Wave-to-Access: Protecting Sensitive Mobile Device Services via a Hand Waving Gesture

Abstract

Mobile devices, such as smartphones and tablets, offer a wide variety of important services to everyday users. Many of these services (such as NFC payments) are highly sensitive and can be abused by malicious entities, without the knowledge of the device user, in the form of insider attacks (such as malware) and/or outsider attacks (such as unauthorized reading and relay attacks). In this paper, we present a novel application permission granting approach that can be used to protect any sensitive mobile device service. It captures user's intent to access the service via a lightweight hand waving gesture. This gesture is very simple, quick and intuitive for the user, but would be very hard for the attacker to exhibit without user's knowledge. We present the design and implementation of a hand waving gesture recognition mechanism using an ambient light sensor, already available on most mobile devices. We integrate this gesture with the phone dialing service as a specific use case to address the problem of malware that makes premium rate phone calls. We also report on our experiments to analyze the performance of our approach both in benign and adversarial settings. Our results indicate the approach to be quite effective in preventing the misuse of sensitive resources while imposing only minimal user burden.