A Large-scale Study on the Risks of the HTML5 WebAPI for Mobile Sensor-based Attacks [Paper] [BibTex]

(Original publication - WWW '19)

Francesco Marcantoni†, Michalis Diamantaris*, Sotiris Ioannidis*, Jason Polakis†.

The Seven Deadly Sins of the HTML5 WebAPI: A Large-scale Study on the Risks of Mobile Sensor-based Attacks [Paper] [BibTex]

(Extended version - TOPS '20)

Michalis Diamantaris*, Francesco Marcantoni†, Sotiris Ioannidis*, Jason Polakis†.


Smartphone sensors can be leveraged by malicious apps for a plethora of different attacks, which can also be deployed by malicious websites through the HTML5 WebAPI. In this paper we provide a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users, by conducting a large-scale study of mobile-specific HTML5 WebAPI calls used in the wild. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% websites accessing at least one mobile sensor. To provide a comprehensive assessment of the potential risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies, and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites could carry out at least one of those attacks. Our findings emphasize the need for a standardized policy across browsers and the ability for users to control what sensor data each website can access.


@inproceedings {mobileWebAPIAttacks2019,
	author = {Francesco Marcantoni and Michalis Diamantaris and Sotiris Ioannidis and Jason Polakis},
	title = {A Large-scale Study on the Risks of the HTML5 WebAPI for Mobile Sensor-based Attacks},
	booktitle = {30th International World Wide Web Conference, WWW '19},
	year = {2019},
	publisher = {ACM} }

	author = {Diamantaris, Michalis and Marcantoni, Francesco and Ioannidis, Sotiris and Polakis, Jason},
	title = {The Seven Deadly Sins of the HTML5 WebAPI: A Large-Scale Study on the Risks of Mobile Sensor-Based Attacks},
	year = {2020},
	issue_date = {July 2020},
	publisher = {Association for Computing Machinery},
	address = {New York, NY, USA},
	volume = {23},
	number = {4},
	issn = {2471-2566},
	url = {},
	doi = {10.1145/3403947},
	journal = {ACM Trans. Priv. Secur.},
	month = jul,
	articleno = {19},
	numpages = {31},
	keywords = {sensor attack taxonomy, mobile sensors, browser guidelines, mobile HTML5, WebAPI, Android}

Download data

You can dowload our data here.


In case you have questions about this project, contact Michalis Diamantaris.