
The Seven Deadly Sins of the HTML5 WebAPI: A Large-scale Study on the Risks of Mobile Sensor-based Attacks

Published: 06 July 2020

Abstract

Modern smartphone sensors can be leveraged for providing novel functionality and greatly improving the user experience. However, sensor data can be misused by privacy-invasive or malicious entities. Additionally, a wide range of other attacks that use mobile sensor data have been demonstrated; while those attacks have typically relied on users installing malicious apps, browsers have eliminated that constraint with the deployment of the HTML5 WebAPI.

In this article, we conduct a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users by conducting a large-scale study of mobile-specific HTML5 WebAPI calls across more than 183K of the most popular websites. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. In detail, our system intercepts and tracks data access in real time, from the WebAPI JavaScript calls down to the Android system calls. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% of websites accessing at least one sensor. To provide a comprehensive assessment of the risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites can carry out at least one attack and emphasize the need for a standardized policy across all browsers and the ability for users to control what sensor data each website can access.

  127. Chenren Xu, Sugang Li, Gang Liu, Yanyong Zhang, Emiliano Miluzzo, Yih-Farn Chen, Jun Li, and Bernhard Firner. 2013. Crowd++: Unsupervised speaker count with smartphones. In Proceedings of the ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp’13). ACM, New York, NY, 43--52. DOI:https://doi.org/10.1145/2493432.2493435Google ScholarGoogle ScholarDigital LibraryDigital Library
  128. Zhi Xu, Kun Bai, and Sencun Zhu. 2012. Taplogger: Inferring user inputs on smartphone touchscreens using on-board motion sensors. In Proceedings of the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks.Google ScholarGoogle ScholarDigital LibraryDigital Library
  129. Shuochao Yao, Shaohan Hu, Yiran Zhao, Aston Zhang, and Tarek Abdelzaher. 2017. DeepSense: A unified deep learning framework for time-series mobile sensing data processing. In Proceedings of the 26th International Conference on World Wide Web (WWW’17). International World Wide Web Conferences Steering Committee, 351--360. DOI:https://doi.org/10.1145/3038912.3052577Google ScholarGoogle ScholarDigital LibraryDigital Library
  130. Jiexin Zhang, Alastair Beresford, and Ian Sheret. 2019. Sensorid: Sensor calibration fingerprinting for smartphones. In Proceedings of the IEEE Symposium on Security and Privacy (SP’19).Google ScholarGoogle ScholarCross RefCross Ref
  131. Zhe Zhou, Wenrui Diao, Xiangyu Liu, and Kehuan Zhang. 2014. Acoustic fingerprinting revisited: Generate stable device ID stealthily with inaudible sound. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. ACM, 429--440.Google ScholarGoogle ScholarDigital LibraryDigital Library
  132. Tong Zhu, Qiang Ma, Shanfeng Zhang, and Yunhao Liu. 2014. Context-free attacks using keyboard acoustic emanations. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’14). ACM, New York, NY, 453--464. DOI:https://doi.org/10.1145/2660267.2660296Google ScholarGoogle ScholarDigital LibraryDigital Library
  133. John Zulueta, Andrea Piscitello, Mladen Rasic, Rebecca Easter, Pallavi Babu, Scott A. Langenecker, Melvin McInnis, Olusola Ajilore, Peter C. Nelson, Kelly Ryan, et al. 2018. Predicting mood disturbance severity with mobile phone keystroke metadata: A BiAffect digital phenotyping study. J. Med. Internet Res. 20, 7 (2018).Google ScholarGoogle ScholarCross RefCross Ref


      • Published in

        ACM Transactions on Privacy and Security  Volume 23, Issue 4
        November 2020
        196 pages
        ISSN:2471-2566
        EISSN:2471-2574
        DOI:10.1145/3409662

        Copyright © 2020 ACM

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        • Published: 6 July 2020
        • Accepted: 1 May 2020
        • Revised: 1 February 2020
        • Received: 1 September 2019

        Qualifiers

        • research-article
        • Research
        • Refereed
