Effective Mobile Web User Fingerprinting via Motion Sensors

Motion sensors are often equipped on smartphones to enable rich app functionality and interactivity. However, they can also be exploited by attackers as powerful side-channels to compromise users' security and privacy due to the unrestricted sensor data access on modern smartphone platforms. In this paper, we investigate motion sensor based user fingerprinting attacks that can be pervasively performed to severely compromise the privacy of mobile web users. We formulate our user fingerprinting attacks as a typical multi-class classification problem, and design a framework with unified classifiers for effectively performing the attacks. We implement our attacking framework and evaluate it using the motion sensor data collected from 20 volunteers. The evaluation results demonstrate that our attacks are indeed very effective. For example, the user fingerprinting accuracy is higher than 85% by using a classifier unified from seven randomly selected individual classifiers each trained with the motion sensor data of only 10 letter keystrokes.

[1]  Haining Wang,et al.  A measurement study of insecure javascript practices on the web , 2013, TWEB.

[2]  Zhi Xu,et al.  TapLogger: inferring user inputs on smartphone touchscreens using on-board motion sensors , 2012, WISEC '12.

[3]  Gabi Nakibly,et al.  Mobile Device Identification via Sensor Fingerprinting , 2014, ArXiv.

[4]  Chris Jay Hoofnagle,et al.  Flash Cookies and Privacy , 2009, AAAI Spring Symposium: Intelligent Information Privacy Management.

[5]  Qi Han,et al.  Cross-site Input Inference Attacks on Mobile Web Users , 2017, SecureComm.

[6]  Arvind Narayanan,et al.  The Web Never Forgets: Persistent Tracking Mechanisms in the Wild , 2014, CCS.

[7]  Nikita Borisov,et al.  Do You Hear What I Hear?: Fingerprinting Smart Devices Through Embedded Acoustic Components , 2014, CCS.

[8]  Xiangyu Liu,et al.  Acoustic Fingerprinting Revisited: Generate Stable Device ID Stealthily with Inaudible Sound , 2014, CCS.

[9]  Chuan Yue Sensor-Based Mobile Web Fingerprinting and Cross-Site Input Inference Attacks , 2016, 2016 IEEE Security and Privacy Workshops (SPW).

[10]  Peter Eckersley,et al.  How Unique Is Your Web Browser? , 2010, Privacy Enhancing Technologies.

[11]  Wenyuan Xu,et al.  AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable , 2014, NDSS.

[12]  Hao Chen,et al.  On the Practicality of Motion Based Keystroke Inference Attack , 2012, TRUST.

[13]  David Wetherall,et al.  Detecting and Defending Against Third-Party Tracking on the Web , 2012, NSDI.

[14]  Adam J. Aviv,et al.  Practicality of accelerometer side channels on smartphones , 2012, ACSAC '12.

[15]  Nikita Borisov,et al.  Tracking Mobile Web Users Through Motion Sensors: Attacks and Defenses , 2016, NDSS.

[16]  Romit Roy Choudhury,et al.  Tapprints: your finger taps have fingerprints , 2012, MobiSys '12.

[17]  Hovav Shacham,et al.  Pixel Perfect : Fingerprinting Canvas in HTML 5 , 2012 .

[18]  Wouter Joosen,et al.  Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting , 2013, 2013 IEEE Symposium on Security and Privacy.