a positive aspect, while a ‘–’ a drawback.

or icons. Since many legitimate applications have sim-ilar names or icons (e.g., banking applications for thesame bank in different countries), this approach wouldproduce a significant number of false positives. Detect-ing phishing applications in the marketplace does notrely on the user’s alertness or change the user experi-ence. Checking for phishing applications installed fromthe web or from third-party marketplaces (sideloading)could leverage the Google App Verification service [18].

Visual similarityThe marketplace operator can attempt to mitigate back-ground or forwarding attacks by searching for applica-tions with similar UIs and, in particular, similar loginscreens. UI extraction and exploration are challengingproblems and none of the known techniques providesfull coverage [2]. Another option is to perform visualsimilarity comparisons directly on the device. In [26]the authors propose periodically taking screenshots andcomparing them to the login screens of installed applica-tions. While this solution does not incur the problem ofUI extraction, it incurs a significant runtime overhead.

In general, if detection is based on matching UIs, phish-ing applications that use a slightly modified version ofthe legitimate application UI may go unnoticed. Findingan effective tradeoff (a similarity threshold) is a challeng-ing task and is likely to include both false positives andnegatives [26].

Limited multi-taskingAnother approach to counter background or floating at-tacks is to limit multi-tasking on the device. The legit-imate application can trigger a restricted mode of oper-

ation where no third-party applications can activate tothe foreground. Multi-tasking can be re-enabled oncethe user explicitly terminates the application. Activa-tion to the foreground can always be allowed for systemservices, to receive phone calls or SMS messages. Thisapproach does not rely on the user’s alertness but it re-quires changes to the OS and hinders the user experience.For example, a user cannot receive social network noti-fications while he is interacting with an application thatdisables multi-tasking.

Application nameThe mobile OS can show a status bar with the name ofthe application in the foreground [4, 35]. Phishing de-tection with this approach is effective only if the user isalert and the phishing application has a name and iconthat are noticeably different from the ones of the legiti-mate application. This technique cannot address namesimilarity attacks. Furthermore, the status bar reducesthe screen real estate for applications that run in full-screen mode. An approach where the status bar appearsonly when the user interacts with the application is onlypractical for applications with low interaction, such asvideo players (Android Lean Back mode). For applica-tions that require constant interaction, such as games(Android Immersive mode), forcing a visible status barwould hinder the user experience.

Personalized indicatorWhen the application is installed, the user chooses animage from his photo gallery. When the application asksthe user for his credentials, it displays the image chosenby the user at installation time. An alert user can detecta phishing attack if the application asking for his creden-

(a) (b)

Figure 1: (a) SecBank application for the baseline group.The application did not use personalized indicators. (b)SecBank application for the three experimental groups.The application displayed the personalized indicator cho-sen by the user on the login screen (i.e., the Mona Lisa).

tials does not show the correct image. The mobile OSprevents other applications from reading the indicatorof a particular application (through application-specificstorage). This countermeasure can also mitigate float-ing attacks. In particular, the legitimate application cancheck if it is running in the foreground and remove theimage when it detects that the application has lost focus(e.g., overriding the onWindowFocusChanged()method).Personal indicators can be easily deployed as they donot require changes to the OS or to the marketplace.However, they demand extra user effort at install time(because the user must choose the indicator) and duringapplication usage (because the user must check that theapplication displays the correct indicator).

SummaryOur analysis is summarized in Table 1. All the coun-termeasures we discuss incur trade-offs in effectiveness,usability, and deployment. Personalized indicators canaddress the many attack vectors and are easy to deployas they do not require changes on the device or at themarketplace. However, personalized indicators rely onthe user to detect phishing attacks.

Since smartphone applications are an increasingly im-portant access method for many security-critical servicessuch as e-banking; the user interface of mobile appli-cations is significantly different from those of standardwebsites; and personalized indicators have not been eval-uated in the context of smartphone applications, we de-cided to assess their effectiveness as a detection mecha-nism for mobile application phishing attacks.

USER STUDYThe goal of our user study was to evaluate the effective-ness of personalized indicators as a phishing-detectionmechanism for mobile applications. We focused on a

mobile banking scenario and implemented an applica-tion that allowed users to carry out e-banking tasks fora fictional bank called SecBank. As no bank currentlyuses indicators when the user performs a login operation,an evaluation in the context of a real deployment wasnot possible. The application had two components: abenign component that included the logic to log in andto carry out the banking tasks, and a malicious com-ponent that was in charge of carrying out the phishingattack. We used only one application to minimize theburden on the participants enrolling in our user study.That is, participants were asked to install only one ap-plication, rather than the banking application and an-other innocent-looking application that would performthe phishing attack.

In order to avoid participants focusing on the securityaspects of the study, we advertised it as a user study toassess the usability of a mobile application. We askedparticipants to install the SecBank application on theirphones and provided them with login credentials (user-name and password) to access their accounts at SecBank.We assigned each participant to either a baseline groupthat used a SecBank application without personalized in-dicators (Figure 1a), or one of three experimental groupsthat used it with personalized indicators (Figure 1b).The experimental groups differed by the type of phish-ing attack. The user study lasted one week. During thefirst three days, we asked participants to carry out one e-banking task per day, in order to familiarize participantswith the application. On the seventh day, we asked par-ticipants to perform a fourth e-banking task and, at thistime, the malicious component of the application per-formed a phishing attack. We recorded whether partici-pants entered their credentials while under attack.

Ethical guidelinesWe informed the participants that the application wouldrecord their input and have access to the photo gallery ontheir phones. We further explained that the applicationwould send no personal information to our servers. Wecollected the participants’ email addresses to send theminstructions on how to complete the e-banking tasks.The email addresses were deleted once the study wasfinished. At the end of the study, we briefed partici-pants about the true purpose and the methodology ofthe study. We notified the ethical board of our institu-tion which reviewed and approved our protocol beforewe started the user study.

Procedure

Recruitment and group assignmentWe recruited participants through an email sent to allpeople with an account at our institute (students, fac-ulty and university staff). The study was advertised asa user study to “test the usability of a mobile bankingapplication” without details of the real purpose of ourdesign. We offered a compensation of $20 to all partici-pants who completed the pre-test questionnaire.

(a) (b) (c)

Figure 2: (a) Missing-Image attack: The application does not show the indicator chosen by the user. (b) Random-Image attack: The application shows a random image from the local photo gallery (e.g., the Tower Bridge of London).(c) Maintenance attack: The application shows a message explaining that the indicator cannot be displayed due totechnical reasons.

We received 465 emails from potential participants towhom we replied with a link to an online pre-test ques-tionnaire designed to collect email addresses and demo-graphic information. 301 participants filled in the pre-test questionnaire. We assigned them to the followingfour groups (one baseline group and three experimentalgroups) in a round-robin fashion:

• Baseline Group (A): The application used by thisgroup did not use personalized indicators. On the lastday of the user study, the malicious component of theapplication showed an exact clone of the SecBank lo-gin screen. The baseline group allows us to evaluatehow many users, in a specific task, enter their creden-tials when shown a login screen that is identical tothe legitimate one. We use the baseline login rate asa reference for comparing observed login rates in theexperimental groups.

• Missing-Image Group (B): The application usedby this group supported personalized indicators. Onthe last day of the user study, the malicious componentof the application performed a phishing attack andshowed the SecBank login screen without the indicator(Figure 2a).

• Random-Image Group (C): The application usedby this group supported personalized indicators. Onthe last day of the user study, the malicious compo-nent of the application performed a phishing attackand showed the SecBank login screen with a photorandomly chosen from the local photo gallery. Thephoto displayed was different from the one chosen bythe user as the personalized indicator (Figure 2b).

• Maintenance Group (D): The application used bythis group supported personalized indicators. On thelast day of the user study, the malicious component

of the application performed a phishing attack andshowed the SecBank login screen with an “under main-tenance” notification in place of the indicator chosenby the user (Figure 2c).

We sent an email to all participants who completed thepre-test questionnaire with a link to a webpage fromwhich they could install the SecBank application [27].Participants in the Baseline Group (A) were directed toa webpage where we only explained how to install theapplication. Participants in experimental groups B, C,and D were directed to a webpage that also explained theconcept of personalized indicators. The webpage advisedthat participants should not enter their login credentialsif the application was not showing the correct indica-tor. The instructions were similar to the ones used inbanking websites that deploy indicators [3,37]. For com-pletenes, we report the full text shown to participants inthe experimental groups.

”As a major banking institution, SecBank is committedto prevent fraudulent smartphone applications from steal-ing your password. The SecBank mobile application usesa novel login mechanism based on personal images. Thefirst time you login, you will be asked to pick a personalimage from the photos stored in your phone. From thatmoment, the SecBank application will display your per-sonal image every time it asks for your username andpassword. The presence of the correct personal imageguarantees that you are not using a fraudulent look-alikeapplication. You should enter your username and pass-word only when you see your personal image. (Your per-sonal image remains on your phone and is not sent toour servers.)”

Figure 3 shows the screenshots of the SecBank applica-tion that were seen by participants in the experimental

(a) Step 1 (b) Step 2 (c) Step 3

Figure 3: Steps required to setup the Application Indicator in the SecBank application.

groups. The overlays (black boxes with yellow text) dis-appeared as soon as users interacted with the applica-tion. These screens were shown only once during thesetup phase, at the beginning of our user study.

276 participants visited the webpages and installed theSecBank application on their devices. After installation,the SecBank application for groups B, C, and D showedexplanatory overlays to guide participants in choosing apersonalized indicator from their photo gallery.

TasksThe study lasted one week. Participants were asked toperform four e-banking tasks on days 1, 2, 3, and 7.We sent instructions via email and asked participantsto complete the task within 24 hours [27]. The taskswere the following: Task 1 (Day 1): “Transfer $200 toAnna Smith”; Task 2 (Day 2): “Download the bankstatement from the Account Overview tab”; Task 3 (Day3): “Activate the credit card from the Cards tab”; Task4 (Day 7): “Transfer $100 to George White.”

The goal of tasks 1–3 was to help participants to be-come familiar with the SecBank application. We sentthe instructions to perform the last task four days after(including a weekend) the completion of task 3. Duringthis last task, the malicious component of the applicationperformed a phishing attack on all participants. Par-ticipants in the Baseline Group (A) saw a login screenthat matched that of their SecBank application. Par-ticipants in the Missing-Image Group (B) saw a loginscreen similar to the one of SecBank, but without anypersonalized indicator (Figure 2a). Participants in theRandom-Image Group (C) saw a login screen similar toSecBank, but with a random image from their photogallery (e.g., the Tower Bridge as shown in Figure 2b).Finally, participants in the Maintenance Group (D) saw

GenderMale 150 (68%)Female 71 (32%)AgeUp to 20 43 (20%)21 – 30 164 (74%)31 – 40 9 (4%)41 – 50 3 (1%)51 – 60 0 (0%)Over 60 2 (1%)Use smartphone to read emailsYes 214 (97%)No 7 (3%)Use smartphone for social networksYes 218 (99%)No 3 (1%)Use smartphone for e-bankingYes 97 (44%)No 124 (56%)

Table 2: Demographic information of the 221 partici-pants that completed all tasks.

a message explaining that for technical problems the in-dicator could not be displayed (Figure 2c). In order tounderstand if participants fell for the phishing attack,during the last task, we recorded which users enteredtheir credentials and which, instead, closed the applica-tion without entering their credentials.

ResultsOut of 276 participants that installed the application,221 completed all tasks. We provide their demographicsand other information collected during the pre-test ques-tionnaire in Table 2. The majority of the participantswere male (68%) and thirty years old or younger (94%).Most participants used their smartphone to read emails

Attack notsuccessful

Attacksuccessful

Baseline Group(A) 0 (0%) 56 (100%)

Missing-ImageGroup (B) 30 (55%) 25 (45%)

Random-ImageGroup (C) 23 (41%) 33 (59%)

MaintenanceGroup (D) 29 (54%) 25 (46%)

Experimentalgroups combined 82 (50%) 83 (50%)

Table 3: Success rate of the phishing attack.

Attack notsuccessful

Attacksuccessful

GenderMale 59 (52%) 54 (48%)Female 23 (44%) 28 (56%)AgeUp to 20 15 (43%) 20 (57%)21 – 30 57 (48%) 61 (52%)31 – 40 6 (86%) 1 (14%)41 – 50 2 (67%) 1 (33%)51 – 60 0 (0%) 0 (0%)Over 60 2 (100%) 0 (0%)Use smartphone for e-bankingYes 41 (54%) 35 (46%)No 41 (46%) 48 (54%)Smartphone display size (diagonal)up to 4in 28 (58%) 20 (42%)from 4in to 4.5in 44 (45%) 54 (55%)from 4.6in to 5in 10 (53%) 9 (47%)

Table 4: Success rate of the phishing attack in relation togender, age, familiarity with mobile banking, and smart-phone display size.

(97%) and to access social networks (99%). Slightly lessthan half of the participants (44%) used their smart-phones for mobile banking.

The 221 participants that completed all tasks were dis-tributed as follows: 56 in the Baseline Group (A), 55 inthe Missing-Image Group (B), 56 in the Random-ImageGroup (C), and 54 in the Maintenance Group (D).1

Indicator effectivenessTable 3 shows the success rates for the phishing attackduring Task 4. All of the 56 participants in the BaselineGroup (A) entered their login credentials. 83 out of 165(50%) attacks in the experimental groups B, C, and Dwere successful.

To analyze the statistical significance of these results weused the following null hypothesis: “there will be no dif-1We note that, by chance, the participants that dropped outof the study were almost evenly distributed among the fourgroups.

ference in the attack success rate between users that usepersonalized indicators and users that do not use per-sonalized indicators”. A Chi-square test showed that thedifference was statistically significant (χ2(1, N = 221) =44.25, p < 0.0001) and thus the null hypothesis can be re-jected. We conclude that, in our user study, the deploy-ment of security indicators decreased the attack successrate and improved phishing detection.

Difference between attacksA closer look at the performance of participants ingroups B, C, and D reveals that: 30 out of 55 partic-ipants in the Missing-Image Group (B), 23 out of 56participants in the Random-Image Group (C), and 29out of 54 participants in the Maintenance Group (D)did not log in.

To analyze the success rates of the different attack typeswe used the following null hypothesis: “the three attacktypes we tested are equally successful”. A Chi-squaredtest showed no statistically significant difference in theattack success rates, and thus we fail to reject the nullhypothesis (χ2(2, N = 165) = 2.53, p = 0.282).

Other factorsWe performed post hoc analysis of our dataset to under-stand if there were any relationship between the attacksuccess rate and gender (χ2(1, N = 221) = 0.99, p =0.319), age group (χ2(4, N = 221) = 8.36, p = 0.079),smartphone display size (χ2(2, N = 221) = 5.40, p =0.369) or familiarity with mobile banking (χ2(1, N =221) = 1.98, p = 0.160). We did not find any statisticalsignificance for any of the factors we considered. Table 4provides the results break-down.

Finally, we report the mean time spent by participantssetting up the personalized indicator or logging in. Themean time spent setting up the indicator for participantsthat did not fall victim to the attack was 43s (±28s); themean time for participants that fell for the attack was46s (±28s). The mean time spent on the login screen forparticipants that did not fall victim to the attack was18s (±14s); the mean time for participants that fell forthe attack was 14s (±10s). The distribution of the timesspent while setting up the indicator and while logging inare shown in Figure 4a and Figure 4b, respectively.

Post-test questionnaireAt the end of the user study we asked participants tocomplete a short post-test questionnaire. In particularwe asked participants in the experimental groups if theywere familiar with security indicators prior to our userstudy and only 19% replied that they were.

We also asked them if they had noticed anything un-usual when logging in to complete Task 4 (the simulatedphishing attack). 23% of the participants did not noticeanything unusual, while 23% did not remember. 54% ofthe participants noticed something was wrong with theSecBank application while they were logging in. To those

0 20 40 60 80 100 120 140 160 1800

1

2

3

4

5

6

7

Num

ber

of

part

icip

ants Fell victim to phishing attack

0 20 40 60 80 100 120 140 160 180Time (s)

0

1

2

3

4

5

6

7

Num

ber

of

part

icip

ants Did not fall victim to phishing attack

(a) Personal indicator setup

0 20 40 60 80 1000

2

4

6

8

10

Num

ber

of

part

icip

ants Fell victim to phishing attack

0 20 40 60 80 100Time (s)

0

2

4

6

8

10

Num

ber

of

part

icip

ants Did not fall victim to phishing attack

(b) Login screen

Figure 4: Distribution of the time spent by participantssetting up the personalized indicator (a) and logging intothe SecBank application (b).

participants that noticed something wrong with the ap-plication, we also asked if they logged in and why (answerto this question was not mandatory.) 36% of them re-ported that they logged in and the reasons they providedmainly fell in two categories. Some users reported thatthey logged in because they were role-playing and didnot have anything to lose. We list some of their answersbelow:

“Because it is a test and I had nothing to lose or hide.”

“This should be a test and I thought that it was safe.”

“I knew this was a test product so there could not possi-bly be malware for it already. I just thought maybe youguys had some difficulties going on.”

Some users from the Maintenance Group (group D) re-ported that they logged in because they thought therewas a temporary bug in the application. This behavioursuggests that users expect bugs in IT systems and, there-fore, they are susceptible to attacks that leverage theunreliable view that people have of computer products.We list some of participants’ answers below:

“I thought it was a problem of the app that the image wasthere but just did not load. As it happens sometimes inSafari or other browsers.”

“I thought it was a temporary bug.”

“I thought that it was a system error.”

DISCUSSIONIn our study, the deployment of security indicators pre-vented half of the attacks. Our user study shows a sig-nificant improvement in the attack detection rate (50%),compared to previous studies in the context of websitephishing attacks (4% in [33] and 27% in [23]). Thepurpose of our study was not to reproduce these pre-vious studies but rather to evaluate security indicatorsin the context of smartphone applications as realisticallyas possible. Below we discuss how our results should beinterpreted in comparison to previous related studies andoutline directions for further studies that are needed togain better confidence on the effectiveness of personal-ized indicators.

Role-playingWhen designing our user study we kept the experimentas close to a real world deployment as possible. We askedparticipants to install the application on their phonesand avoided using web platforms for human intelligencetasks like Amazon Mechanical Turk (used in, for exam-ple, [23]). However, we could not leverage a real bankdeployment and its user base (as in [33]) because, to thebest of our knowledge, no bank is currently using per-sonalized indicators in its mobile banking application.

Previous work has shown that role-playing negativelyimpacts the effect of security mechanisms [33]. The re-sponses to the post-test questionnaire give reasons tobelieve that, due to role-playing, some participants mayhave logged in despite detecting the attack. It is likelythat role-playing increased the attack success rates inour study. A user study run in cooperation with a bank-ing institution willing to deploy personalized indicatorswould yield more accurate results.

Duration and security primingIn our study, the phishing attack happened seven daysafter the study participants had been primed about secu-rity and our study did not evaluate participants’ behav-ior at a later point in time. This study setup is similar toLee et al. [23] work, where 5 days passed between partic-ipants priming and the attack. In contrast, Schechter etal. [33] recruited customers of a real bank that had beenprimed at the time they had opened their bank account(possibly long before they took part in the user studyand the attack was tested). It is likely that compared toa real-world deployment, the recent security priming ofour user study decreased the attack success rates. Long-term studies in the context of mobile applications (po-tentially through a real-bank deployment) are needed toevaluate the effect of time between the security primingand the attack.

Population sampleParticipants were recruited within our institution acrossstudents, faculty and staff. Most participants were male(68%) and below 30 years old (94%). While our insti-tution attracts people from around the world, the largemajority of the participants were Swiss nationals. As ourinstitution has 16 departments we reached many partic-ipants that don’t have a computer security background.Also, many mobile banking users are relatively young [5],thus our sample overlaps with the expected user popula-tion. Further studies are nonetheless required to assesswhether our results generalize to different populations(e.g., with different age intervals, nationalities, etc.).

We did not ask participants whether they knew otherparticipants and whether they had discussed the study.While participants may influence each other’s behav-ior, we could not identify any particular relationship orcliques among participants.

Application deploymentIn our study, we distributed the victim application (e-banking app) and the phishing component in a single ap-plication, rather than using one victim application anda second application to launch the attack. Since thephishing attack was not launched from a separate appli-cation, our study did not evaluate whether participantscould detect the attack by UI lag when the phishing ap-plication gains control of the device screen.

The motivation behind this study design choice was two-fold. First, we minimized the participant burden dur-ing enrollment. Participants were asked to install onlythe SecBank application, rather than the banking ap-plication and a second innocent-looking application thatwould launch the attack. If participants had had to in-stall a second application (e.g., a weather forecast appli-cation) they may have become suspicious about its pur-pose. Second, previous work has shown that users tendto disregard slight animation effects when the phishingapplication gains control of the device screen [4]. Dueto this design choice, if a study participant decided toexamine the list of running background apps before en-tering his login credentials, our attack component wouldnot have been visible on this list, and thus such defensivemeasures are not applicable to our study.

Recruitment and task perceptionA common challenge in designing security-related userstudies is to avoid drawing participants’ attention to thesecurity aspects under evaluation. If participants arefocused on security, and hence more attentive to possiblethreats, the study results would say little about real-world users to whom security is typically not the primarygoal [13, 33]. As our goal was to assess the effectivenessof a security mechanism that has not yet been deployedin the context of smartphone applications, we could notavoid minimal security priming of the participants.

We advertised our study as one on “the usability of amobile banking application”. Similarly, the emails sent

to complete the tasks were solely focused on task com-pletion [27]. We cannot verify if some participants dis-covered the true goal of our study before we revealed it.However, the comments that participants entered in thepost-test questionnaire suggest that many participantsfocused on the usability of the application. We reportsome comments we received:

“The tasks were easy to perform, but it remained unclearfor me what you were exactly testing.”

“App easy to navigate and user-friendly.”

“The user interface was not so intuitive due to the lack ofspaces between buttons and the equality of all interfaceoptions/buttons.”

Attack implementationIn the phishing attacks where the UI showed no indicator(group B) or where it showed a maintenance message(group D), we removed the text that asked users to emailthe bank in case of a missing indicator. We kept thattext in the attack that showed a random image (groupC). The UI elements shown by the phishing applicationmight have influenced the reaction of the participantsand their willingness to enter their credentials. We didnot test how changes to the text or to other UI elementsaffect phishing detection. A potential direction for futurestudies is to understand how users react to small changesto the UI of an application.

Indicator placement and sizeThe SecBank application showed the personalized indi-cator right above the username and password fields, tak-ing up roughly one third of the screen. The size andthe placement of the personalized indicator within theUI may have an impact on the attack detection rate. Inthe context of websites designed for PC platforms, Leeet al. [23] show that the size of the indicator does notchange the effectiveness of personalized indicators as aphishing-detection mechanism. An interesting directionfor future work would be to look at alternative types ofindicators (e.g., interactive ones) and compare them tothe ones used in this work.

DEPLOYMENT ASPECTSApplication and infrastructure changesFrom the point of view of a service provider, personalizedindicators can be easily deployed because they require nochanges to the marketplace or to the mobile OS. Intro-ducing personalized indicators only requires a softwareupdate of the client application (application updatesare frequent throughout an application lifecycle) and nochanges to the server-side infrastructure of the applica-tion provider (i.e., the bank). The mobile applicationmay guide the user through the indicator setup. Othersolutions, as those presented earlier on, require eitherchanges to the mobile OS or to the marketplace infras-tructure. A service provider (e.g., a bank) can thereforeadopt this security mechanism independently of otherservice providers or of the mobile platform provider.

Indicator choice and reusePersonalized indicators may be used for phishing detec-tion by security-critical applications. If indicators areadopted by multiple applications, users might tend toreuse the same indicator across different applications.This behaviour may provide an attack vector where theattacker develops an application that requires personal-ized indicators, and hopes that the victim user choosesthe same indicator that he had chosen for his bankingapplication. The problem of reusing personalized indica-tors across applications is comparable to the problem ofreusing passwords across online services. We note thatthe deployment of personalized indicators would mostlikely be limited to few security-critical services, whileusers often have to manage passwords for a large num-ber of services and websites.

Similar to password reuse scenarios, users might choosedifferent personalized indicators for “categories” of appli-cations. That is, a particular picture for security criti-cal applications (e.g., banking, email) and another pic-ture for less critical applications (e.g., social networks).Furthermore, when users are asked to pick a personal-ized indicator, they might choose among the picturesthat are at the top of the list (e.g., the ones that weremost recently added to the photo gallery). Therefore,the probability that a picture is selected as the person-alized indicator may not be uniform across all picturesin the photo gallery.

Since in our study we did not collect information on theindicators chosen by the participants, further studies arerequired to explore users’ behavior and patterns in choos-ing personalized indicators.

RELATED WORKMobile application phishing attacks have been describedin recent research [4, 7, 15, 40] and several attacks havebeen reported in the wild [11,14,34]. Proposed counter-measures are primarily attack specific, i.e., they iden-tify an attack vector and try to restrict or monitoraccess to the device functionality that enables the ex-ploit [7, 21,40].

A systematic evaluation of application phishing attackswas recently provided in [4]. The authors use static anal-ysis to detect applications using APIs that enable certainclasses of application phishing attacks. They also intro-duce an on-device solution that allows users to identifyapplications with which they are interacting. In the pro-posed solution, the OS displays a status bar that showsthe application and developer names together with animage chosen by the user. The image, therefore, is usedby the user to distinguish the authentic status bar man-aged by the OS from a fake status bar that a phish-ing application can show if it gains control of the entirescreen. Compared to personalized indicators, the pro-posed solution incurs more deployment costs, since itrequires changes to the OS and the marketplace. Theauthors of [4] also use Amazon Mechanical Turk to run

a user study with 304 participants, and assess the effec-tiveness of phishing attacks in mobile platforms. Theuser study corroborates our findings on personalized in-dicators, although the authors placed the image in thenavigation bar rather than in the application itself. Fur-thermore, the user study in [4] was a one-off test that didnot last for a week and, compared to ours, let partici-pants interact with an emulated Android device througha web-browser rather then letting participants use theirphones in their own typical setting.

Several anti-phishing mechanisms have been proposed(and also deployed) for the web. Countermeasures in-clude automated comparison of website URLs [28], visualcomparison of website contents [6, 41], use of a separateand trusted authentication device [30], personalized indi-cators [9,23,33], multi-stage authentication [19], and at-tention key sequences to trigger security checks on web-sites [39]. Despite the many proposed countermeasures,web phishing remains an open problem [10, 20]. Whilesome of these mechanisms are specific to the web envi-ronment, others could be adapted also for mobile appli-cation phishing detection. Website phishing in the con-text of mobile web browsers has been studied in [29,32].

Previous research on the effectiveness of security indica-tors has mostly focused on phishing and SSL warningson the web. Studies in this context have shown thatusers tend to ignore security indicators such as personal-ized images [23,33] or toolbars [22,38]. Browser securitywarnings (e.g., for an invalid server certificate) have beenshown to be effective on recent browser versions [1], whileprevious studies on older browser warning implementa-tions found the security warnings ineffective [10,12,36].

CONCLUSIONPhishing attacks are an emerging threat for mobile ap-plication platforms and the first successful attacks havealready caused significant financial losses. Personalizedindicators are a well-known countermeasure to addressthe problem of phishing, but previous studies in the con-text of websites have shown that indicators fail to pre-vent the majority of attacks. In this paper we report ourfindings from the first user study on smartphones thatevaluates the effectiveness of personalized security indi-cators for mobile applications. Our preliminary resultsshow that in the new context of smartphones applica-tions, personalized indicators could help users detectingapplication phishing attacks.

We conclude that personalized indicator can be an ef-fective mean to thward application phishing attacks andfurther studies are needed to fully understand their ben-efits in new deployment models such as in mobile appli-cations.

REFERENCES1. Devdatta Akhawe and Adrienne Porter Felt. 2013.

Alice in Warningland: A Large-scale Field Study ofBrowser Security Warning Effectiveness. In

USENIX Conference on Security (USENIX’13).257–272.

2. Tanzirul Azim and Iulian Neamtiu. 2013. Targetedand Depth-first Exploration for Systematic Testingof Android Apps. In International Conference onObject Oriented Programming Systems Languagesand Applications (OOPSLA’13). 641–660.

3. Bank of America. 2006. SiteKey Authentication.(2006). https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/sitekey.go (last access 2015).

4. Antonio Bianchi, Jacopo Corbetta, Luca Invernizzi,Yanick Fratantonio, Christopher Kruegel, andGiovanni Vigna. 2015. What the App is That?Deception and Countermeasures in the AndroidUser Interface. In IEEE Symposium on Securityand Privacy (S&P’15).

5. Board of Governors of the Federal Reserve System.2015. Consumers and Mobile Financial Services2015. (2015).http://www.federalreserve.gov/econresdata/consumers-and-mobile-financial-services-report-201503.pdf (lastaccess 2016).

6. Teh-Chung Chen, Scott Dick, and James Miller.2010. Detecting Visually Similar Web Pages:Application to Phishing Detection. ACM Trans.Internet Technol. 10, 2 (2010), 1–38.

7. Erika Chin, Adrienne Porter Felt, Kate Greenwood,and David Wagner. 2011. AnalyzingInter-application Communication in Android. InInternational Conference on Mobile Systems,Applications, and Services (MobiSys’11). 239–252.

8. Thomas Davies and Ashweeni Beeharee. 2012. TheCase of the Missed Icon: Change Blindness onMobile Devices. In Proceedings of the SIGCHIConference on Human Factors in ComputingSystems (CHI’12). 1451–1460.

9. Rachna Dhamija and J. D. Tygar. 2005. The BattleAgainst Phishing: Dynamic Security Skins. InSymposium on Usable Privacy and Security(SOUPS’05). 77–88.

10. Rachna Dhamija, J. D. Tygar, and Marti Hearst.2006. Why Phishing Works. In SIGCHI Conferenceon Human Factors in Computing Systems(CHI’06). 581–590.

11. Digital Trends. 2013. Do not use iMessage chat forAndroid, it’s not safe. (2013).www.digitaltrends.com/mobile/imessage-chat-android-security-flaw/ (last access 2016).

12. Serge Egelman, Lorrie Faith Cranor, and JasonHong. 2008. You’Ve Been Warned: An EmpiricalStudy of the Effectiveness of Web Browser PhishingWarnings. In Proceedings of the SIGCHIConference on Human Factors in ComputingSystems (CHI ’08). 1065–1074.

13. Serge Egelman, Jennifer King, Robert C. Miller,Nick Ragouzis, and Erika Shehan. 2007. SecurityUser Studies: Methodologies and Best Practices. InExtended Abstracts on Human Factors inComputing Systems (CHI EA’07). ACM,2833–2836.

14. F-secure. 2010. Warning On Possible AndroidMobile Trojans. (2010).www.f-secure.com/weblog/archives/00001852.html (lastaccess 2016).

15. Adrienne Porter Felt and David Wagner. 2011.Phishing on Mobile Devices. In Web 2.0 Securityand Privacy Workshop (W2SP’11). 1–10.

16. Forbes. 2015. Alleged “Nazi” Android FBIRansomware Mastermind Arrested In Russia.(2015). http://www.forbes.com/sites/thomasbrewster/2015/04/13/alleged-nazi-android-fbi-ransomware-mastermind-arrested-in-russia/ (last access 2016).

17. Google Inc. 2012. Android and Security. (2012).http://googlemobile.blogspot.ch/2012/02/android-and-security.html (last access 2016).

18. Google Inc. 2016. Protect against harmful apps.(2016).https://support.google.com/accounts/answer/2812853(last access 2016).

19. Amir Herzberg and Ronen Margulies. 2012. MyAuthentication Album: Adaptive Images-BasedLogin Mechanism. In Information Security andPrivacy Research. 315–326.

20. Jason Hong. 2012. The state of phishing attacks.Commun. ACM 55, 1 (2012), 74–81.

21. Jie Hou and Qi Yang. 2012. Defense AgainstMobile Phishing Attack. (2012). www-personal.umich.edu/~yangqi/pivot/mobile_phishing_defense.pdf (lastaccess 2016).

22. Collin Jackson, Daniel R Simon, Desney S Tan, andAdam Barth. 2007. An evaluation of extendedvalidation and picture-in-picture phishing attacks.In Financial Cryptography and Data Security.281–293.

23. Joel Lee, Lujo Bauer, and Michelle L. Mazurek.2014. Studying the effectiveness of security imagesin Internet banking. IEEE Internet Computing 13,1 (2014).

24. Chia-Chi Lin, Hongyang Li, Xiaoyong Zhou, andXiaoFeng Wang. 2014. Screenmilker: How to MilkYour Android Screen for Secrets. In Network andDistributed System Security Symposium (NDSS’14).

25. MacRumors. 2014. ’Masque Attack’ VulnerabilityAllows Malicious Third-Party iOS Apps toMasquerade as Legitimate Apps. (2014).http://www.macrumors.com/2014/11/10/masque-attack-ios-vulnerability/ (last access 2016).

26. Luka Malisa, Kari Kostiainen, and Srdjan Capkun.2015. Detecting Mobile Application SpoofingAttacks by Leveraging User Visual SimilarityPerception. (2015). Cryptology ePrint Archive:Report 2015/709.

27. Claudio Marforio, Ramya Jayaram Masti, ClaudioSoriente, Kari Kostiainen, and Srdjan Capkun.2016. Supplementary Material - Evaluation ofPersonalized Security Indicators as anAnti-Phishing Mechanism for SmartphoneApplications. (2016). http://www.smartphoneuserstudy.com/supplementary_chi16.pdf(last access 2016).

28. Max-Emanuel Maurer and Lukas Höfer. 2012.Sophisticated Phishers Make More SpellingMistakes: Using URL Similarity against Phishing.In International Conference on Cyberspace Safetyand Security (CSS’12). 414–426.

29. Yuan Niu, Francis Hsu, and Hao Chen. 2008.iPhish: Phishing Vulnerabilities on ConsumerElectronics. In Conference on Usability,Psychology, and Security (UPSEC’08). 1–8.

30. Bryan Parno, Cynthia Kuo, and Adrian Perrig.2006. Phoolproof Phishing Prevention. InInternational Conference on FinancialCryptography and Data Security (FC’06). 1–19.

31. Ronald A Rensink. 2002. Change detection. Annualreview of psychology 53, 1 (2002), 245–277.

32. Gustav Rydstedt, Baptiste Gourdin, Elie Bursztein,and Dan Boneh. 2010. Framing Attacks on SmartPhones and Dumb Routers: Tap-jacking andGeo-localization Attacks. In USENIX Workshop onOffensive Technologies (WOOT’10). 1–8.

33. Stuart E. Schechter, Rachna Dhamija, AndyOzment, and Ian Fischer. 2007. The Emperor’sNew Security Indicators. In IEEE Symposium onSecurity and Privacy (S&P’07). 51–65.

34. Secure List. 2013. The Android Trojan Svpeng nowcapable of mobile phishing. (2013).

www.securelist.com/en/blog/8138/The_Android_Trojan_Svpeng_now_capable_of_mobile_phishing (last access2016).

35. Marcel Selhorst, Christian Stüble, FlorianFeldmann, and Utz Gnaida. 2010. Towards atrusted mobile desktop. In InternationalConference on Trust and Trustworthy Computing(TRUST’10). 78–94.

36. Joshua Sunshine, Serge Egelman, HazimAlmuhimedi, Neha Atri, and Lorrie Faith Cranor.2009. Crying Wolf: An Empirical Study of SSLWarning Effectiveness.. In USENIX SecuritySymposium. 399–416.

37. The Vanguard Group. 2006. Vanguard EnhancedLogon. (2006). http://www.vanguard.com/us/content/Home/RegEnhancedLogOnContent.jsp (last access 2015).

38. Min Wu, Robert C. Miller, and Simson L.Garfinkel. 2006a. Do Security Toolbars ActuallyPrevent Phishing Attacks?. In Proceedings of theSIGCHI Conference on Human Factors inComputing Systems (CHI ’06). 601–610.

39. Min Wu, Robert C. Miller, and Greg Little. 2006b.Web Wallet: Preventing Phishing Attacks byRevealing User Intentions. In Symposium on UsablePrivacy and Security (SOUPS’06). 102–113.

40. Zhi Xu and Sencun Zhu. 201. Abusing NotificationServices on Smartphones for Phishing andSpamming. In USENIX Workshop on OffensiveTechnologies (WOOT’12). 1–11.

41. Yue Zhang, Jason I. Hong, and Lorrie F. Cranor.2007. Cantina: A Content-based Approach toDetecting Phishing Web Sites. In InternationalConference on World Wide Web (WWW’07).639–648.

42. Yajin Zhou, Zhi Wang, Wu Zhou, and XuxianJiang. 2012. Hey, You, Get Off of My Market:Detecting Malicious Apps in Official andAlternative Android Markets. In Network and

Distributed System Security Symposium (NDSS’12).