Journal:What is this sensor and does this app need access to it?

From LIMSWiki
Revision as of 20:11, 25 November 2019 by Shawndouglas (talk | contribs) (Saving and adding more.)
Full article title: What is this sensor and does this app need access to it?
Journal: Informatics
Author(s): Mehrnezhad, Maryam; Toreini, Ehsan
Author affiliation(s): Newcastle University
Primary contact: Email: maryam dot mehrnezhad at ncl dot ac dot uk
Year published: 2019
Volume and issue: 6(1)
Page(s): 7
DOI: 10.3390/informatics6010007
ISSN: 2227-9709
Distribution license: Creative Commons Attribution 4.0 International
Website: https://www.mdpi.com/2227-9709/6/1/7/htm
Download: https://www.mdpi.com/2227-9709/6/1/7/pdf (PDF)

Abstract

Mobile sensors have already proven to be helpful in different aspects of people’s everyday lives such as fitness, gaming, navigation, etc. However, illegitimate access to these sensors results in a malicious program running with an exploit path. While users are benefiting from richer and more personalized apps, the growing number of sensors introduces new security and privacy risks to end-users and makes the task of sensor management more complex. In this paper, we first discuss the issues around the security and privacy of mobile sensors. We investigate the available sensors on mainstream mobile devices and study the permission policies that Android, iOS and mobile web browsers offer for them. Second, we reflect on the results of two workshops that we organized on mobile sensor security. In these workshops, the participants were introduced to mobile sensors by working with sensor-enabled apps. We evaluated the risk levels perceived by the participants for these sensors after they understood the functionalities of these sensors. The results showed that knowing sensors by working with sensor-enabled apps would not immediately improve the users’ security inference of the actual risks of these sensors. However, other factors such as the prior general knowledge about these sensors and their risks had a strong impact on the users’ perception. We also taught the participants about the ways that they could audit their apps and their permissions. Our findings showed that when mobile users were provided with reasonable choices and intuitive teaching, they could easily self-direct themselves to improve their security and privacy. Finally, we provide recommendations for educators, app developers, and mobile users to contribute toward awareness and education on this topic.

Keywords: mobile sensors, IoT sensors, sensor security, security education, app permission, mobile security awareness, user privacy, user security, sensor attacks

Introduction

According to The Economist[1], smartphones have become the fastest-selling gadgets in history, outselling personal computers (PCs) four to one. Today, about half the adult population owns a smartphone; by 2020, 80% will. Mobile and smart device vendors are increasingly augmenting their products with various types of sensors such as the Hall sensor, accelerometer, NFC (near-field communication) sensor, heart rate sensor, and iris scanner, which are connected to each other through the internet of things (IoT). We have observed that approximately 10 new sensors have been added to, or have become popular in, mainstream mobile devices in less than two years, bringing the number of mobile sensors to more than 30. Examples include FaceID, Active edge, depth cameras (using infrared), thermal cameras, air sensors, laser sensors, haptic sensors, iris scanners, heart rate sensors, and body sensors.

Sensors are added to mobile and other devices to make them smart: to sense the surrounding environment and infer aspects of the context of use, and thus to facilitate more meaningful interactions with the user. Many of these sensors are used in popular mobile apps such as fitness trackers and games. Mobile sensors have also been proposed for security purposes, e.g., authentication[2][3], authorization[4], device pairing[5], and secure contactless payment.[6] However, malicious access to sensor streams results in an installed app running in the background with an exploit path. Researchers have shown that user PINs and passwords can be disclosed through sensors such as the camera and microphone[7], the ambient light sensor[8], and the gyroscope.[9] Sensors such as NFC can also be misused to attack financial payments.[10]


References

  1. "Planet of the Phones". The Economist. The Economist Newspaper Limited. 26 February 2015. https://www.economist.com/leaders/2015/02/26/planet-of-the-phones. Retrieved 30 November 2018. 
  2. De Luca, A.; Hang, A.; Brudy, F. et al. (2012). "Touch me once and I know it's you!: Implicit authentication based on touch screen patterns". Proceedings of the 2012 SIGCHI Conference on Human Factors in Computing Systems: 987–96. doi:10.1145/2207676.2208544.
  3. Bo, C.; Zhang, L.; Li, X.-Y. et al. (2013). "SilentSense: Silent user identification via touch and movement behavioral biometrics". Proceedings of the 19th Annual International Conference on Mobile Computing & Networking: 187–90. doi:10.1145/2500423.2504572. 
  4. Li, H.; Ma, D.; Saxena, N. et al. (2013). "Tap-Wave-Rub: Lightweight malware prevention for smartphones using intuitive human gestures". Proceedings of the Sixth ACM Conference on Security and Privacy in Wireless and Mobile Networks: 25–30. doi:10.1145/2462096.2462101. 
  5. Mayrhofer, R.; Gellersen, H. (2007). "Shake Well Before Use: Authentication Based on Accelerometer Data". In LaMarca, A.; Langheinrich, M.; Truong, K.N. Pervasive Computing - Pervasive 2007. pp. 144–61. doi:10.1007/978-3-540-72037-9_9. ISBN 9783540720379.
  6. Mehrnezhad, M.; Hao, F.; Shahandashti, S.F. (2015). "Tap-Tap and Pay (TTP): Preventing the Mafia Attack in NFC Payment". In Chen, L.; Matsuo, S. Security Standardisation Research - SSR 2015. pp. 21–39. doi:10.1007/978-3-319-27152-1_2. ISBN 9783319271521.
  7. Simon, L.; Anderson, R. (2013). "PIN skimmer: Inferring PINs through the camera and microphone". Proceedings of the Third ACM workshop on Security and Privacy in Smartphones & Mobile Devices: 67–78. doi:10.1145/2516760.2516770. 
  8. Spreitzer, R. (2014). "PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices". Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones & Mobile Devices: 51–62. doi:10.1145/2666620.2666622. 
  9. Xu, Z.; Bai, K.; Zhu, S. (2012). "TapLogger: Inferring user inputs on smartphone touchscreens using on-board motion sensors". Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks: 113–24. doi:10.1145/2185448.2185465. 
  10. Mehrnezhad, M.; Ali, M.A.; Hao, F. et al. (2016). "NFC Payment Spy: A Privacy Attack on Contactless Payments". In Chen, L.; Matsuo, S. Security Standardisation Research - SSR 2016. Article 4. doi:10.1007/978-3-319-49100-4_4. ISBN 9783319491004.

Notes

This presentation is faithful to the original, with only a few minor changes to presentation. Grammar was cleaned up for smoother reading. In some cases important information was missing from the references, and that information was added.