Abstract
Modern smartphone sensors can be leveraged for providing novel functionality and greatly improving the user experience. However, sensor data can be misused by privacy-invasive or malicious entities. Additionally, a wide range of other attacks that use mobile sensor data have been demonstrated; while those attacks have typically relied on users installing malicious apps, browsers have eliminated that constraint with the deployment of HTML5 WebAPI.
In this article, we conduct a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users by conducting a large-scale study of mobile-specific HTML5 WebAPI calls across more than 183K of the most popular websites. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. In detail, our system intercepts and tracks data access in real time, from the WebAPI JavaScript calls down to the Android system calls. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% of websites accessing at least one sensor. To provide a comprehensive assessment of the risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites can carry out at least one attack and emphasize the need for a standardized policy across all browsers and the ability for users to control what sensor data each website can access.
Index Terms
- The Seven Deadly Sins of the HTML5 WebAPI: A Large-scale Study on the Risks of Mobile Sensor-based Attacks