Francesco Marcantoni†, Michalis Diamantaris*, Sotiris Ioannidis*, Jason Polakis†.
*FORTH, Greece | †University of Illinois at ChicagoMichalis Diamantaris*, Francesco Marcantoni†, Sotiris Ioannidis*, Jason Polakis†.
*FORTH, Greece | †University of Illinois at ChicagoSmartphone sensors can be leveraged by malicious apps for a plethora of different attacks, which can also be deployed by malicious websites through the HTML5 WebAPI. In this paper we provide a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users, by conducting a large-scale study of mobile-specific HTML5 WebAPI calls used in the wild. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% websites accessing at least one mobile sensor. To provide a comprehensive assessment of the potential risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies, and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites could carry out at least one of those attacks. Our findings emphasize the need for a standardized policy across browsers and the ability for users to control what sensor data each website can access.
@inproceedings {mobileWebAPIAttacks2019,
author = {Francesco Marcantoni and Michalis Diamantaris and Sotiris Ioannidis and Jason Polakis},
title = {A Large-scale Study on the Risks of the HTML5 WebAPI for Mobile Sensor-based Attacks},
booktitle = {30th International World Wide Web Conference, WWW '19},
year = {2019},
publisher = {ACM} }
@article{HTML5WebAPISevenDeadlySins,
author = {Diamantaris, Michalis and Marcantoni, Francesco and Ioannidis, Sotiris and Polakis, Jason},
title = {The Seven Deadly Sins of the HTML5 WebAPI: A Large-Scale Study on the Risks of Mobile Sensor-Based Attacks},
year = {2020},
issue_date = {July 2020},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {23},
number = {4},
issn = {2471-2566},
url = {https://doi.org/10.1145/3403947},
doi = {10.1145/3403947},
journal = {ACM Trans. Priv. Secur.},
month = jul,
articleno = {19},
numpages = {31},
keywords = {sensor attack taxonomy, mobile sensors, browser guidelines, mobile HTML5, WebAPI, Android}
}
You can dowload our data here.
In case you have questions about this project, contact Michalis Diamantaris.