Skip to content Skip to navigation
University of Warwick
  • Study
  • |
  • Research
  • |
  • Business
  • |
  • Alumni
  • |
  • News
  • |
  • About

University of Warwick
Publications service & WRAP

Highlight your research

  • WRAP
    • Home
    • Search WRAP
    • Browse by Warwick Author
    • Browse WRAP by Year
    • Browse WRAP by Subject
    • Browse WRAP by Department
    • Browse WRAP by Funder
    • Browse Theses by Department
  • Publications Service
    • Home
    • Search Publications Service
    • Browse by Warwick Author
    • Browse Publications service by Year
    • Browse Publications service by Subject
    • Browse Publications service by Department
    • Browse Publications service by Funder
  • Help & Advice
University of Warwick

The Library

  • Login
  • Admin

TouchSignatures : identification of user touch actions based on mobile sensors via JavaScript

Tools
- Tools
+ Tools

Mehrnezhad, Maryam, Toreini, Ehsan, Shahandashti, Siamak F. and Hao, Feng (2015) TouchSignatures : identification of user touch actions based on mobile sensors via JavaScript. In: 10th ACM Symposium on Information, Computer and Communications Security , Singapore, 2015. Published in: ASIA CCS '15 p. 673. ISBN 9781450332453 . doi:10.1145/2714576.2714650

Research output not available from this repository, contact author.
Official URL: http://dx.doi.org/10.1145/2714576.2714650

Request Changes to record.

Abstract

Conforming to W3C specifications, mobile web browsers allow JavaScript code in a web page to access motion and orientation sensor data without the user's permission. The associated risks to user security and privacy are however not considered in W3C specifications. In this work, for the first time, we show how user security can be compromised using these sensor data via browser, despite that the data rate is 3–5 times slower than what is available in app. We examine multiple popular browsers on Android and iOS platforms and study their policies in granting permissions to JavaScript code with respect to access to motion and orientation sensor data. Based on our observations, we identify multiple vulnerabilities, and propose TouchSignatures which implements an attack where malicious JavaScript code on an attack tab listens to such sensor data measurements. Based on these streams, TouchSignatures is able to distinguish the user's touch actions (i.e., tap, scroll, hold, and zoom) and her PINs, allowing a remote website to learn the client-side user activities. We demonstrate the practicality of this attack by collecting data from real users and reporting high success rates using our proof-of-concept implementations. We also present a set of potential solutions to address the vulnerabilities. The W3C community and major mobile browser vendors including Mozilla, Google, Apple and Opera have acknowledged our work and are implementing some of our proposed countermeasures.

Item Type: Conference Item (Paper)
Divisions: Faculty of Science > Computer Science
Journal or Publication Title: ASIA CCS '15
Publisher: ACM
ISBN: 9781450332453
Book Title: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security - ASIA CCS '15
Official Date: 2015
Dates:
DateEvent
2015Published
Page Range: p. 673
DOI: 10.1145/2714576.2714650
Status: Not Peer Reviewed
Publication Status: Published
Access rights to Published version: Restricted or Subscription Access
Conference Paper Type: Paper
Title of Event: 10th ACM Symposium on Information, Computer and Communications Security
Type of Event: Conference
Location of Event: Singapore
Date(s) of Event: 2015

Request changes or add full text files to a record

Repository staff actions (login required)

View Item View Item
twitter

Email us: wrap@warwick.ac.uk
Contact Details
About Us