skip to main content
10.1145/2714576.2714650acmconferencesArticle/Chapter ViewAbstractPublication Pagesasia-ccsConference Proceedingsconference-collections
poster

TouchSignatures: Identification of User Touch Actions based on Mobile Sensors via JavaScript

Published: 14 April 2015 Publication History

Abstract

Conforming to the recent W3C specifications (www.w3.org/TR/orientation-event), modern mobile web browsers generally allow JavaScript code in a web page to access motion and orientation sensor data without the user's permission. The associated risks to user privacy are however not considered in W3C specifications. In this work, for the first time, we show how user privacy can be compromised using device motion and orientation sensor data available in-browser, despite the fact that the data rate is 5 to 10 times slower than what is attainable in-app. We examine different browsers on the Android and iOS platforms and study their policies in granting permissions to JavaScript code with respect to access to motion and orientation sensor data and identify multiple vulnerabilities. Based on our findings, we propose TouchSignatures, implementation of an attack in which malicious JavaScript code on an inactive tab listens to such sensor data measurements. Based on these streams, TouchSignatures is able to distinguish the user's touch actions (e.g., tap, scroll, hold, and zoom) on an active tab, allowing the remote website to learn the client-side user activities. Finally, we demonstrate the practicality of this attack by collecting real-world user data and reporting high success rates using our proof-of-concept implementation.

Cited By

View all
  • (2023)A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW59978.2023.00034(270-280)Online publication date: Jul-2023
  • (2020)MISSILE: A System of Mobile Inertial Sensor-Based Sensitive Indoor Location EavesdroppingIEEE Transactions on Information Forensics and Security10.1109/TIFS.2019.294403415(3137-3151)Online publication date: 2020
  • (2019)What Is This Sensor and Does This App Need Access to It?Informatics10.3390/informatics60100076:1(7)Online publication date: 24-Jan-2019
  • Show More Cited By

Index Terms

  1. TouchSignatures: Identification of User Touch Actions based on Mobile Sensors via JavaScript

      Recommendations

      Comments

      Information & Contributors

      Information

      Published In

      cover image ACM Conferences
      ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
      April 2015
      698 pages
      ISBN:9781450332453
      DOI:10.1145/2714576
      Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

      Sponsors

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 14 April 2015

      Check for updates

      Author Tags

      1. classifier
      2. javascript attack
      3. mobile browser
      4. mobile sensors
      5. touch actions
      6. user privacy

      Qualifiers

      • Poster

      Funding Sources

      • ERC Starting Grant

      Conference

      ASIA CCS '15
      Sponsor:
      ASIA CCS '15: 10th ACM Symposium on Information, Computer and Communications Security
      April 14 - March 17, 2015
      Singapore, Republic of Singapore

      Acceptance Rates

      ASIA CCS '15 Paper Acceptance Rate 48 of 269 submissions, 18%;
      Overall Acceptance Rate 418 of 2,322 submissions, 18%

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months)4
      • Downloads (Last 6 weeks)1
      Reflects downloads up to 15 Feb 2025

      Other Metrics

      Citations

      Cited By

      View all
      • (2023)A Practical Deep Learning-Based Acoustic Side Channel Attack on Keyboards2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)10.1109/EuroSPW59978.2023.00034(270-280)Online publication date: Jul-2023
      • (2020)MISSILE: A System of Mobile Inertial Sensor-Based Sensitive Indoor Location EavesdroppingIEEE Transactions on Information Forensics and Security10.1109/TIFS.2019.294403415(3137-3151)Online publication date: 2020
      • (2019)What Is This Sensor and Does This App Need Access to It?Informatics10.3390/informatics60100076:1(7)Online publication date: 24-Jan-2019
      • (2019)Prying into Private Spaces Using Mobile Device Motion Sensors2019 17th International Conference on Privacy, Security and Trust (PST)10.1109/PST47121.2019.8949056(1-10)Online publication date: Aug-2019
      • (2018)The Web's Sixth SenseProceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security10.1145/3243734.3243860(1515-1532)Online publication date: 15-Oct-2018
      • (2018)Making sense of sensorsProceedings of the 7th Workshop on Socio-Technical Aspects in Security and Trust10.1145/3167996.3168001(40-52)Online publication date: 5-Dec-2018
      • (2018)Stealing PINs via mobile sensorsInternational Journal of Information Security10.1007/s10207-017-0369-x17:3(291-313)Online publication date: 1-Jun-2018
      • (2016)NFC Payment Spy: A Privacy Attack on Contactless PaymentsSecurity Standardisation Research10.1007/978-3-319-49100-4_4(92-111)Online publication date: 2-Nov-2016

      View Options

      Login options

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Figures

      Tables

      Media

      Share

      Share

      Share this Publication link

      Share on social media