Abstract
Conforming to the recent W3C specifications (www.w3.org/TR/orientation-event), modern mobile web browsers generally allow JavaScript code in a web page to access motion and orientation sensor data without the user's permission. The associated risks to user privacy are however not considered in W3C specifications. In this work, for the first time, we show how user privacy can be compromised using device motion and orientation sensor data available in-browser, despite the fact that the data rate is 5 to 10 times slower than what is attainable in-app. We examine different browsers on the Android and iOS platforms and study their policies in granting permissions to JavaScript code with respect to access to motion and orientation sensor data and identify multiple vulnerabilities. Based on our findings, we propose TouchSignatures, implementation of an attack in which malicious JavaScript code on an inactive tab listens to such sensor data measurements. Based on these streams, TouchSignatures is able to distinguish the user's touch actions (e.g., tap, scroll, hold, and zoom) on an active tab, allowing the remote website to learn the client-side user activities. Finally, we demonstrate the practicality of this attack by collecting real-world user data and reporting high success rates using our proof-of-concept implementation.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
