TOUCHSIGNATURES Maryam Mehrnezhad, Ehsan Toreini, Siamak F. Shahandashti, Feng Hao Newcastle University CryptoForma meeting, Belfast 4 May 2015.


The Attack
Identification of User Touch Actions Based on Mobile Sensor Data via JavaScript. Accepted in ASIACCS'15.

Touch Action: Description
- Click: touching an item momentarily with one finger
- Scroll (Up, Down, Right, Left): touching continuously and simultaneously sliding in the corresponding direction
- Zoom (In, Out): placing 2 fingers on the screen and sliding them apart or toward each other, respectively
- Hold: touching continuously for a while with one finger

HTML 5
HTML5 is moving toward handling system functionalities, for example ideas such as B2G (Boot2Gecko) by Mozilla. With that in mind, it is not surprising that HTML5 can get mobile sensor related data.

HTML 5
Currently, mobile web applications have access to the following sensors:
- Geolocation
- Multimedia (video, camera, microphone, webcams)
- Ambient light
- Motion and orientation

HTML 5
According to W3C specifications, modern web browsers allow JavaScript code to access motion and orientation sensor data.

Core Idea
This project targets this question: what are the possible privacy leakages? Is it possible to recognize user actions using the sensor data acquired by JavaScript?
- Neither iOS nor Android asks permission to access these sensors via browsers
- Accessing sensor data within mobile apps has already been studied
- Different security or privacy attacks in the literature

Some Challenges
Mobile in-browser sensor data access is restricted to two streams:
- Orientation: supplies the physical orientation of the device
- Device motion: acceleration of the device
In-browser access is limited in contrast to raw sensor data access in normal applications:
- Processed data
- Low-rate streams, with frequencies around 5 to 10 times slower than in-app data

Privacy Breaches
Unlike other sensor accesses, no authorization from the user is needed to access orientation and acceleration data. This could possibly leak information such as:
- User physical movements (walking, running, sitting)
- Some user interactions with the device that have specific patterns (such as answering calls, taking photos)
- User touch actions

Touch Actions
Identification of touch actions may reveal a range of activities about the user's interaction with other webpages. E.g. users tend to mostly scroll on a news website, while they mostly type when using an email client.

TouchSignatures
Our system is able to distinguish user touch actions given access to the device motion and orientation sensor data.
Attack model: malicious web content spying on a user via JavaScript. The content is loaded via an iframe embedded in the webpage. The browser is running actively, or passively in the background. The user has access to the Internet.

Some Technical Details
According to W3C, HTML5 and JavaScript provide access to the following sensor data:
- Device orientation: three rotations, alpha, beta and gamma
- Device acceleration: Cartesian coordinates x, y and z
- Device acceleration including gravity
- Device rotation rate: three rotations, alpha, beta and gamma
- Interval: rate of sensor reading in milliseconds
We have developed TouchSignatures with the server side in Node.js and MongoDB, and a client-side JavaScript library called socket.io to send live sensor data streams. Supervised machine learning techniques are used to analyse the data.

Experiments


Experiments
- We collected data from 11 volunteers
- We presented each user a brief introduction and instructions to perform 8 touch actions
- Experiments were performed on Google Chrome on an iPhone 5
- We asked each user to perform each action 5 times
- Two types of mobile holding were measured: two-handed and one-handed
- At the end, we had 10 samples of each touch action for each of the 11 people

Feature Extraction
Time domain features:
- Raw captured sequence
- First-order derivative of each sequence
- Maximum, minimum and mean of each sequence and its derivative
- Total energy of each sequence and its derivative
- And some more features; 116 features in total for each touch
Frequency domain features:
- FFT of the sequences
- Maximum, minimum, mean and energy of each sequence; 48 features in total
In total, 164 features for each sequence.
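The feature set above, as an added example that is not the TouchSignatures code: for one captured stream (say the orientation beta values of a single touch) it computes max, min, mean and energy of the raw sequence, of its first-order derivative and of its magnitude spectrum. The sequence is constructed, not recorded, and a plain DFT stands in for the FFT.

```javascript
// Added example, not from the slides: feature extraction for one sensor stream.
// Constructed beta readings (degrees) of one touch action, not real data.
const constructedBetaSequence = [40.1, 40.3, 41.0, 42.6, 44.9, 46.2, 46.0, 45.1];

// First-order derivative: difference between consecutive readings.
function derivative(seq) {
  return seq.slice(1).map((v, i) => v - seq[i]);
}

// Max, min, mean and total energy (sum of squares) of a sequence.
function summarize(seq) {
  const mean = seq.reduce((s, v) => s + v, 0) / seq.length;
  const energy = seq.reduce((s, v) => s + v * v, 0);
  return { max: Math.max(...seq), min: Math.min(...seq), mean, energy };
}

// Magnitude spectrum via a plain DFT. An FFT returns the same numbers; the
// captured sequences are short (low-rate stream), so O(n^2) is fine here.
function dftMagnitudes(seq) {
  const n = seq.length;
  const mags = [];
  for (let k = 0; k < n; k++) {
    let re = 0, im = 0;
    for (let t = 0; t < n; t++) {
      const angle = (-2 * Math.PI * k * t) / n;
      re += seq[t] * Math.cos(angle);
      im += seq[t] * Math.sin(angle);
    }
    mags.push(Math.hypot(re, im));
  }
  return mags;
}

// Feature vector for one stream: [max, min, mean, energy] of the raw
// sequence, of its derivative and of its spectrum (12 numbers per stream).
function extractFeatures(seq) {
  const parts = [summarize(seq), summarize(derivative(seq)), summarize(dftMagnitudes(seq))];
  return parts.flatMap((p) => [p.max, p.min, p.mean, p.energy]);
}
```

Run over each of the orientation, acceleration and rotation-rate streams and concatenate the vectors to build the per-touch feature set.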

Classification Process
We implemented different classification algorithms:
- Artificial Neural Networks (ANN)
- K-Nearest Neighbour (k-NN)
- Decision Tree
We used a 10-fold cross-validation approach. 1-NN showed the best performance.
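The 1-NN classifier with k-fold cross-validation, as an added example that is not the TouchSignatures implementation. The feature vectors and labels are constructed; with 10 samples, 10 folds amounts to leave-one-out, and the single zoom_in sample shows why a class needs more than one sample to be recognized at all.

```javascript
// Added example, not from the slides: 1-NN with k-fold cross-validation.
// Constructed 3-dimensional feature vectors labelled with touch actions.
const constructedSamples = [
  { label: 'click', features: [0.9, 0.1, 0.2] },
  { label: 'click', features: [1.0, 0.2, 0.1] },
  { label: 'click', features: [0.8, 0.0, 0.3] },
  { label: 'scroll', features: [0.1, 2.1, 0.9] },
  { label: 'scroll', features: [0.2, 2.3, 1.0] },
  { label: 'scroll', features: [0.0, 1.9, 0.8] },
  { label: 'hold', features: [0.5, 0.1, 3.0] },
  { label: 'hold', features: [0.6, 0.0, 3.2] },
  { label: 'hold', features: [0.4, 0.2, 2.9] },
  { label: 'zoom_in', features: [2.0, 1.0, 1.0] }, // only one sample of this class
];

function euclidean(a, b) {
  return Math.sqrt(a.reduce((s, v, i) => s + (v - b[i]) ** 2, 0));
}

// Label of the single nearest training sample (k = 1).
function predictNearest(train, features) {
  let best = null, bestDist = Infinity;
  for (const s of train) {
    const d = euclidean(s.features, features);
    if (d < bestDist) { bestDist = d; best = s.label; }
  }
  return best;
}

// k-fold cross-validation: fold i holds out samples with index % k === i and
// trains on the rest. Returns overall accuracy and per-label identification
// rates, like the Phase 1 / Phase 2 tables.
function crossValidate(samples, k) {
  const hits = {}, totals = {};
  for (let fold = 0; fold < k; fold++) {
    const train = samples.filter((_, i) => i % k !== fold);
    for (const s of samples.filter((_, i) => i % k === fold)) {
      totals[s.label] = (totals[s.label] || 0) + 1;
      if (predictNearest(train, s.features) === s.label) hits[s.label] = (hits[s.label] || 0) + 1;
    }
  }
  const rates = {};
  for (const label of Object.keys(totals)) rates[label] = (hits[label] || 0) / totals[label];
  const overall = Object.values(hits).reduce((a, b) => a + b, 0) / samples.length;
  return { overall, rates };
}
```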

Phase 1 Classification
Touch Action: Identification Rate
- Click: 78.18%
- Hold: 88.18%
- Scroll: 95.91%
- Zoom In: 71.82%
- Zoom Out: 76.36%
- Overall: 87.39%

Phase 2 Classification
Touch Action: Identification Rate
- Scroll Down: 57.27%
- Scroll Up: 69.09%
- Scroll Right: 48.18%
- Scroll Left: 71.82%
- Overall: 61.59%

Contribution of Different Sensor Data Streams
Orientation has the greatest impact on the final results. The rest of the sensor data streams combined affect the result by only 3.64%.

Browser Support
Table columns: Device/mOS/Browser, Active, Background, Locked
- Device/mOS/Browser: determines the device, mobile OS and browser name
- Active: status when the browser is running actively and interacting with the user
- Background: status when the browser is not active, but running in the background
- Locked: status when the browser is not active and the device screen is locked

Browser Support
Table columns: Device/mOS/Browser; Active (Same, Intra, Other); Background (Same, Other); Locked (Same, Other)
The sub-columns refer to when the webpage visited is manipulated.

Comparisons of the Popular Browser Sensor Accessibility in Android/iOS

Possible Solutions
- Notify users within the browser
- Operating system settings
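A further mitigation on the embedding site's side, as an added example not from the slides: the attack model loads the spying script in an iframe, and Chromium-based browsers and the current W3C DeviceOrientation Event specification gate deviceorientation/devicemotion on the accelerometer, gyroscope and magnetometer permissions-policy features (coverage in other browsers is an assumption to verify). This helper audits an HTML document for iframes that do not explicitly deny those features; the HTML is constructed.

```javascript
// Added example, not from the slides: audit iframes for sensor permissions policy.
const SENSOR_FEATURES = ['accelerometer', 'gyroscope', 'magnetometer'];

// Permissions-Policy response header value that disables the sensor features
// for the document and every frame it embeds (a child cannot re-enable them).
function sensorPermissionsPolicyHeader() {
  return SENSOR_FEATURES.map((f) => `${f}=()`).join(', ');
}

// True when the iframe allow attribute sets every sensor feature to 'none',
// e.g. allow="accelerometer 'none'; gyroscope 'none'; magnetometer 'none'".
function iframeDeniesSensors(allowAttr) {
  const directives = (allowAttr || '').split(';').map((d) => d.trim()).filter(Boolean);
  return SENSOR_FEATURES.every((f) => directives.some((d) => {
    const [name, ...allowlist] = d.split(/\s+/);
    return name === f && allowlist.join(' ') === "'none'";
  }));
}

// Return the src of every <iframe> whose allow attribute does not deny the
// sensors. Regex based: adequate for an audit script, not an HTML parser.
function auditIframes(html) {
  const offenders = [];
  const iframeRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = iframeRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*"([^"]*)"/i) || [])[1] || '(no src)';
    const allow = (attrs.match(/\ballow\s*=\s*"([^"]*)"/i) || [])[1];
    if (!iframeDeniesSensors(allow)) offenders.push(src);
  }
  return offenders;
}

// Constructed document: one unrestricted frame, one fully restricted frame,
// one that only denies the accelerometer.
const constructedHtml = `
<iframe src="https://ads.example/banner" width="300"></iframe>
<iframe src="https://widget.example/embed" allow="accelerometer 'none'; gyroscope 'none'; magnetometer 'none'"></iframe>
<iframe src="https://other.example/" allow="accelerometer 'none'"></iframe>`;
```

Setting the header from sensorPermissionsPolicyHeader() on the top-level response is the simpler blanket fix; the audit is for sites that must keep the sensors for their own scripts but not for embedded frames.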

Future?
Is it possible to recognize the keys that have been pressed by using this low-rate data? Other privacy breaches? Open to any other suggestions...

Conclusion
- First to perform a practical privacy attack using sensor data via JavaScript
- User actions can be recognized using this sensor data, even though it is processed and provided at low rates
- This shows a major shortcoming in the access control policies of mobile operating systems and browsers with respect to user privacy
- We suggest applying the same approach as for GPS access by providing effective user notification and control mechanisms

THANKS!