Abstract
Sensors play a vital role in smartphones, supporting sensing-enabled mobile activities and applications. Different sources, such as mobile applications and websites, access the sensors and use them for various purposes. The user needs permission to access the permission-imposed sensors. Using the generic sensor application programming interface, the user can access the no-permission-imposed sensors directly without any permission. Attackers target these sensors and make smartphones vulnerable at the application, device and network levels. The attackers access the sensors' information and use it for purposes such as personal identification number identification and theft of the user's personal information. This paper presents STMAD, a novel allowlist-based intrusion prevention system that mitigates sensor-based threats on smartphones by detecting malicious access by an attacker through different channels. STMAD functions as a lightweight preventive mechanism for all sensors on the smartphone and prevents attackers from accessing sensors maliciously. The experimental results show that the proposed defense mechanism is more efficient and incurs minimal overhead. An informal security analysis also proved that STMAD protects against various attacks.


Ethics declarations
Conflict of interest
On behalf of all authors, the corresponding author states that there is no conflict of interest.
Data availability
The datasets analyzed during the current study are available from the corresponding author on reasonable request.
Cite this article
Manimaran, S., Sastry, V.N. & Gopalan, N.P. STMAD: sensor-based threat’s mitigation on smartphones using allowlist and denylist. J Supercomput 78, 16336–16363 (2022). https://doi.org/10.1007/s11227-022-04523-2
DOI: https://doi.org/10.1007/s11227-022-04523-2