TouchSignatures: Identification of user touch actions and PINs based on mobile sensor data via JavaScript

How much do you trust your browser when you are surfing the internet on a mobile phone  using Safari, Chrome, Opera or Firefox? Perhaps, you feel secure as long as you do not download suspicious files, or enter your secret passwords onto unknown websites. You may feel even more secure by closing the browser and locking the phone.

However, our recent research (published in the Journal of Information Security and Applications) shows that there is a significant deficiency in the current W3C specifications, which affects the security of all major mobile browsers including Safari, Chrome, Opera and Firefox. The current W3C specification allows embedded JavaScript code in a web page to access the motion and orientation sensors on a mobile phone without requiring any user permission. This makes it possible for a remote website to learn sensitive user information such as phone call timing, physical activities, touch actions on the screen, and even the PINs, by collecting and analysing the sensor data.

We studied the implementation of W3C in all major mobile browsers. Our study confirms that embedded JavaScript code can compromise user sensitive information by listening to the side channel data provided by the motion and orientation sensors without any user permission, through an inactive tab, iframe, or minimised browser (even when the screen of the mobile phone is locked). Below you can see a list of affected browsers on iOS and Android.

1

To show the feasibility of the attack, we present TouchSignatures which implements an attack where malicious JavaScript code on an attack tab listens to such sensor data measurements. Based on these streams and by using advanced machine learning methods, TouchSignatures is able to distinguish the user’s touch actions (i.e., tap, scroll, hold, and zoom) and her PINs, allowing a remote website to learn the client-side user activities. We demonstrate the practicality of this attack by collecting data from real users and reporting high success rates, up to 70% identification of digits (PIN) in Android and 56% in iOS. For more details, we refer the reader to our paper.

This problem has been largely neglected in the past as the sensor stream available to JavaScript has been restricted to low rates (3-5 times lower than those available to app). The common perception within the W3C community and the browser industry is that such a low rate should not expose risks to information leakage. However, our work suggests this perception is incorrect. There are serious security risks imposed by the JavaScript’s unrestricted access to the sensor data even at a low rate.

We reported the results of this research to the W3C community and mobile browser vendors including Mozilla, Opera, Chromium and Apple. We are grateful to their quick and constructive feedback, which is summarized below:

  • W3C: “This would be an issue to address for any future iterations on this [W3C] document”.
  • Mozilla: “Indeed, and it should be fixed consistently across all the browsers and also the spec [W3C specification] needs to be fixed.”
  • Chrome: “It [i.e. this research] sounds like a good reason to restrict it [i.e. sensor reading] from iframes”.
  • Opera: “Opera on iOS giving background tabs access to the events does seem like an unwanted bug”.
  • Safari: “We have reviewed your paper and are working on the mitigations listed in the paper.”

An earlier version of the paper was presented in AsiaCCS’15 and a journal version is published in JISA (Elsevier). Please feel free to leave comment or contact me (m.mehrnezhad@ncl.ac.uk) if you have any questions about this research project.