TL;DR it's possible to detect where you tapped on your phone screen somewhat reliably. Theoretically, someone could develop an app to associate screen location taps to keys and could pick out a password. Authors suggest phone manufacturers should limit access to accelerometers to prevent the attack.
This is extremely contrived and would take a shitload of skilled work to get right. It's way easier to make a phishing page coupled with social engineering to get what you want.
I think step counters depend on being able to read accelerometer data. You might be able to add enough noise to the signal to make tap localization impossible while still keeping steps detectable, but that requires careful tuning.
On iOS at least, most ‘step counter’ apps don’t actually do the step counting - they just pull the data from HealthKit, as the phone is already tracking them.
Oh my mistake, it was actually I who misread the first comment.
Regardless, I don't think a screen tap logger would be necessary in many cases, since you could just open the keyboard on the phone and manually check the bounding boxes for each key.
Making this work on N phones would be more difficult, but not unfeasible. You'd probably just need to know a few things about the phone (resolution, screen size), and it wouldn't be hard to find that information.
Would be especially easy to just target the limited iPhone line.
Is this why most password entry forms in Android do not allow use of the Swype-type keyboard? I always thought that was strange. Now it makes more sense... backdooring
Wouldn't that have more to do with passwords not being proper words? Swiping is like autocomplete, f7_4sl+lsS$@q.. can't imagine swiping something like that.