The All Seeing Eye: Web to App Intercommunication for Session Fingerprinting in Android

  • Conference paper
Security, Privacy, and Anonymity in Computation, Communication, and Storage (SpaCCS 2017)

Abstract

The vast adoption of mobile devices in our everyday lives, apart from facilitating us through their various enhanced capabilities, has also raised serious privacy concerns. While mobile devices are equipped with numerous sensors which offer context-awareness to their installed apps, they can also be exploited to reveal sensitive information when correlated with other data or sources. Companies have introduced a plethora of privacy-invasive methods to harvest users’ personal data for profiling and monetizing purposes. Nonetheless, up to now, these methods were constrained by the environment in which they operate, e.g. browser vs mobile app, and since only a handful of businesses could have access to both of these environments, the conceivable risks can be calculated and the involved enterprises can be somehow monitored and regulated. This work introduces some novel user deanonymisation approaches for device fingerprinting in Android. Having Android AOSP as our baseline, we prove that web pages, by using several inherent mechanisms, can cooperate with installed mobile apps to identify which sessions operate in specific devices and consequently to further expose users’ privacy.



Acknowledgments

This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the OPERANDO project (Grant Agreement no. 653704) and is based upon work from COST Action CRYPTACUS, supported by COST (European Cooperation in Science and Technology). The authors would like to thank ElevenPaths for their valuable feedback and providing them access to Tacyt.

Corresponding author

Correspondence to Constantinos Patsakis.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Alepis, E., Patsakis, C. (2017). The All Seeing Eye: Web to App Intercommunication for Session Fingerprinting in Android. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, KK. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2017. Lecture Notes in Computer Science, vol 10656. Springer, Cham. https://doi.org/10.1007/978-3-319-72389-1_9

  • DOI: https://doi.org/10.1007/978-3-319-72389-1_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-72388-4

  • Online ISBN: 978-3-319-72389-1

  • eBook Packages: Computer Science (R0)
