TouchSignatures: Identification of User Touch Actions and PINs Based on Mobile Sensor Data via JavaScript

TY - JOUR

T1 - TouchSignatures

T2 - Identification of User Touch Actions and PINs Based on Mobile Sensor Data via JavaScript

AU - Mehrnezhad, Maryam

AU - Toreini, Ehsan

AU - Shahandashti, Siamak F.

AU - Hao, Feng

PY - 2016/2

Y1 - 2016/2

N2 - Conforming to W3C specifications, mobile web browsers allow JavaScript code in a web page to access motion and orientation sensor data without the user's permission. The associated risks to user security and privacy are however not considered in W3C specifications. In this work, for the first time, we show how user security can be compromised using these sensor data via browser, despite that the data rate is 3 to 5 times slower than what is available in app. We examine multiple popular browsers on Android and iOS platforms and study their policies in granting permissions to JavaScript code with respect to access to motion and orientation sensor data. Based on our observations, we identify multiple vulnerabilities, and propose TouchSignatures which implements an attack where malicious JavaScript code on an attack tab listens to such sensor data measurements. Based on these streams, TouchSignatures is able to distinguish the user's touch actions (i.e., tap, scroll, hold, and zoom) and her PINs, allowing a remote website to learn the client-side user activities. We demonstrate the practicality of this attack by collecting data from real users and reporting high success rates using our proof-of-concept implementations. We also present a set of potential solutions to address the vulnerabilities. The W3C community and major mobile browser vendors including Mozilla, Google, Apple and Opera have acknowledge our work and are implementing some of our proposed countermeasures.

AB - Conforming to W3C specifications, mobile web browsers allow JavaScript code in a web page to access motion and orientation sensor data without the user's permission. The associated risks to user security and privacy are however not considered in W3C specifications. In this work, for the first time, we show how user security can be compromised using these sensor data via browser, despite that the data rate is 3 to 5 times slower than what is available in app. We examine multiple popular browsers on Android and iOS platforms and study their policies in granting permissions to JavaScript code with respect to access to motion and orientation sensor data. Based on our observations, we identify multiple vulnerabilities, and propose TouchSignatures which implements an attack where malicious JavaScript code on an attack tab listens to such sensor data measurements. Based on these streams, TouchSignatures is able to distinguish the user's touch actions (i.e., tap, scroll, hold, and zoom) and her PINs, allowing a remote website to learn the client-side user activities. We demonstrate the practicality of this attack by collecting data from real users and reporting high success rates using our proof-of-concept implementations. We also present a set of potential solutions to address the vulnerabilities. The W3C community and major mobile browser vendors including Mozilla, Google, Apple and Opera have acknowledge our work and are implementing some of our proposed countermeasures.

KW - Mobile sensors

KW - JavaScript attack

KW - Mobile browsers

KW - Mobile security

KW - Touch actions

KW - PIN

KW - PINs

UR - http://www.scopus.com/inward/record.url?scp=84957715623&partnerID=8YFLogxK

U2 - 10.1016/j.jisa.2015.11.007

DO - 10.1016/j.jisa.2015.11.007

M3 - Article

SN - 2214-2126

VL - 26

SP - 23

EP - 38

JO - Journal of Information Security and Applications

JF - Journal of Information Security and Applications

ER -