A Defense Against Shoulder Surfing on Mobile Chat Applications

Catherine, a developer living in Silicon Valley, takes public transport from Fremont to San Francisco every day. Just like many other techies in town, she uses the latest smartphone and spends a good amount of time on Telegram. Her phone has the latest security mechanisms and all the software updates installed. However, all these security measures mean nothing the moment she opens her phone to check her new messages.

The people around her love to read stories, and they can’t help sneaking a peek over her shoulder at her phone screen. Of course, she could use privacy filters, but these are a big inconvenience at times. Peeling them off and reinstalling them every time she needs some privacy sure sounds crazy. On the other hand, she could always keep them on, but only by compromising the viewing angles on her phone, which she will regret when watching videos with friends.

What if she could chat without compromising on privacy or convenience? How about introducing software-based blur to enhance the privacy of day-to-day applications? This is what Snow can do.

All of us use instant messaging apps, be it Telegram, WhatsApp, Snapchat, Skype, Hangouts or Facebook Messenger. Many of these services provide various security features, including end-to-end encryption. However, none of these services have protection against the basic problem of shoulder surfing. This means users are vulnerable to prying eyes while in crowded places.

This is applicable to other applications as well: e-mail clients, banking portals, FTP clients, and even Windows Explorer can all leak lots of information to prying eyes while being used in public places, like crowded public transit.

Snow is a new idea that messenger services, or any other applications, can incorporate into their products that may help protect users from shoulder surfing.

A normal chat window with Snow button added

Developers can add a ‘Snow’ button to their applications. When ‘Snow’ mode is activated, the application will immediately blur out all the text bubbles on the screen. The user can read the contents of a bubble by tapping on it when they are on a phone, or by hovering over it if they are on a desktop. The bubble will show its contents for 1500 milliseconds or less, before blurring again.

A chat window with Snow activated

Tapping on a chat bubble will show its contents for 1500ms or less

This way, someone standing beside you won’t be able to collect as much information as they would normally. This can help boost the privacy already offered by the application being used.
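
The Snow behaviour described above (blur every bubble, reveal one on tap or hover, blur it again after 1500 ms or less) can be implemented as a controller over the message elements. This is an added example, not code from the article or from any messenger; the name SnowController, the 6px blur radius, and the choice to re-blur the previous bubble as soon as another one is revealed are assumptions.

```javascript
// Added example: names and the blur radius are assumptions, not from the article.
const REVEAL_MS = 1500;   // reveal window stated in the article
const BLUR = 'blur(6px)'; // assumed CSS filter value

class SnowController {
  // Timers are injectable so the logic can be exercised without a browser.
  constructor(timers = { set: (f, ms) => setTimeout(f, ms), clear: (id) => clearTimeout(id) }) {
    this.timers = timers;
    this.active = false;
    this.bubbles = new Set();
    this.revealed = null; // at most one bubble is readable at a time
    this.timer = null;
  }

  // Register a bubble element; messages arriving while Snow is on start blurred.
  attach(bubble) {
    this.bubbles.add(bubble);
    bubble.style.filter = this.active ? BLUR : 'none';
    // Tap on a phone, hover on a desktop.
    for (const ev of ['click', 'mouseenter']) {
      bubble.addEventListener(ev, () => this.reveal(bubble));
    }
  }

  // The 'Snow' button calls this to switch the mode on or off.
  setActive(on) {
    this.hideRevealed(); // cancel any pending re-blur first
    this.active = on;
    for (const b of this.bubbles) b.style.filter = on ? BLUR : 'none';
  }

  // Show one bubble, then blur it again after REVEAL_MS.
  reveal(bubble) {
    if (!this.active) return;
    this.hideRevealed(); // "or less": a new tap cuts the previous reveal short
    bubble.style.filter = 'none';
    this.revealed = bubble;
    this.timer = this.timers.set(() => this.hideRevealed(), REVEAL_MS);
  }

  hideRevealed() {
    if (this.revealed === null) return;
    this.timers.clear(this.timer);
    if (this.active) this.revealed.style.filter = BLUR;
    this.revealed = null;
  }
}
```

In a page, call attach() for each message element as it is rendered and wire the Snow button to setActive().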

There is a high demand for privacy while chatting in public places, as shown by filters selling like hotcakes on Amazon. Compared to physical privacy screen guards, Snow is a more accessible and convenient solution since it is fully software-based. Snow can also be used in web applications or desktop applications, where it can temporarily hide email recipient lists, subject lines, usernames, email addresses, etc., while users are accessing them from public places.

Wouldn’t it be nice to show an email on your computer to your colleague without also showing them your chat list and personal messages? Wouldn’t it be nice to open D:\Documents\q4-growth.xlsx without showing the audience the content of the parent folders?

It’s important to understand that Snow does not improve the security of applications or data as such; rather, it is just a potential method to improve privacy in crowded places. This method is also not a 100% effective solution for shoulder surfing since others can still read what you are typing on the screen. Inconveniences aside, privacy filters are still a more foolproof solution.

But when it comes to finding the best combination of usability, convenience, lightness, and effectiveness, Snow could be the winner.

Authored by Abhi M Balakrishnan, Security Consultant at Security Compass.