A Large-scale Study on the Risks of the HTML5 WebAPI for Mobile Sensor-based Attacks

Francesco Marcantoni†, Michalis Diamantaris*, Sotiris Ioannidis*, Jason Polakis†.


Smartphone sensors can be leveraged by malicious apps for a plethora of different attacks, which can also be deployed by malicious websites through the HTML5 WebAPI. In this paper we provide a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users, by conducting a large-scale study of mobile-specific HTML5 WebAPI calls used in the wild. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% of websites accessing at least one mobile sensor. To provide a comprehensive assessment of the potential risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies, and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites could carry out at least one of those attacks. Our findings emphasize the need for a standardized policy across browsers and the ability for users to control what sensor data each website can access.


@inproceedings {mobileWebAPIAttacks2019,
author = {Francesco Marcantoni and Michalis Diamantaris and Sotiris Ioannidis and Jason Polakis},
title = {A Large-scale Study on the Risks of the HTML5 WebAPI for Mobile Sensor-based Attacks},
booktitle = {30th International World Wide Web Conference, WWW '19},
year = {2019},
publisher = {ACM}
}

Download data

You can download our data here.


In case you have questions about this project, contact Michalis Diamantaris.