Inferring UI States of Mobile Applications Through Power Side Channel Exploitation

  • Yao GuoEmail author
  • Junming Ma
  • Wenjun Wu
  • Xiangqun Chen
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 254)


The UI (user interface) state of a mobile application is important for attackers since it exposes what is happening inside an application. Attackers could initiate attacks timely according to this information, for example inserting fake GUIs or taking screenshots of GUIs involving user’s sensitive data. This paper proposes PoWatt, a method to infer the timing of sensitive UI occurrences by exploiting power side channels on mobile devices such as smartphones. Based on power traces collected and power patterns learned in advance, PoWatt applies a pattern matching algorithm to detect target UI occurrences within a series of continuous power traces. Experiment results on popular Android apps show that PoWatt can detect sensitive UI loading with an average precision of 71% (up to 98%) and an average recall rate of 70% (up to 88%) during offline detection. In real-time experiments for online detection, PoWatt can still detect sensitive UIs with a reasonable precision and recall, which can be successfully exploited by real-world attacks such as screenshot-based password stealing. Finally, we discuss the limitations of PoWatt and possible mitigation techniques.


Side channels Power traces Power side channels UI inference Smartphones 



This work was partly supported by the National Natural Science Foundation of China (No. 61772042).


  1. 1.
    Brier, E., Clavier, C., Olivier, F.: Correlation power analysis with a leakage model. In: Joye, M., Quisquater, J.-J. (eds.) CHES 2004. LNCS, vol. 3156, pp. 16–29. Springer, Heidelberg (2004). Scholar
  2. 2.
    Chen, Q.A., Qian, Z., Mao, Z.M.: Peeking into your app without actually seeing it: UI state inference and novel android attacks. In: Proceedings of the 23rd USENIX Conference on Security Symposium, pp. 1037–1052 (2014)Google Scholar
  3. 3.
    Chen, S., Meseguer, J., Sasse, R., Wang, H.J., Wang, Y.-M.: A systematic approach to uncover security flaws in GUI logic. In: IEEE Symposium on Security and Privacy, S&P 2007, pp. 71–85. IEEE (2007)Google Scholar
  4. 4.
    Chen, S., Wang, R., Wang, X., Zhang, K.: Side-channel leaks in web applications: a reality today, a challenge tomorrow. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, pp. 191–206 (2010)Google Scholar
  5. 5.
    Dong, M., Zhong, L.: Power modeling and optimization for OLED displays. IEEE Trans. Mob. Comput. 11(9), 1587–1599 (2012)CrossRefGoogle Scholar
  6. 6.
    Fischer, T., Sadeghi, A., Winandy, M.: A pattern for secure graphical user interface systems. In: The 20th International Workshop on Database and Expert Systems Application, DEXA 2009, pp. 186–190, August 2009Google Scholar
  7. 7.
    Kocher, P., Jaffe, J., Jun, B.: Introduction to differential power analysis and related attacks (1998).
  8. 8.
    Kocher, P., Jaffe, J., Jun, B.: Differential power analysis. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 388–397. Springer, Heidelberg (1999). Scholar
  9. 9.
    Li, D., Tran, A.H., Halfond, W.G.J.: Making web applications more energy efficient for OLED smartphones. In: Proceedings of the 36th International Conference on Software Engineering, ICSE 2014, pp. 527–538. ACM (2014)Google Scholar
  10. 10.
    Li, Y., Yang, Z., Guo, Y., Chen, X.: Droidbot: a lightweight UI-guided test input generator for android. In: Proceedings of the 39th International Conference on Software Engineering Companion, ICSE-C 2017, pp. 23–26 (2017)Google Scholar
  11. 11.
    Lin, C.-C., Li, H., Zhou, X., Wang, X.: Screenmilker: how to milk your android screen for secrets. In: Proceedings of The 21th Annual Network and Distributed System Security Symposium (NDSS) (2014)Google Scholar
  12. 12.
    Mangard, S., Oswald, E., Popp, T.: Power Analysis Attacks: Revealing the Secrets of Smart Cards, vol. 31. Springer, Heidelberg (2008)zbMATHGoogle Scholar
  13. 13.
    Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Power analysis attacks of modular exponentiation in smartcards. In: Koç, Ç.K., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 144–157. Springer, Heidelberg (1999). Scholar
  14. 14.
    Messerges, T.S., Dabbish, E.A., Sloan, R.H.: Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 51(5), 541–552 (2002)MathSciNetCrossRefGoogle Scholar
  15. 15.
    Michalevsky, Y., Nakibly, G., Schulman, A., Boneh, D.: PowerSpy: location tracking using mobile device power analysis. In: 24th USENIX Security Symposium (USENIX Security 15), Washington, D.C., August 2015Google Scholar
  16. 16.
    Qian, Z., Mao, Z.M., Xie, Y.: Collaborative TCP sequence number inference attack: how to crack sequence number under a second. In: ACM Conference on Computer and Communications Security, CCS 2012, pp. 593–604 (2012)Google Scholar
  17. 17.
    Shapiro, J.S., Vanderburgh, J., Northup, E., Chizmadia, D.: Design of the EROS trusted window system. In: Proceedings of the 13th Conference on USENIX Security Symposium, vol. 13, p. 12 (2004)Google Scholar
  18. 18.
    Wray, J.C.: An analysis of covert timing channels. In: Proceedings of 1991 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 2–7 (1991)Google Scholar
  19. 19.
    Yan, L., Guo, Y., Chen, X., Mei, H.: A study on power side channels on mobile devices. In: Proceedings of the Seventh Asia-Pacific Symposium on Internetware (Internetware 2015) (2015)Google Scholar
  20. 20.
    Yoon, C., Kim, D., Jung, W., Kang, C., Cha, H.: AppScope: application energy metering framework for Android smartphone using kernel activity monitoring. In: USENIX Annual Technical Conference, pp. 387–400 (2012)Google Scholar
  21. 21.
    Zhang, D., Askarov, A., Myers, A.C.: Predictive mitigation of timing channels in interactive systems. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 563–574. ACM (2011)Google Scholar
  22. 22.
    Zhuang, L., Zhou, F., Tygar, J.D.: Keyboard acoustic emanations revisited. ACM Trans. Inf. Syst. Secur. 13(1), 3:1–3:26 (2009)CrossRefGoogle Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  1. 1.Key Laboratory of High-Confidence Software Technologies (Ministry of Education), School of EECSPeking UniversityBeijingChina

Personalised recommendations