1 Introduction

Mobile computing devices are ubiquitous nowadays. In particular, users increasingly rely on mobile devices such as smartphones, tablets, and smartwatches to manage their personal, private, or even mission-critical data. To protect the confidentiality of sensitive data, full disk encryption (FDE) has been integrated into major mobile operating systems including Android [1] and iOS [2]. FDE encrypts/decrypts data at the disk level, so that an attacker cannot access the plaintext of the sensitive data without the secret key. FDE, however, can only defend against a passive attacker who tries to steal sensitive data from the external storage [3]. It cannot defend against an active attacker who captures the device owner and forces him/her to disclose the secret key. Coercive attacks of this type are common in the real world. For example, a journalist may use a mobile device to collect evidence of atrocities in a region of oppression and store the evidence encrypted; when he/she crosses the border, a border inspector may notice the encrypted data and demand the decryption key [4].

Plausibly deniable encryption (PDE) has been designed to ensure the confidentiality of sensitive data against coercive attacks. PDE allows a victim user to deny the existence of the sensitive data upon being coerced. Its rationale is that data are encrypted in a special way such that the sensitive private data are revealed only if the true key is used for decryption, whereas if a decoy key is used, only non-sensitive public data are disclosed. When the device owner is coerced, he/she simply discloses the decoy key; using it, the attacker obtains only the non-sensitive public data and remains unaware of the hidden sensitive data. The concept of PDE has been implemented broadly in mobile computing devices [3,4,5,6,7,8,9,10,11,12,13] to protect hidden sensitive data against coercive attacks.

In regions of conflict or oppression, smartwatches and other wearable devices are a more convenient option for capturing evidence of crimes, such as taking photos or recording videos, while avoiding detection by the perpetrator. This is because, compared to smartphones and tablets, wearable devices are less conspicuous and easier to use discreetly. However, a PDE system for wearable devices is missing from the literature. The existing mobile PDE designs may not fit wearable devices for three reasons. First, most of them [4,5,6,7,8,9, 12] are specifically designed for smartphones. They require the user to enter a password, from which the key is derived via PBKDF2 (Password-Based Key Derivation Function 2 [14]). While it is practical to type a password on a smartphone, it is far less user-friendly on a wearable device: a smartwatch has a small screen, and entering a text password on it is very inconvenient. Second, they require changing either the firmware of the underlying flash storage medium [3, 8, 15,16,17] or the operating system [4,5,6,7, 9,10,11, 15], and hence are difficult to deploy on today's wearable devices. Third, they mostly rely on the hidden volume technique [3,4,5,6,7, 9,10,11, 15] or the dummy write technique [12, 18] for plausible information hiding. Both techniques hide sensitive data among randomness and suffer from two limitations: (1) filling the disk with randomness incurs expensive extra overhead, and (2) an implicit assumption must be made that filling the randomness is itself a normal behavior and does not compromise the PDE.

In this work, we aim to design a PDE system that can protect hidden sensitive data on wearable devices. We avoid changing the operating system or the storage firmware; instead, our design can be installed as an app and hence easily deployed by users. The design relies on two key insights. First, we use image steganography, which can be deployed conveniently at the application layer. Wearable devices like smartwatches are increasingly used to process images, e.g., they are increasingly equipped with cameras [19, 20] for capturing images/videos, or they can download Internet images and view them locally [21, 22]. Having observed that an image is commonly bound together with a digital watermark for intellectual property protection, we rely on digital watermarking to explain away the hidden sensitive information. Our idea is to use image steganography to embed the sensitive data into the images stored on the wearable device; if the adversary identifies anything abnormal and coerces the victim, the victim can simply claim that the embedded data are watermarks. To defend against a multi-snapshot adversary, who can access the victim device at multiple checkpoints over time, every change to the hidden sensitive data is embedded into a new image via image steganography. A salient advantage of our design is that it eliminates the overhead of filling the disk with randomness, and removes the assumption that filling the randomness is a normal system behavior. Second, we carefully adapt the PDE system to the hardware of wearable devices. A PDE system usually requires the user to enter two secrets, a low-security-level secret (the decoy key) and a high-security-level secret (the true key). On a wearable device, however, the screen is small, rendering it impractical to enter the secrets via a touchscreen. Therefore, we utilize common sensors equipped on the wearable device to enter the secrets.

Contributions We summarize our major contributions as follows:

  • We have designed \(\textsf{MobiWear}\), the first application-layer PDE system for wearable mobile computing devices, by combining the concept of PDE, image steganography, as well as digital watermarking, and adapting the design to the hardware of wearable devices. Our design can defend against a strong multi-snapshot adversary.

  • We have assessed the robustness of using the gyroscope sensor to enter passwords/keys, using an LG G smartwatch.

  • We have analyzed the security of \(\textsf{MobiWear}\). We have also implemented a real-world prototype of \(\textsf{MobiWear}\) on a real smartwatch and evaluated its performance.

Compared to our conference version [23], the major differences are: (1) The new design can defend against a stronger multi-snapshot adversary, whereas the design in the conference version can only defend against a single-snapshot adversary. (2) We have assessed the robustness of using the gyroscope sensor to enter keys on a real smartwatch. (3) We have assessed multiple image steganography techniques including LSB, DCT, and DWT, while the conference version only assessed LSB. (4) We have updated the security analysis to show that the design can defend against the new multi-snapshot adversary.

2 Related work

Various plausibly deniable encryption storage systems have been designed in the literature. In the following, we categorize the existing designs in terms of the storage layer at which they are deployed. None of them have been designed for the application layer.

The block-layer PDE systems Anderson et al. [24] have designed two steganographic file systems. The first one is to hide sensitive data in cover files, which however, requires the system to store a large number of cover files. The second one is to fill the entire disk with random data and, to encrypt and hide the secret data in those random data. Based on the second design of Anderson et al., McDonald et al. designed StegFS [25], in which they extended a standard Linux file system (EXT2) with PDE support. Other steganographic file systems either allow users to selectively hide their directories/files [26] or provide deniability in multi-user environments [27].

TrueCrypt [28] and VeraCrypt [29] popularized the hidden volume technique to achieve plausible deniability. Skillen et al. [4, 5] proposed Mobiflage, which first brought the hidden volume technique to mobile computing devices. Mobiflage requires the user to reboot the device to enter the hidden mode, which is inconvenient. To mitigate this issue, Yu et al. proposed MobiHydra [6], which supports data hiding without rebooting the device. MobiHydra also solved a boot-time attack on Mobiflage. Chang et al. proposed Mobipluto [7, 9], a file-system-friendly PDE system in which any block-based file system can be deployed on top of the public volume without risking overwriting the hidden sensitive data. Having observed that the prior mobile PDE systems cannot defend against a multi-snapshot adversary, Chang et al. designed MobiCeal [12], which combines the hidden volume technique with the dummy write technique to defend against multi-snapshot adversaries.

Some other block-layer PDE systems rely on write-only ORAM [30, 31] to ensure plausible deniability when facing the multi-snapshot adversaries.

The flash memory-layer PDE systems Jia et al. [3] have introduced DEFTL, which moved the hidden volume technique to the flash translation layer, eliminating the deniability compromises in the low-level flash memory medium. DEFTL can only defend against a single-snapshot adversary, and later designs [17, 18] can defend against the multi-snapshot adversary by leveraging WOM codes [17] or dummy writes [18].

The cross-layer PDE systems Peters et al. proposed DEFY [8], a flash file system enabling PDE. DEFY however, requires the support of the flash-specific file system YAFFS, which is rarely used today. Another flash file system INFUSE [16] also can ensure deniability. However, INFUSE also relies on YAFFS and, additionally, it requires the support of the flash memory hardware to program and operate the same flash memory cell as a single-level cell or a multi-level cell. Chen et al. have designed CrossPDE [15], the first cross-layer PDE system which is compatible with the mainstream FTL-based flash storage devices.

Other PDE systems Chakraborti et al. proposed Wink [32], a plausibly deniable messaging system that enables users to communicate securely even under powerful surveillance or coercive adversaries. It operates by surreptitiously embedding hidden messages within the cryptographic randomness inherent in end-to-end encrypted messaging. Chen et al. proposed HiPDS [33], a hardware-independent PDE system. HiPDS combines chameleon hashes and trusted execution environment techniques to defend against a multi-snapshot adversary at both the storage and memory levels. Pinjala et al. proposed INVISILINE [34], an invisible PDE system designed for compatibility with the Linux dm-crypt disk encryption subsystem. INVISILINE employs a specific data layout and encoding to store hidden data within the initialization vectors used by dm-crypt to encrypt public data. This approach ensures that any disk changes can be plausibly attributed to changes in the public data resulting from the normal operation of dm-crypt. Liao et al. introduced FSPDE [35]. By leveraging the security features of ARM TrustZone and coordinating multiple storage sub-layers, FSPDE constitutes the first complete mobile PDE system design. It is specifically engineered to counteract PDE vulnerabilities across the execution and storage layers of mobile devices, as well as in cross-layer communications.

3 Background

3.1 Wearable mobile devices

A wearable mobile computing device is a mobile device that can be worn on the body. Wearable devices can be used for general computing as well as for special purposes such as fitness tracking. They usually integrate a few special sensors like accelerometers, gyroscopes, magnetometers, heart rate sensors, and pedometers. The most popular wearable device is the smartwatch. Besides the basic functionality of a regular watch, a modern smartwatch may include various extra peripherals to achieve "smartness", e.g., digital cameras, tiny speakers, GPS receivers, pedometers, heart rate sensors, thermometers, accelerometers, altimeters, barometers, compasses, and gyroscopes. Compared to a smartphone, which is usually much larger and equipped with more powerful hardware (e.g., a much larger touchscreen, a more powerful processor, more RAM, and a larger battery), the smartwatch is small and equipped with less powerful hardware: its small screen does not support user input well, and its processor, RAM, and battery are more limited.

3.2 Plausibly deniable encryption

Plausibly deniable encryption (PDE) systems are designed to protect sensitive information when a device owner is coerced by an adversary. Upon being coerced, the device owner only reveals the decoy key which can be used to decrypt non-sensitive data. The actual secret key (i.e., true key) which can be used to decrypt the sensitive data will be kept confidential and therefore, sensitive data are protected.

Currently, there are two major techniques that implement the PDE concept, namely steganography [24] and the hidden volume. A steganography-based PDE system hides the sensitive data in regular files or in randomness that has been filled arbitrarily. However, since the system that manages the public non-sensitive data must not know about the hidden sensitive data, the hidden data may be overwritten by the public data. To mitigate this overwrite issue, several copies of the hidden sensitive data are usually maintained across the entire disk. A hidden volume-based PDE system hides the sensitive data in a hidden volume. Its idea is: initially, the entire disk is filled with random data and two volumes, a public and a hidden one, are created; the public volume stores the non-sensitive data, which are encrypted with a decoy key and placed across the entire disk; the hidden volume stores the sensitive data, which are encrypted with the true key and placed at the end of the disk starting from a secret offset; the hidden volume is completely embedded in the empty space of the public volume, and the attacker cannot detect its existence since he/she cannot distinguish the encrypted hidden data from the randomness filled initially.

3.3 Image steganography

Image steganography is a technique commonly employed to conceal information within a cover image. The process involves storing secret data, such as texts or images, invisibly within the cover image, resulting in the creation of a stego-image. This stego-image can then be transmitted to a receiver, who will be unaware that it contains hidden information [36]. Upon receiving the stego-image, the receiver can extract the secret data with or without the use of a key [37]. The process is illustrated in Fig. 1.

Image steganography can generally conceal secret data in two domains: the spatial domain and the transform domain. The simplest spatial-domain technique is the least significant bit (LSB) method. In a 32-bit ARGB image, each pixel comprises four channels, alpha (A), red (R), green (G), and blue (B), each occupying one byte. Alpha denotes the transparency value, while red, green, and blue represent the intensities of the three color components. The least significant bit of each byte has a minimal impact on the pixel value [38], so it can be replaced with a bit of the confidential data. In the transform domain, the commonly used techniques are the discrete cosine transform (DCT [39]) and the discrete wavelet transform (DWT [40]). The DCT-based method transforms an image from the spatial domain to the frequency domain, where the coefficients can be grouped into low, middle, and high frequencies. The low-frequency coefficients carry the most critical visual content of the image, whereas the high-frequency coefficients are often discarded during compression [41]. Therefore, a message is usually embedded by modifying the middle-frequency coefficients, since they have the least impact on visual quality while not being the first to be dropped by compression. The DWT-based method is similar in that it also splits the signal into high- and low-frequency parts. The high-frequency part contains the edge components, while the low-frequency part can be further decomposed into high- and low-frequency components. The high-frequency components are typically used for steganography since the human eye is less sensitive to changes in edges [42].

Fig. 1 Image steganography

3.4 Digital watermarking

Digital watermarking can reinforce the security of multimedia data, by providing a solution to ensure tamper resistance as well as ownership protection of intellectual property [43]. A simple type of image watermarking is to embed a logo, which is a visible watermark. This is usually used for public identification and recognition. Another type of image watermarking is to embed an invisible watermark, which has been used broadly in multimedia data (e.g., images, videos) to claim copyrights.

3.5 Structural similarity index measure (SSIM)

SSIM is a widely used image quality assessment metric that evaluates the similarity between two images. Rather than comparing pixel values one by one, SSIM compares the luminance, contrast, and structure of the two images through the means, standard deviations, and covariance of their pixel values (in practice computed over local windows and averaged). The SSIM score lies between −1 and 1, and equals 1 only when the two images are identical. The SSIM of two images x and y is calculated via Eq. 1, where (1) \(\mu _x\), \(\sigma _x\) are the mean and standard deviation of the pixel values of x; (2) \(\mu _y\), \(\sigma _y\) are the mean and standard deviation of the pixel values of y; (3) \(\sigma _{xy}\) is the covariance of the pixel values of x and y; and (4) \(C_1\) and \(C_2\) are small constants added to avoid division by zero when the means or variances are close to zero.

$$\begin{aligned} SSIM(x,y) = \frac{(2\mu _x\mu _y + C_1)(2\sigma _{xy}+C_2)}{(\mu _x^2+\mu _y^2+C_1)(\sigma _x^2+\sigma _y^2+C_2)} \end{aligned}$$
(1)
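To make Eq. 1 concrete, the following Python is an added example (not from the paper) that evaluates the formula with the document's symbols, first over whole images and then as the mean over 8 × 8 windows, which is how the metric is normally reported. The inputs are constructed: a 16 × 16 gradient image, the same image with every least significant bit set (the kind of change LSB embedding makes), and its inversion. The constants \(C_1=(0.01L)^2\) and \(C_2=(0.03L)^2\) with \(L=255\) are the values proposed with the metric; the page does not fix them, so they are an assumption here.

```python
"""Eq. 1 evaluated on constructed grayscale images (added example, not from
the paper).  Images are lists of rows of integers 0..255.  C1 and C2 use the
conventional K1=0.01, K2=0.03, L=255, an assumption the text does not fix."""
L_RANGE = 255
C1 = (0.01 * L_RANGE) ** 2
C2 = (0.03 * L_RANGE) ** 2


def _flatten(img):
    return [float(v) for row in img for v in row]


def _mean(values):
    return sum(values) / len(values)


def _cov(a, b, ma, mb):
    """Unbiased covariance sigma_ab; called with a == b it is the variance."""
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / (len(a) - 1)


def ssim(x, y):
    """Eq. 1 over the whole image: luminance term times contrast/structure term."""
    xs, ys = _flatten(x), _flatten(y)
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("images must have the same size and at least two pixels")
    mu_x, mu_y = _mean(xs), _mean(ys)
    var_x = _cov(xs, xs, mu_x, mu_x)
    var_y = _cov(ys, ys, mu_y, mu_y)
    cov_xy = _cov(xs, ys, mu_x, mu_y)
    numerator = (2 * mu_x * mu_y + C1) * (2 * cov_xy + C2)
    denominator = (mu_x * mu_x + mu_y * mu_y + C1) * (var_x + var_y + C2)
    return numerator / denominator


def ssim_windowed(x, y, win=8):
    """Mean SSIM over non-overlapping win x win windows, the form used in practice:
    local statistics catch distortions that a global mean/variance would average out."""
    height, width = len(x), len(x[0])
    scores = []
    for r in range(0, height - win + 1, win):
        for c in range(0, width - win + 1, win):
            scores.append(ssim([row[c:c + win] for row in x[r:r + win]],
                               [row[c:c + win] for row in y[r:r + win]]))
    return sum(scores) / len(scores)


# Constructed 16x16 gradient covering 0..255, plus two modifications of it.
COVER = [[r * 16 + c for c in range(16)] for r in range(16)]
LSB_STEGO = [[v | 1 for v in row] for row in COVER]      # every LSB set, as LSB embedding might
INVERTED = [[255 - v for v in row] for row in COVER]     # same content, opposite structure


def demo():
    """Return (global, windowed) SSIM for the LSB change and the inversion."""
    return (ssim(COVER, LSB_STEGO), ssim_windowed(COVER, LSB_STEGO),
            ssim(COVER, INVERTED), ssim_windowed(COVER, INVERTED))
```

An LSB-only change leaves SSIM within a few hundred-thousandths of 1, which is why the metric is used in this paper to argue imperceptibility; the inverted image, whose covariance with the cover is negative, scores below zero, showing that the index is not bounded below by 0.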

4 Model and assumptions

System model We consider a wearable mobile device, with its architecture shown in Fig. 2 [44, 45]. The device mainly consists of three layers. The application layer contains various user apps that directly interact with users and accept I/Os from users, e.g., an image viewer or editor. Our design is mainly deployed at the application layer. The operating system layer manages the device’s hardware resources, allowing the apps to use the hardware resources via the system APIs. A popular operating system is Wear OS [46]. The hardware layer contains the processor, the RAM, the flash storage, the sensors, etc. Note that a flash-based block device like an eMMC card is used broadly in wearable devices [47], in which the flash memory is managed internally by flash translation layer (FTL), exposing a regular block access interface.

Fig. 2 The architecture of a wearable mobile device [44, 45]

Adversarial model. We consider a computationally bounded adversary. The adversary is able to capture a victim user together with his/her mobile device at multiple checkpoints over time, i.e., a multi-snapshot adversary. The adversary suspects sensitive secret data are stored hidden in the device, and may coerce the victim user for the secret data.

Assumptions. We rely on a few assumptions as elaborated below:

  • The adversary is rational and will stop coercing the victim user after being convinced that the secret has been disclosed. This is a common assumption for all PDE designs [3, 4, 7, 12].

  • The adversary cannot capture the victim user while he/she is processing the hidden sensitive data. Otherwise, the adversary obtains the sensitive data trivially.

  • We assume the device is malware free. Otherwise, malware could simply monitor the process of embedding the hidden sensitive data and trivially compromise the deniability. This requires the device owner to be cautious and to have his/her device scanned periodically by anti-virus tools so that any malware found can be removed.

  • The adversary may know the design of \(\textsf{MobiWear}\), but the presence of \(\textsf{MobiWear}\) itself is not a red flag, considering that \(\textsf{MobiWear}\) is widespread, e.g., it has been integrated into the mainstream distribution of the OS. This assumption is required by most prior mobile PDE systems [4, 6, 17]. Having the \(\textsf{MobiWear}\) app on the device does not indicate that the user uses it to store hidden sensitive data.

  • We mainly focus on data confidentiality and assume that the adversary will not alter the captured images (e.g., smear the image content or modify the image name).

  • The adversary is assumed to be able to obtain both the original cover image and the stego-image (i.e., the resulting image after the sensitive data are embedded), and to perform steganalysis over them. The stego-image can be easily obtained once the wearable device is captured. The cover image may be obtained by the adversary because it may come from an external source, e.g., the device owner purchased it from others. However, the adversary is assumed to be unable to obtain the watermark image, which is created locally by the device owner and has not been disclosed to the public (note that the watermark image must be deleted from the local storage once used). In addition, when encoding the sensitive data into the watermark, a state-of-the-art image steganography technique should be used.

5 MobiWear

5.1 Design overview

Given some secret sensitive data, the user picks a cover image as well as a watermark image, and embeds the secret sensitive data in two steps: (1) embedding the sensitive data into the watermark image using the true key, obtaining a stego-watermark; and (2) embedding the stego-watermark into the cover image using the decoy key, obtaining a stego-image. The stego-image is kept on the wearable device, but both the cover image and the watermark image must be deleted. Extracting the sensitive data from the stego-image is the reverse of the embedding. Once both the decoy key and the true key are available, the user uses the decoy key to extract the stego-watermark from the stego-image, and then uses the true key to extract the sensitive data from the stego-watermark.

If the user wants to update the sensitive data, he/she first extracts the sensitive data from the stego-image via both the decoy key and the true key; the user then updates the sensitive data and embeds the new sensitive data into a new cover image and a new watermark image, by repeating the embedding process with the same decoy/true keys, generating a new stego-image. The old stego-image is then deleted. If the user wants to delete the sensitive data, he/she can directly delete the corresponding stego-image.

When the user is captured together with his/her wearable device, the adversary may notice that something is stored hidden in the stego-image. This is because the adversary may be able to obtain the original cover image (Sec. 4), and compare the stego-image with the cover image. The adversary will coerce the user for the hidden sensitive data. The user will disclose the decoy key and claim that there is a watermark embedded in the stego-image. Utilizing the decoy key, the adversary can successfully extract the watermark (i.e., the stego-watermark) from the stego-image. The adversary will not be able to notice anything special in the stego-watermark, if (1) the adversary does not have access to the actual watermark image (Sec. 4), and (2) the image steganography used to embed the sensitive data into the watermark image is secure.

5.2 Design details

5.2.1 Secret embedding and extracting

Embedding the secret sensitive data into the cover image follows two steps (Fig. 3): (1) We encrypt the sensitive data using the true key, and the resulting ciphertext is embedded into the watermark image using image steganography with the true key, obtaining a stego-watermark. (2) We encrypt the stego-watermark using the decoy key, and the resulting ciphertext is embedded into the cover image using image steganography with the decoy key, obtaining a stego-image. There are two unique design considerations of \(\textsf{MobiWear}\) in this process (Fig. 3): (1) The decoy and true keys are entered using sensors of the smartwatch, addressing the data-entry inconvenience of wearable devices. (2) Our design employs a two-step data hiding technique and relies on the watermark to obfuscate the existence of the hidden sensitive data. Embedding the sensitive data directly into the cover image is not viable, as they could then be extracted and decrypted once the device owner is coerced. In \(\textsf{MobiWear}\), the device owner can instead give up the decoy key and disclose the watermark upon being coerced.

Fig. 3 The process of embedding the secret sensitive data, generating the stego-image

Extracting the secret sensitive data from the stego-image follows two steps (Fig. 4): (1) Using the decoy key, we can extract the encrypted stego-watermark from the stego-image; the encrypted stego-watermark will be further decrypted via the decoy key, obtaining the plaintext of the stego-watermark. (2) Using the true key, we can extract the encrypted sensitive data from the stego-watermark; the encrypted sensitive data will be further decrypted via the true key, obtaining the plaintext of the sensitive data.

Fig. 4 The process of extracting the secret sensitive data from the stego-image

Selections of the image steganography techniques Image steganography is an active research area. The traditional LSB method (Sec. 3.3) is efficient in both encoding and decoding, but is susceptible to various steganalysis attacks [48]. LSB can nevertheless always be used to encode the stego-watermark into the cover image: the adversary is assumed to hold the original cover image (Sec. 4) and can therefore detect that something has been embedded regardless of the technique, so the outer layer does not need to resist steganalysis. More secure alternatives include DCT and DWT (Sec. 3.3), which work in the transform domain; they may be used to encode the sensitive data into the watermark image. Recently, deep learning-based image steganography techniques [49,50,51,52] have been developed to defend against more advanced adversaries that use deep learning-based steganalysis [53]. The user is always advised to use the most recent steganography technique when encoding the sensitive data into the watermark image, to avoid being compromised by such adversaries. In the following, we elaborate the encoding and decoding process of a few typical image steganography techniques driven by a key, which can be used as building blocks of \(\textsf{MobiWear}\).

LSB-based encoding and decoding The steps for performing LSB encoding via a given key k are:

  • Encrypt the message via k, and add two special strings B and E to the beginning and the end of the encrypted message, generating the enhanced message P. B identifies the beginning of the message while E identifies the end. B and E must be generated using k and must be unique for different cover images, e.g., by applying a keyed cryptographic hash function h over the name of the cover image and the key k, namely \(B=h_k(name-of-image||1)\) and \(E=h_k(name-of-image||2)\). Two practical requirements follow: the markers should be long enough (e.g., a full hash output) that they cannot appear in the ciphertext or in the unused LSBs by chance, and since the same key is reused across stego-images (Sec. 5.1), the encryption must use a fresh IV/nonce for each message.

  • Convert P into a sequence of l bits.

  • The content C of the cover image is viewed as a sequence of bytes, and each bit of P is sequentially embedded into the least significant bit of the corresponding byte in C. This implies that l must not exceed the length of C in bytes.

  • Save the modified cover image as the stego image.

The steps for performing LSB decoding via a given key k are:

  • Re-generate the special strings B and E via k.

  • Retrieve the image content C from the stego image.

  • Extract the least significant bit of each byte of C sequentially from the beginning, appending the resulting bits to P. The extraction terminates once both B and E have been obtained.

  • Extract the sub-message stored between B and E from P, and decrypt the sub-message using key k.
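The following Python program is an added example, not the paper's prototype code. It carries the two-step design of Secs. 5.1 and 5.2.1 through with the LSB encoding and decoding steps just listed: the markers B and E are derived as keyed hashes of the image name, the message is encrypted, and the enhanced message P is written into the least significant bits, first of the watermark (true key) and then of the cover (decoy key). Assumptions, also labelled in the code: "images" are flat byte strings (one byte per channel sample, which is all that LSB embedding touches), the cipher the text leaves unspecified is replaced by a keyed HMAC-SHA256 XOR stream, and the image names, keys, and image bytes are constructed sample values.

```python
"""Two-step LSB hiding as in Secs. 5.1 and 5.2.1 (added example, not the
paper's prototype).  Assumptions, labelled: 'images' are flat byte strings
(one byte per channel sample); the unspecified cipher is a keyed
HMAC-SHA256 XOR stream; names, keys and image bytes are constructed."""
import hashlib
import hmac
import random

MARKER_LEN = 32  # B and E are full HMAC-SHA256 outputs


def markers(key: bytes, image_name: str):
    """B = h_k(name || 1), E = h_k(name || 2): keyed and unique per cover image."""
    name = image_name.encode()
    b = hmac.new(key, name + b"\x01", hashlib.sha256).digest()
    e = hmac.new(key, name + b"\x02", hashlib.sha256).digest()
    return b, e


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with HMAC-SHA256(key, counter) blocks.  Symmetric,
    unauthenticated, and the counter restarts on every call, so a deployment
    must use an AEAD with a per-image nonce instead."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def lsb_embed(cover: bytes, message: bytes, key: bytes, name: str) -> bytes:
    """Write P = B || Enc_k(message) || E into the LSB of successive bytes of cover."""
    b, e = markers(key, name)
    payload = b + stream_xor(key, message) + e
    if len(payload) * 8 > len(cover):                      # l must not exceed |C|
        raise ValueError("cover too small: need %d bytes" % (len(payload) * 8))
    stego = bytearray(cover)
    for i, byte in enumerate(payload):
        for j in range(8):
            bit = (byte >> (7 - j)) & 1
            stego[i * 8 + j] = (stego[i * 8 + j] & 0xFE) | bit
    return bytes(stego)


def lsb_extract(stego: bytes, key: bytes, name: str) -> bytes:
    """Collect LSBs into bytes until B and then E have been seen, then decrypt
    the bytes between them.  With a wrong key the markers never appear."""
    b, e = markers(key, name)
    seen, acc = bytearray(), 0
    for i, byte in enumerate(stego):
        acc = (acc << 1) | (byte & 1)
        if i % 8 == 7:
            seen.append(acc)
            acc = 0
            if seen.endswith(e) and seen.find(b) != -1:      # both markers obtained
                break
    start = seen.find(b)
    end = seen.find(e, start + MARKER_LEN) if start != -1 else -1
    if end == -1:
        raise ValueError("markers not found: wrong key or no payload")
    return stream_xor(key, bytes(seen[start + MARKER_LEN:end]))


def mobiwear_embed(secret, watermark, cover, true_key, decoy_key, wm_name, cover_name):
    stego_wm = lsb_embed(watermark, secret, true_key, wm_name)    # step 1, true key
    return lsb_embed(cover, stego_wm, decoy_key, cover_name)      # step 2, decoy key


def mobiwear_extract(stego, true_key, decoy_key, wm_name, cover_name):
    stego_wm = lsb_extract(stego, decoy_key, cover_name)          # what a coerced user reveals
    return stego_wm, lsb_extract(stego_wm, true_key, wm_name)


# Constructed sample data: pseudo-random "image" bytes and constructed keys.
_rng = random.Random(7)
WATERMARK = bytes(_rng.randrange(256) for _ in range(1024))
COVER = bytes(_rng.randrange(256) for _ in range(16384))
SECRET = b"evidence: clip 0412 recorded at the checkpoint"
TRUE_KEY = hashlib.sha256(b"constructed true gesture").digest()
DECOY_KEY = hashlib.sha256(b"constructed decoy gesture").digest()


def demo():
    """Embed, then recover; also count how many cover bytes changed."""
    stego = mobiwear_embed(SECRET, WATERMARK, COVER, TRUE_KEY, DECOY_KEY, "wm.png", "cover.png")
    stego_wm, secret = mobiwear_extract(stego, TRUE_KEY, DECOY_KEY, "wm.png", "cover.png")
    changed = sum(1 for a, c in zip(COVER, stego) if a != c)
    return secret, stego_wm, changed


if __name__ == "__main__":
    recovered, _, changed = demo()
    print(recovered, changed)
```

Running `demo()` embeds the constructed secret and recovers it; extracting with only the decoy key yields exactly the stego-watermark a coerced user would hand over, while trying the true key on the stego-image fails because its markers do not match. Note the capacity arithmetic the text implies: the watermark must hold eight times the payload (message plus 64 marker bytes) and the cover must hold eight times the whole watermark, so the cover is the larger image by far.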

DCT-based encoding and decoding The steps for performing DCT-based encoding via a given key k are:

  • Encrypt the message via k, and add two special strings B and E to the beginning and the end of the encrypted message respectively (how to generate B and E has been described previously).

  • Convert P into a binary format.

  • Divide the content of the cover image into 8 × 8 non-overlapping pixel blocks.

  • Apply the discrete cosine transform (DCT) to each 8 × 8 pixel block. The DCT transforms each 8 × 8 pixel block into an 8 × 8 coefficient matrix. Let N be the total number of blocks, and \(C_i\) (i = 1, 2,..., N) denote each 8 × 8 coefficient matrix. Quantization is then applied to each \(C_i\) (i = 1, 2,..., N) through a quantization table.

  • The quantized coefficients in \(C_i\) are viewed as a sequence of bytes, and each bit of P is sequentially embedded into the least significant bit of each byte in \(C_i\). Practical schemes skip the DC coefficient and coefficients that quantize to zero, since modifying those is both visible and fragile.

  • Dequantize, apply the inverse DCT, and save the result as the stego image. Note that if the stego image is written back as integer pixels, the rounding after the inverse DCT can flip embedded bits; practical DCT-based schemes therefore keep the quantized coefficients themselves (as JPEG does) or use a more robust embedding rule than the raw LSB.

The steps for performing DCT-based decoding via a given key k are:

  • Re-generate the special strings B and E via k.

  • Divide the content of the stego image into 8 × 8 non-overlapping pixel blocks.

  • Apply the DCT to each 8 × 8 pixel block to obtain the coefficient matrices \(C_i\) (i = 1, 2,..., N).

  • Apply quantization to each \(C_i\) (i = 1, 2,..., N) through the same quantization table used for encoding.

  • Extract the least significant bit of each byte in \(C_i\) from the beginning, appending the resulting bits to P. The extraction terminates once both B and E have been obtained.

  • Extract the sub-message stored between B and E from P, and decrypt the sub-message using key k.

DWT-based encoding and decoding The encoding/decoding process of DWT is similar to that of DCT. The only difference is that the DWT divides the image into four sub-bands, LL, LH, HL, and HH. LL is the low-frequency (approximation) sub-band, while LH, HL, and HH are the high-frequency (detail) sub-bands. The secret message is usually hidden in the coefficients of the high-frequency sub-bands, since this provides better imperceptibility.

5.2.2 Entering keys to the wearable device

In \(\textsf{MobiWear}\), two different keys are needed, a decoy key and a true key. For usability, the keys can be generated on the fly from the corresponding passwords using PBKDF2 [14]: the decoy key is derived from the decoy password, and the true key from the true password. A practical issue is that using a keyboard/touchscreen to enter passwords is inconvenient on a wearable device. To address this, we rely on the sensors equipped on the device. Sensors measure physical properties and produce output signals, which can be utilized to derive passwords. For example, a sensor broadly equipped on wearable devices is the gyroscope, which measures the rotation rate around the x-, y-, and z-axes; by wearing a smartwatch and rotating his/her wrist in a particular way, a user can make the gyroscope produce specific values that form a password and, by rotating the wrist in the same manner again, the user can re-generate the same password.

To confirm that the gyroscope signals can be used to re-generate passwords robustly, we tested the gyroscope sensor of an LG G watch [54]. The gyroscope measures the rate of rotation in radians per second around the device's x, y, and z axes. The rotation angle is obtained by integrating the gyroscope output over time [55] (note that the rotation angle can also be read from the orientation sensor, which however has been deprecated since Android 2.2 [56]). We picked different rotation angles and checked whether we could re-generate those angles using the LG G watch. In practice, it is difficult to produce exactly a given angle by rotating the smartwatch. Therefore, we introduced a threshold: if the difference between the measured angle and the given angle is no more than the threshold, they are treated as equal. The experimental results are shown in Tables 1, 2, and 3, which correspond to thresholds of 0.5\(^{\circ }\), 1\(^{\circ }\), and 2\(^{\circ }\). The results confirm the robustness of using gyroscope signals to re-generate the key.

Table 1 Threshold = 0.5\(^{\circ }\). 5.5\(^{\circ }\) with threshold 0.5\(^{\circ }\) means that an input in the range 5\(^{\circ }\le\) x < 6\(^{\circ }\) is recognized as 5.5\(^{\circ }\) (the same rule applies to the other values). \(\surd\) indicates that the password could be successfully re-generated from the corresponding gyroscope signal under the threshold
Table 2 Threshold = 1\(^{\circ }\)
Table 3 Threshold = 2\(^{\circ }\)

5.2.3 User steps

The user steps are shown in Fig. 5. The user is required to enter the decoy password first and, if the decoy password is correct, \(\textsf{MobiWear}\) waits for a certain amount of time (e.g., a few seconds). If the true password is entered within this time window and it is correct, the secret sensitive data are extracted and displayed; otherwise, the stego-watermark is displayed. The password is a combination of the three axis values received from the gyroscope. We denote the password as x.y.z, where x, y, and z are the values measured along the x, y, and z axes of the gyroscope, respectively. During the check, each component (i.e., x, y, or z) of the password is compared separately, and the check succeeds only if all three components are correct (i.e., the difference between the measured value and the stored value is within the threshold). Although there is a short delay after entering the decoy password, this can plausibly be explained as system delay due to the limited computational power of a wearable device.
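As an added example (not code from the \(\textsf{MobiWear}\) paper or its prototype), the following Python sketches the password path described above and in this section: integrating constructed gyroscope samples into per-axis angles, mapping each angle to the centre of a bin of width twice the threshold as in Table 1, deriving a key from the resulting x.y.z password with PBKDF2, and running the decoy-then-true flow of Fig. 5. The sample rates, the salt, the iteration count and the time window are assumptions. The example makes one point explicit that the text does not: re-generating the same key without storing any reference requires quantizing to fixed bins, and a gesture that is within the threshold of the enrolled one but falls across a bin edge then yields a different key, so the tolerance check against a stored reference and the quantized key derivation do not accept exactly the same inputs.

```python
import hashlib
import math

# Constructed gyroscope samples (dt in seconds, then x/y/z rate in rad/s), standing in
# for the events delivered to onSensorChanged(). The values are made up for this example.
ENROLL_SAMPLES = [(0.05, 0.50, -0.30, 0.0)] * 4   # 0.1 rad about x, -0.06 rad about y
REPLAY_SAMPLES = [(0.05, 0.52, -0.30, 0.0)] * 4   # same gesture, slightly faster
EDGE_SAMPLES = [(0.05, 0.53, -0.30, 0.0)] * 4     # within 0.5 deg of ENROLL, but across a bin edge
SALT = b"mobiwear-example-salt"                   # constructed; a real salt is random per device


def integrate_rotation(samples):
    """Integrate angular rate over time to get the rotation angle per axis, in degrees."""
    angles = [0.0, 0.0, 0.0]
    for dt, rx, ry, rz in samples:
        for axis, rate in enumerate((rx, ry, rz)):
            angles[axis] += rate * dt
    return tuple(math.degrees(a) for a in angles)


def quantize(angle_deg, threshold_deg):
    """Map an angle to the centre of its bin of width 2*threshold, e.g. 5 <= x < 6 -> 5.5
    for threshold 0.5 (the rule stated for Table 1)."""
    width = 2.0 * threshold_deg
    return math.floor(angle_deg / width) * width + threshold_deg


def password_from_angles(angles, threshold_deg):
    """x.y.z password; ':' is used as separator here because the components carry decimals."""
    return ":".join(f"{quantize(a, threshold_deg):.1f}" for a in angles)


def matches(measured, stored, threshold_deg):
    """Per-component tolerance check against a stored reference, as in Sec. 5.2.3."""
    return all(abs(m - s) <= threshold_deg for m, s in zip(measured, stored))


def derive_key(password, salt, length=16, iterations=100_000):
    """PBKDF2-HMAC-SHA256 key derivation (AES-128 key size); the iteration count is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=length)


def user_steps(entries, decoy_ref, true_ref, threshold_deg, window_s):
    """Flow of Fig. 5. entries: list of (timestamp_s, angles). The first entry must match the
    decoy reference; a matching true entry within window_s seconds selects the secret data.
    Both references are kept in memory here only for illustration."""
    if not entries or not matches(entries[0][1], decoy_ref, threshold_deg):
        return "reject"
    t0 = entries[0][0]
    for t, angles in entries[1:]:
        if t - t0 > window_s:
            break
        if matches(angles, true_ref, threshold_deg):
            return "secret"
    return "watermark"


if __name__ == "__main__":
    enrolled = integrate_rotation(ENROLL_SAMPLES)
    pw = password_from_angles(enrolled, 0.5)
    print(pw, derive_key(pw, SALT).hex())                               # 5.5:-3.5:0.5 ...
    print(password_from_angles(integrate_rotation(REPLAY_SAMPLES), 0.5) == pw)   # True: same bin
    edge = integrate_rotation(EDGE_SAMPLES)
    print(matches(edge, enrolled, 0.5), password_from_angles(edge, 0.5) == pw)   # True False
```

The last line shows the bin-edge effect: the edge gesture passes the tolerance check against the stored reference, but its quantized password (and therefore the PBKDF2 key) differs. A deployment that stores a reference for the decoy password can afford the tolerance check; for the true password, storing a reference on the device would itself reveal that there is something to unlock, so deriving the key from the quantized password and testing it by attempting the extraction is the deniable option.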

Fig. 5 User steps

6 Security analysis and discussion

6.1 Security analysis

After having captured a victim wearable device, the adversary can obtain the stego-images from the device.

For each stego-image, the adversary can obtain the corresponding cover image according to our assumption (Sec. 4). By comparing the cover image with the stego-image, the adversary can find out that they differ and may suspect that secret data are hidden in the stego-image. The adversary then performs a coercive attack. The victim user discloses the decoy key and claims that an invisible watermark is hidden in the stego-image. By entering the decoy key into \(\textsf{MobiWear}\), the adversary obtains the stego-watermark, which is non-sensitive.

The adversary may further analyze the extracted stego-watermark. Note that the adversary cannot have access to the original watermark according to our assumption (Sec. 4). Therefore, the adversary can only perform steganalysis over the stego-watermark, hoping to identify the existence of the hidden sensitive data. This would not be feasible if a secure image steganography technique is used for encoding the sensitive data into the watermark.

Having obtained multiple snapshots of the victim device does not give the adversary any extra advantage in compromising deniability. In total, there are three cases that can change the stego-images stored on the victim device: (1) To write new hidden sensitive data, the user simply embeds them into a new cover image/watermark image. (2) To update the hidden sensitive data, the user embeds the new sensitive data into a new cover image/watermark image and deletes the old stego-image that stores the old sensitive data. (3) To delete the hidden sensitive data, the user simply deletes the corresponding stego-image. By comparing different snapshots, the adversary may observe that images have been added and removed over time, regardless of which operation (or combination of operations) was performed on the hidden sensitive data. Adding and removing images, however, is normal usage and not suspicious behavior.

6.2 Discussion

Avoid directly using watermark images for plausible information hiding We should not embed the sensitive data into watermark images and then store those watermark images directly on the wearable device. A watermark image is typically designed to identify the ownership of an image, so having many watermark images stored directly on a wearable device is itself suspicious behavior; watermark images embedded into cover images, on the other hand, are normal.

Deniability compromises in memory Hidden sensitive data may leave traces in memory and in the processor cache. By gaining access to those locations, the adversary may identify the existence of the hidden sensitive data, compromising deniability. An immediate mitigation is to power off the device to clear the traces of the hidden sensitive data from volatile RAM; this is problematic, however, because of the data remanence of RAM [57]. A stronger mitigation is to process the hidden sensitive data in a secure memory region isolated by ARM TrustZone [18].

Mitigating data corruption A PDE system is designed to ensure the confidentiality of the sensitive data. It cannot prevent the data from being corrupted, since the adversary can capture and fully control the victim device. To mitigate corruption of hidden sensitive data, the user should periodically back them up to other computing devices.

Image quality of steganography Image quality is a critical criterion for evaluating the performance of steganography. It is closely related to the amount of secret data concealed within the cover image. For the LSB technique, experimental findings from [58] suggest that a secret data ratio of 12.5\(\%\) achieves the best image quality, as measured by Mean Square Error (MSE) and Peak Signal-to-Noise Ratio (PSNR). Compared to the LSB technique, other methods like DCT-based image steganography can enhance image quality while preserving the same ratio of secret data [59].

7 Implementation and evaluation

Implementation We have implemented a prototype of \(\textsf{MobiWear}\) on the LG G watch. A demo of our prototype can be found in [60]. The LG G watch is equipped with a Qualcomm Snapdragon 400 processor, 512MB of memory and 4GB of flash storage. The default operating system is Android Wear 1.5.0. To enable password authentication without typed input, we use the three axes of the gyroscope sensor in the watch: a listener for the gyroscope is registered via registerListener(), and the three axis values are read from each sensor event delivered to onSensorChanged() [61]. For image steganography, we relied on an open-source image steganography library [62], which implements the LSB technique for Android. The encryption is instantiated with AES-128.

Evaluating the computational overhead We evaluate the computational time needed by \(\textsf{MobiWear}\) for embedding/extracting data under different lengths of the secret data, while fixing the size of both the cover image and the watermark image. The results are shown in Fig. 6. We can observe that: (1) For longer secret data, \(\textsf{MobiWear}\) needs more time for embedding/extracting. This is because, for longer secret data, \(\textsf{MobiWear}\) must embed/extract more secret bits into/from the watermark image, which increases the time, whereas the time needed for embedding/extracting the watermark image into/from the cover image stays about the same. (2) Extracting the secret data is slower than hiding them. This is because, when embedding the data to generate the stego-watermark and the stego-image, two flags marking the beginning and the end of the data are added; when extracting, we must decrypt the LSB bits unit by unit until the end flag is found, which costs extra time for decrypting more data and locating the end flag.

Fig. 6 Computational time needed for hiding and extracting sensitive data when the size of the cover image and the watermark image is fixed (the cover image is 1.5MB in size, and the watermark image is 20KB in size)
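The two-layer embedding, the begin/end flags and the MSE/PSNR measure discussed above can be seen together in the following Python, written for this page as an added example; it is not the prototype's code and does not use the steganography library [62]. The images are constructed flat lists of 8-bit pixels, the keys are constructed byte strings (in \(\textsf{MobiWear}\) they are derived from the gyroscope passwords), and the secret is plaintext where \(\textsf{MobiWear}\) would embed AES-128 ciphertext. The key selects the order in which pixels are visited, so reading with the wrong key does not find the begin flag. Because ciphertext can contain any byte value, the example adds a 2-byte length after the begin flag and uses the end flag only as a check, instead of scanning for the end flag alone as the prototype does; the flag values are assumptions.

```python
import hashlib
import math
import random

BEGIN = b"\x02"   # begin flag (constructed: the paper does not give its flag values)
END = b"\x03"     # end flag

_rng = random.Random(1)
COVER = [_rng.randrange(256) for _ in range(2000)]       # constructed 8-bit cover, 2000 pixels
WATERMARK = [_rng.randrange(256) for _ in range(128)]    # constructed 8-bit watermark, 128 pixels
SECRET = b"meet at 0600"           # constructed; in MobiWear this is the AES-128 ciphertext
DECOY_KEY = b"decoy-key-example"   # constructed; in MobiWear derived from the decoy password
TRUE_KEY = b"true-key-example"     # constructed; derived from the true password


def _order(key, n):
    """Key-dependent pixel order: without the key the LSBs are read in the wrong sequence."""
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    order = list(range(n))
    random.Random(seed).shuffle(order)
    return order


def _bits(data):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def lsb_embed(pixels, data, key):
    """Write BEGIN | 2-byte length | data | END into the LSBs of the pixels chosen by key."""
    if len(data) > 0xFFFF:
        raise ValueError("payload too long for a 2-byte length field")
    payload = BEGIN + len(data).to_bytes(2, "big") + data + END
    if len(payload) * 8 > len(pixels):
        raise ValueError("image too small for payload")
    stego = list(pixels)
    for pos, bit in zip(_order(key, len(pixels)), _bits(payload)):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return stego


def lsb_extract(pixels, key):
    """Read LSBs in key order; returns None unless BEGIN, the length and END are where expected."""
    out, byte, length = bytearray(), 0, None
    for i, pos in enumerate(_order(key, len(pixels))):
        byte = (byte << 1) | (pixels[pos] & 1)
        if i % 8 != 7:
            continue
        out.append(byte)
        byte = 0
        if len(out) == 1:
            if out[0] != BEGIN[0]:
                return None                      # no begin flag: wrong key or no payload
        elif len(out) == 3:
            length = int.from_bytes(out[1:3], "big")
            if 4 + length > len(pixels) // 8:
                return None                      # claimed length cannot fit in this image
        elif length is not None and len(out) == 4 + length:
            return bytes(out[3:-1]) if out[-1] == END[0] else None
    return None


def hide(cover, watermark, secret, decoy_key, true_key):
    """Two layers: secret -> stego-watermark (true key); stego-watermark -> stego-cover (decoy key)."""
    stego_wm = lsb_embed(watermark, secret, true_key)
    return lsb_embed(cover, bytes(stego_wm), decoy_key)


def reveal_watermark(stego_cover, decoy_key):
    """What the coerced user shows: the stego-watermark, recovered with the decoy key."""
    wm = lsb_extract(stego_cover, decoy_key)
    return None if wm is None else list(wm)


def reveal_secret(stego_cover, decoy_key, true_key):
    """Both keys: the decoy key reaches the stego-watermark, the true key reaches the secret."""
    wm = reveal_watermark(stego_cover, decoy_key)
    return None if wm is None else lsb_extract(wm, true_key)


def mse(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) / len(a)


def psnr(a, b, peak=255):
    m = mse(a, b)
    return math.inf if m == 0 else 10 * math.log10(peak ** 2 / m)


if __name__ == "__main__":
    stego = hide(COVER, WATERMARK, SECRET, DECOY_KEY, TRUE_KEY)
    print(reveal_secret(stego, DECOY_KEY, TRUE_KEY))     # b'meet at 0600'
    print(reveal_secret(stego, DECOY_KEY, DECOY_KEY))    # not the secret: wrong true key
    print(f"MSE={mse(COVER, stego):.3f} PSNR={psnr(COVER, stego):.1f} dB")
```

Since LSB replacement changes each touched pixel by at most 1, the MSE against the cover is bounded by 1 and the PSNR by about 48 dB from below; embedding one payload bit per 8-bit pixel is the 12.5% ratio referred to above. Extraction with the wrong key stops at the missing begin flag, which is the behaviour the user relies on when handing over only the decoy key.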

We also evaluate how the sizes of the watermark image and the cover image affect the time for embedding/extracting secret data. We fix the length of the secret data at 20 bytes and measure the embedding/extracting time under different sizes of the watermark and the cover image. The results are shown in Fig. 7. We can observe that: (1) The time for embedding/extracting the secret data increases slightly as the size of the cover/watermark image increases. This is because both the cover and the watermark image must be loaded into memory for processing, which slightly increases the computational time. (2) Extracting the secret data takes longer than embedding them, for the reason discussed above.

Fig. 7 Computational time needed for hiding and extracting sensitive data when the size of both the watermark image and the cover image varies. For the x-axis, (a,b) represents (size of watermark image in KBs, size of cover image in MBs)

When encoding the sensitive data into the watermark image via image steganography, we suggest using more secure image steganography techniques instead of LSB. We therefore also evaluate the computation needed by other steganography techniques, namely DCT and DWT. We did not implement DCT and DWT on the LG G watch. Instead, we compare the computational time needed by DCT/DWT with that of LSB on a laptop equipped with an Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz, 8 GB of RAM, and Ubuntu 18.04. The results are shown in Table 4. We can observe that: (1) Both DCT and DWT are more expensive than LSB for encoding/decoding. This is because both DCT and DWT involve more complex mathematical operations (e.g., dividing the image into blocks or sub-bands), which require more computation. (2) DCT is much more expensive than DWT. This is because the computational complexity of the DWT (O(N) [63]) is generally lower than that of the DCT (\(O(N^2\log_2 N)\) [64]).

Table 4 The computational overhead of DCT and DWT when encoding/decoding secret data into/from the watermark image. Each value represents a ratio between the time needed for the DCT/DWT of each corresponding operation and that needed for LSB running in the same computer

Evaluating the SSIM We measure the SSIM (Sec. 3.5) when encoding the secret data into the watermark image using the three image steganography techniques LSB, DCT, and DWT, respectively. We gathered a collection of 51 images with file sizes between 200KB and 500KB, and encoded secret data of different sizes (20 bytes, 40 bytes and 60 bytes). The results are shown in Figs. 8, 9, and 10. All SSIM values are no less than 0.99, which indicates that the resulting stego-watermarks are similar to the original watermarks after encoding the secret data with any of the steganography techniques, i.e., the perceived quality of the watermark images does not degrade noticeably.

Fig. 8 SSIM value with 20 bytes embedded in the watermark image

Fig. 9 SSIM value with 40 bytes embedded in the watermark image

Fig. 10 SSIM value with 60 bytes embedded in the watermark image
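To make the SSIM comparison above reproducible at a small scale, here is an added example (not the paper's code) that computes a global, single-window SSIM between a constructed 8-bit watermark and stego-watermarks carrying 20, 40 and 60 bytes written into the pixels' least significant bits, the three payload sizes of Figs. 8, 9 and 10. It uses the standard constants K1 = 0.01, K2 = 0.03 and a dynamic range of 255; the watermark pixels and the payload bits are constructed, and the definition in Sec. 3.5 is the one the paper's numbers are based on.

```python
import random

_rng = random.Random(7)
WATERMARK = [_rng.randrange(256) for _ in range(1024)]   # constructed 32x32 8-bit watermark


def embed_lsb_bits(pixels, n_bytes, seed):
    """Constructed stego-watermark: overwrite the LSB of the first 8*n_bytes pixels with payload bits."""
    payload = random.Random(seed)
    out = list(pixels)
    for i in range(8 * n_bytes):
        out[i] = (out[i] & 0xFE) | payload.getrandbits(1)
    return out


def _cov(a, b, mu_a, mu_b):
    """Sample covariance; with a == b this is the sample variance."""
    return sum((x - mu_a) * (y - mu_b) for x, y in zip(a, b)) / (len(a) - 1)


def ssim(a, b, peak=255, k1=0.01, k2=0.03):
    """Global SSIM: luminance, contrast and structure terms computed over the whole image."""
    n = len(a)
    mu_a, mu_b = sum(a) / n, sum(b) / n
    var_a = _cov(a, a, mu_a, mu_a)
    var_b = _cov(b, b, mu_b, mu_b)
    cov = _cov(a, b, mu_a, mu_b)
    c1, c2 = (k1 * peak) ** 2, (k2 * peak) ** 2
    return ((2 * mu_a * mu_b + c1) * (2 * cov + c2)) / (
        (mu_a ** 2 + mu_b ** 2 + c1) * (var_a + var_b + c2))


def ssim_by_payload(pixels, sizes=(20, 40, 60)):
    """SSIM between the watermark and stego-watermarks with 20/40/60 embedded bytes."""
    return {n: ssim(pixels, embed_lsb_bits(pixels, n, seed=n)) for n in sizes}


if __name__ == "__main__":
    for n, value in ssim_by_payload(WATERMARK).items():
        print(f"{n} bytes embedded: SSIM = {value:.5f}")
```

For LSB replacement the contrast/structure term reduces to 1 minus the variance of the per-pixel error over (var_a + var_b + C2), so with errors of at most 1 on a fraction of the pixels the SSIM stays far above the 0.99 floor reported above; a windowed SSIM would be lower in windows where the embedded pixels concentrate, which is why the embedding order matters for the measured quality.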

8 Conclusion

In this work, we have designed \(\textsf{MobiWear}\), an application-layer plausibly deniable encryption system for wearable mobile devices. \(\textsf{MobiWear}\) uses image steganography and watermarking to hide sensitive data, and uses the integrated sensors to input passwords. The experimental results indicate that \(\textsf{MobiWear}\) achieves deniability with small overhead and negligible degradation of the perceived image quality.