Skip to main content
SpringerLink
Log in

Security Analysis of Mobile Web Browser Hardware Accessibility: Study with Ambient Light Sensors

  • Conference paper
  • First Online:
Book cover Information Security Applications (WISA 2018)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11402))

Included in the following conference series:

Abstract

Mobile web browsers are evolved to support the functionalities presented by HTML5. With the hardware accessibility of HTML5, it is now possible to access sensor hardware of a mobile device through a web page regardless of the need for a mobile application. In this paper, we analyze the security impact of accessing sensor hardware of a mobile device from mobile web page. First, we present the test results of hardware accessibility from mobile web browsers. Second, to raise awareness of the seriousness of hardware accessibility, we introduce a new POC attack LightTracker which infers the victim’s location using light sensor. We also show the effectiveness of the attack in real world.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Aviv, A.J., Sapp, B., Blaze, M., Smith, J.M.: Practicality of accelerometer side channels on smartphones. In: Proceedings of the 28th Annual Computer Security Applications Conference, pp. 41–50. ACM (2012)

    Google Scholar 

  2. Cai, L., Chen, H.: TouchLogger: inferring keystrokes on touch screen from smartphone motion. HotSec 11, 9 (2011)

    Google Scholar 

  3. Cai, L., Chen, H.: On the practicality of motion based keystroke inference attack. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) Trust 2012. LNCS, vol. 7344, pp. 273–290. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30921-2_16

    Chapter  Google Scholar 

  4. Das, A., Borisov, N., Caesar, M.: Tracking mobile web users through motion sensors: attacks and defenses. In: Proceedings of the 23rd Annual Network and Distributed System Security Symposium (NDSS) (2016)

    Google Scholar 

  5. Dey, S., Roy, N., Xu, W., Choudhury, R.R., Nelakuditi, S.: AccelPrint: imperfections of accelerometers make smartphones trackable. In: NDSS (2014)

    Google Scholar 

  6. Diao, W., Liu, X., Zhou, Z., Zhang, K.: Your voice assistant is mine: how to abuse speakers to steal information and control your phone. In: Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices, pp. 63–74. ACM (2014)

    Google Scholar 

  7. Han, J., Owusu, E., Nguyen, L.T., Perrig, A., Zhang, J.: ACComplice: location inference using accelerometers on smartphones. In: 2012 Fourth International Conference on Communication Systems and Networks (COMSNETS), pp. 1–9. IEEE (2012)

    Google Scholar 

  8. HTML5TEST: how well does your browser support HTML5? (2017). https://html5test.com/results/mobile.html

  9. Kwapisz, J.R., Weiss, G.M., Moore, S.A.: Activity recognition using cell phone accelerometers. ACM SigKDD Explor. Newsl. 12(2), 74–82 (2011)

    Article  Google Scholar 

  10. Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 878–894. IEEE (2016)

    Google Scholar 

  11. Mehrnezhad, M., Toreini, E., Shahandashti, S.F., Hao, F.: TouchSignatures: identification of user touch actions and PINs based on mobile sensor data via JavaScript. J. Inf. Secur. Appl. 26, 23–38 (2016)

    Google Scholar 

  12. Michalevsky, Y., Boneh, D., Nakibly, G.: Gyrophone: recognizing speech from gyroscope signals. In: USENIX Security, pp. 1053–1067 (2014)

    Google Scholar 

  13. Michalevsky, Y., Schulman, A., Veerapandian, G.A., Boneh, D., Nakibly, G.: PowerSpy: location tracking using mobile device power analysis. In: USENIX Security, pp. 785–800 (2015)

    Google Scholar 

  14. Miluzzo, E., Varshavsky, A., Balakrishnan, S., Choudhury, R.R.: TapPrints: your finger taps have fingerprints. In: Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services, pp. 323–336. ACM (2012)

    Google Scholar 

  15. Mowery, K., Shacham, H.: Pixel perfect: fingerprinting canvas in HTML5. In: Proceedings of W2SP, pp. 1–12 (2012)

    Google Scholar 

  16. Narain, S., Sanatinia, A., Noubir, G.: Single-stroke language-agnostic keylogging using stereo-microphones and domain specific machine learning. In: Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless & Mobile Networks, pp. 201–212. ACM (2014)

    Google Scholar 

  17. Narain, S., Vo-Huu, T.D., Block, K., Noubir, G.: Inferring user routes and locations using zero-permission mobile sensors. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 397–413. IEEE (2016)

    Google Scholar 

  18. Narain, S., Vo-Huu, T.D., Block, K., Noubir, G.: The perils of user tracking using zero-permission mobile apps. IEEE Secur. Priv. 15(2), 32–41 (2017)

    Article  Google Scholar 

  19. NETMARKETSHARE: Mobile/tablet top browser share trend (2017). https://www.netmarketshare.com/browser-market-share.aspx?qprid=1&qpcustomb=1

  20. Olejnik, Ł., Acar, G., Castelluccia, C., Diaz, C.: The leaking battery. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/QASA -2015. LNCS, vol. 9481, pp. 254–263. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29883-2_18

    Chapter  Google Scholar 

  21. Owusu, E., Han, J., Das, S., Perrig, A., Zhang, J.: Accessory: password inference using accelerometers on smartphones. In: Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications, p. 9. ACM (2012)

    Google Scholar 

  22. Simon, L., Anderson, R.: PIN skimmer: inferring PINs through the camera and microphone. In: Proceedings of the Third ACM Workshop on Security and Privacy in Smartphones & Mobile Devices, pp. 67–78. ACM (2013)

    Google Scholar 

  23. Spreitzer, R.: PIN skimming: exploiting the ambient-light sensor in mobile devices. In: Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices, pp. 51–62. ACM (2014)

    Google Scholar 

  24. Van Goethem, T., Joosen, W., Nikiforakis, N.: The clock is still ticking: timing attacks in the modern web. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1382–1393. ACM (2015)

    Google Scholar 

  25. World Wide Web Consortium: Battery status API (2016). https://www.w3.org/TR/battery-status/

  26. World Wide Web Consortium: Geolocation API specification, 2nd (edn.) (2016). https://www.w3.org/TR/geolocation-API/

  27. World Wide Web Consortium: Vibration API, 2nd (edn.) (2016). https://www.w3.org/TR/vibration/

  28. World Wide Web Consortium: Ambient light sensor (2017). https://www.w3.org/TR/ambient-light/

  29. World Wide Web Consortium: HTML media capture (2017). https://www.w3.org/TR/html-media-capture/

  30. World Wide Web Consortium: Motion sensors explainer (2017). https://www.w3.org/TR/motion-sensors/

  31. Xu, Z., Bai, K., Zhu, S.: TapLogger: inferring user inputs on smartphone touchscreens using on-board motion sensors. In: Proceedings of the Fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, pp. 113–124. ACM (2012)

    Google Scholar 

  32. Yue, C.: Sensor-based mobile web fingerprinting and cross-site input inference attacks. In: 2016 IEEE Security and Privacy Workshops (SPW), pp. 241–244. IEEE (2016)

    Google Scholar 

Download references

Acknowledgement

This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIP) (No. 2017R1A2B4010914).

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, Pohang University of Science and Technology (POSTECH), Pohang, South Korea

    Sanghak Lee, Sangwoo Ji & Jong Kim

  2. Defense Industry Technology Center (DITC), Pohang, South Korea

    Sanghak Lee

Authors
  1. Sanghak Lee
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sangwoo Ji
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jong Kim
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jong Kim .

Editor information

Editors and Affiliations

  1. Korea Advanced Institute of Science and Technology, Daejeon, Korea (Republic of)

    Brent ByungHoon Kang

  2. Korea Advanced Institute of Science and Technology, Daejeon, Korea (Republic of)

    JinSoo Jang

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Lee, S., Ji, S., Kim, J. (2019). Security Analysis of Mobile Web Browser Hardware Accessibility: Study with Ambient Light Sensors. In: Kang, B., Jang, J. (eds) Information Security Applications. WISA 2018. Lecture Notes in Computer Science(), vol 11402. Springer, Cham. https://doi.org/10.1007/978-3-030-17982-3_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-17982-3_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-17981-6

  • Online ISBN: 978-3-030-17982-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation