Mobile device fingerprinting considered harmful for risk-based authentication

Spooren, Jan; Preuveneers, Davy; Joosen, Wouter

doi:10.1145/2751323.2751329

Cited by 40 publications

(44 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Ope-nAM offers device fingerprinting and matching capabilities using client-side and server-side JavaScript technology. As shown in our previous work [26], the built-in fingerprinting code is not well suited for mobile devices. In this work, we adapted the JavaScript code to call our service to process battery data.…”

Section: Mobile Information Systemsmentioning

confidence: 92%

Leveraging Battery Usage from Mobile Devices for Active Authentication

Spooren¹,

Preuveneers²,

Joosen³

2017

Mobile Information Systems

Self Cite

View full text Add to dashboard Cite

Active authentication is the practice of continuously verifying the identity of users, based on their context, interactions with a system, and information provided by that system. In this paper, we investigate if battery charge readings from mobile devices can be used as an extra factor to improve active authentication. We make use of a large data set of battery charge readings from real users and construct two computationally inexpensive machine learning classifiers to predict if a user session is authentic: the first one only based on the battery charge at a certain time of day; the second one predicts the authenticity of the user session when a previous, recent battery charge reading is available. Our research shows that a simple two-figure battery charge value can make a useful albeit minor contribution to active authentication.

show abstract

Section: Mobile Information Systemsmentioning

confidence: 92%

Leveraging Battery Usage from Mobile Devices for Active Authentication

Spooren¹,

Preuveneers²,

Joosen³

2017

Mobile Information Systems

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, Apple ceased the use of UDID since iOS 6 [4] and for Android accessing IMEI requires explicit user permission [3]. Moreover, due to constrained hardware and software environments, existing methods often lack in precision for smartphones, as shown by recent studies [22,36]. However, Laperdrix et al have shown that it is in fact possible to fingerprint smartphones effectively through the user-agent string which is becoming richer every day due to the numerous vendors deploying different firmware versions [25].…”

Section: Browser Fingerprintingmentioning

confidence: 99%

“…In turn, advertisers have started using browser fingerprinting [9,19,29] to track users across the web without the use of cookies. As the battleground shifts to mobile platforms, which are quickly becoming the dominant mode for web browsing [1,5,6,8], existing fingerprinting techniques become less effective [22,36]; at the same time, new threats emerge: mobile browsers give web pages access to internal motion sensors (accelerometers and gyroscopes) and researchers have showed that imperfections in these sensors can be used to fingerprint smartphones [16,18,22], boosting the accuracy of a weakened browser fingerprint.…”

Section: Introductionmentioning

confidence: 99%

Every Move You Make: Exploring Practical Issues in Smartphone Motion Sensor Fingerprinting and Countermeasures

Das

Borisov

Chou

2018

Proceedings on Privacy Enhancing Technologies

View full text Add to dashboard Cite

Abstract:The ability to track users' activities across different websites and visits is a key tool in advertising and surveillance. The HTML5 DeviceMotion interface creates a new opportunity for such tracking via fingerprinting of smartphone motion sensors. We study the feasibility of carrying out such fingerprinting under real-world constraints and on a large scale. In particular, we collect measurements from several hundred users under realistic scenarios and show that the state-of-the-art techniques provide very low accuracy in these settings. We then improve fingerprinting accuracy by changing the classifier as well as incorporating auxiliary information. We also show how to perform fingerprinting in an open-world scenario where one must distinguish between known and previously unseen users. We next consider the problem of developing fingerprinting countermeasures; we evaluate the usability of a previously proposed obfuscation technique and a newly developed quantization technique via a large-scale user study. We find that both techniques are able to drastically reduce fingerprinting accuracy without significantly impacting the utility of the sensors in web applications.

show abstract

“…In the current version, the detection is based user entered detection rules. A future avenue for development would be to use the Fingerbank database [26], accessible at http://www.fingerbank.org, or similar. This is a device database with MAC address and User-Agent device detection.…”

Section: Future Workmentioning

confidence: 99%

Enabling Non-Expert Analysis OF Large Volumes OF Intercepted Network Traffic

Wiel¹,

Scanlon

Le-Khac

2018

Advances in Digital Forensics XIV

View full text Add to dashboard Cite

In criminal investigations, telecommunication wiretaps have become a common technique used by law enforcement. While phone-based wiretapping is well documented and the procedure for their execution are well known, the same cannot be said for Internet taps. Lawfully intercepted network traffic often contains a lot of encrypted traffic making it increasingly difficult to find useful information inside the traffic captured. The advent of Internet-of-Things further complicates the process for non-technical investigators. The current level of complexity of intercepted network traffic is close to a point where data cannot be analysed without supervision of a digital investigator with advanced network knowledge. Current investigations focus on analysing all traffic in a chronological manner and are predominately conducted on the data contents of the intercepted traffic. This approach often becomes overly arduous when the amount of data to be analysed becomes very large. In this paper, we propose a novel approach to analyse large amounts of intercepted network traffic based on network metadata. Our approach significantly reduces the duration of the analysis and also produces an insight view of analysing results for the non-technical investigator. We also test our approach with a large sample of network traffic data.

show abstract

Mobile device fingerprinting considered harmful for risk-based authentication

Cited by 40 publications

References 17 publications

Leveraging Battery Usage from Mobile Devices for Active Authentication

Leveraging Battery Usage from Mobile Devices for Active Authentication

Every Move You Make: Exploring Practical Issues in Smartphone Motion Sensor Fingerprinting and Countermeasures

Enabling Non-Expert Analysis OF Large Volumes OF Intercepted Network Traffic

Contact Info

Product

Resources

About