Francesco Marcantoni†, Michalis Diamantaris*, Sotiris Ioannidis*, Jason Polakis†.
*FORTH, Greece | †University of Illinois at Chicago

Michalis Diamantaris*, Francesco Marcantoni†, Sotiris Ioannidis*, Jason Polakis†.

Smartphone sensors can be leveraged by malicious apps for a plethora of different attacks, which can also be deployed by malicious websites through the HTML5 WebAPI. In this paper we provide a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users, by conducting a large-scale study of mobile-specific HTML5 WebAPI calls used in the wild. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% of websites accessing at least one mobile sensor. To provide a comprehensive assessment of the potential risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies, and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites could carry out at least one of those attacks. Our findings emphasize the need for a standardized policy across browsers and the ability for users to control what sensor data each website can access.
@inproceedings{mobileWebAPIAttacks2019,
  author    = {Francesco Marcantoni and Michalis Diamantaris and Sotiris Ioannidis and Jason Polakis},
  title     = {A Large-scale Study on the Risks of the HTML5 WebAPI for Mobile Sensor-based Attacks},
  booktitle = {30th International World Wide Web Conference, WWW '19},
  year      = {2019},
  publisher = {ACM}
}

@article{HTML5WebAPISevenDeadlySins,
  author     = {Diamantaris, Michalis and Marcantoni, Francesco and Ioannidis, Sotiris and Polakis, Jason},
  title      = {The Seven Deadly Sins of the HTML5 WebAPI: A Large-Scale Study on the Risks of Mobile Sensor-Based Attacks},
  year       = {2020},
  issue_date = {July 2020},
  publisher  = {Association for Computing Machinery},
  address    = {New York, NY, USA},
  volume     = {23},
  number     = {4},
  issn       = {2471-2566},
  url        = {https://doi.org/10.1145/3403947},
  doi        = {10.1145/3403947},
  journal    = {ACM Trans. Priv. Secur.},
  month      = jul,
  articleno  = {19},
  numpages   = {31},
  keywords   = {sensor attack taxonomy, mobile sensors, browser guidelines, mobile HTML5, WebAPI, Android}
}
You can download our data here.
If you have questions about this project, contact Michalis Diamantaris.