Abstract
Modern smartphone sensors can be leveraged for providing novel functionality and greatly improving the user experience. However, sensor data can be misused by privacy-invasive or malicious entities. Additionally, a wide range of other attacks that use mobile sensor data have been demonstrated; while those attacks have typically relied on users installing malicious apps, browsers have eliminated that constraint with the deployment of HTML5 WebAPI. In this article, we conduct a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users by conducting a large-scale study of mobile-specific HTML5 WebAPI calls across more than 183K of the most popular websites. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. In detail, our system intercepts and tracks data access in real time, from the WebAPI JavaScript calls down to the Android system calls. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% of websites accessing at least one sensor. To provide a comprehensive assessment of the risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites can carry out at least one attack and emphasize the need for a standardized policy across all browsers and the ability for users to control what sensor data each website can access.
Highlights
Mobile phone usage has been on a constant rise, and smartphone devices have reached a near-ubiquitous presence in many countries
We provide an overview of mobile-specific calls supported by the HTML5 WebAPI and present a taxonomy of attacks presented in prior work that relies on data provided by mobile sensors
We provide a comprehensive exploration of the mobile sensors that websites access through the use of mobile HTML5 WebAPI calls and analyze how this data can be used by websites to exfiltrate personal information about the user
Summary
Mobile phone usage has been on a constant rise, and smartphone devices have reached a near-ubiquitous presence in many countries. Apart from the obvious usability benefits, smartphone devices have introduced a plethora of privacy risks. In this post-Snowden era [58] users are becoming increasingly aware of privacy issues, including online tracking and internet surveillance, and employ private browsing among other techniques to remain anonymous online (despite overestimating the protection it offers [125]). Apart from enabling certain forms of user tracking (e.g., through the discontinued Battery API [96]), other sensor-based attacks that were previously restricted to mobile apps can be deployed over the web. To better explore this threat, we focus on all mobile-specific HTML5 WebAPI calls and subsequently explore the attacks that they enable. Our study focuses on the following WebAPI calls (which we refer to as mobile-specific for the remainder of the article):
DeviceMotionEvent.acceleration [22]: This call provides web developers with information from the accelerometer sensor about the speed of changes in the device’s position, returning values expressed in m/s² for all three X, Y, Z axes.
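As an added illustration (not the paper's measurement infrastructure), the following page-level audit hook records when a script registers a `devicemotion` listener and when that listener actually reads `acceleration`. The names `installSensorAudit`, `makeFakeWindow` and `demo` are hypothetical, and the fake window and event values are constructed so the code runs outside a browser.

```javascript
// Added example (not from the paper). All names below are hypothetical.
const SENSOR_EVENTS = new Set(['devicemotion']);
const SENSOR_FIELDS = new Set(['acceleration']);

// Wrap target.addEventListener so sensor listeners and the fields they
// read are appended to `log`. Returns a function that removes the hook.
function installSensorAudit(target, log) {
  const originalAdd = target.addEventListener;
  target.addEventListener = function (type, listener, options) {
    if (!SENSOR_EVENTS.has(type) || typeof listener !== 'function') {
      return originalAdd.call(this, type, listener, options);
    }
    log.push({ kind: 'register', type });
    const wrapped = function (event) {
      const view = new Proxy(event, {
        get(obj, prop) {
          if (SENSOR_FIELDS.has(prop)) log.push({ kind: 'read', type, field: prop });
          // Read against the real event so native getters keep their receiver.
          const value = Reflect.get(obj, prop, obj);
          return typeof value === 'function' ? value.bind(obj) : value;
        },
      });
      return listener.call(this, view);
    };
    return originalAdd.call(this, type, wrapped, options);
  };
  return () => { target.addEventListener = originalAdd; };
}

// Constructed stand-in for a browser window, so the hook runs offline.
function makeFakeWindow() {
  const listeners = {};
  return {
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type, event) { (listeners[type] || []).forEach((fn) => fn.call(this, event)); },
  };
}

function demo() {
  const log = [];
  const win = makeFakeWindow();
  installSensorAudit(win, log);
  win.addEventListener('click', () => {});                       // not a sensor event
  win.addEventListener('devicemotion', (e) => e.acceleration.x); // sensor read
  win.addEventListener('devicemotion', (e) => e.timeStamp);      // registers, never reads
  win.dispatch('devicemotion', { acceleration: { x: 0.1, y: 9.8, z: 0.2 }, timeStamp: 1 });
  return log;
}
```

Handlers assigned through `window.ondevicemotion` and removals via `removeEventListener` are outside what this hook covers.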