Making sense of sensors: mobile sensor security awareness and education

Mobile sensors have already proved helpful in many aspects of people's everyday lives, such as fitness, gaming, and navigation. However, illegitimate access to these sensors gives a running malicious program an exploit path. While users benefit from richer and more personalized apps, the growing number of sensors introduces new security and privacy risks to end users and makes the task of sensor management more complex. In this paper, we first discuss the issues around the security and privacy of mobile sensors. Second, we reflect on the results of a workshop that we organized on mobile sensor security. In this workshop, the participants were introduced to mobile sensors by working with sensor-enabled apps. We evaluated the risk levels that the participants perceived for these sensors after they had learned the sensors' functionalities. The results show that getting to know sensors by working with sensor-enabled apps does not immediately improve users' security inference of the actual risks of these sensors. Finally, we provide recommendations for educators, app developers, and mobile users to contribute toward awareness and education on this topic.
