TY - GEN
T1 - WebLogger: Stealing your personal PINs via mobile web application
AU - Song, Rui
AU - Song, Yubo
AU - Dong, Qihong
AU - Hu, Aiqun
AU - Gao, Shang
N1 - Funding Information:
This work was supported by the Fundamental Research Funds for the Central Universities (No. 2242017K40013).
Publisher Copyright:
© 2017 IEEE.
PY - 2017/12/7
Y1 - 2017/12/7
N2 - In recent years, various sensors have been integrated into smartphones to sense the slight motions of the human body. However, security researchers found that these sensors can be used not only for motion detection, but also as a side channel to reveal users' private data by inferring keystrokes. What is worse, as defined in W3C specifications, mobile web applications can get these sensor readings silently without permission from users. Therefore, when cross-site scripting vulnerabilities are found in a mobile web application, attackers can in theory get users' private data remotely via these sensors. However, these attacks are difficult to achieve because mobile web applications can only get sensor readings at a low sampling rate in practical use. In this paper, we proposed a novel ensemble learning algorithm based on weighted voting to improve keystroke inference accuracy at low sensor sampling rates. Based on this novel learning algorithm, a prototype system named WebLogger is developed to demonstrate the possibility of silently inferring the PIN numbers or passwords entered by mobile phone users from a mobile web application. The experimental results show that the prediction accuracy of our learning model can be improved to 70%, which is better than the 50% of single machine learning algorithms.
AB - In recent years, various sensors have been integrated into smartphones to sense the slight motions of the human body. However, security researchers found that these sensors can be used not only for motion detection, but also as a side channel to reveal users' private data by inferring keystrokes. What is worse, as defined in W3C specifications, mobile web applications can get these sensor readings silently without permission from users. Therefore, when cross-site scripting vulnerabilities are found in a mobile web application, attackers can in theory get users' private data remotely via these sensors. However, these attacks are difficult to achieve because mobile web applications can only get sensor readings at a low sampling rate in practical use. In this paper, we proposed a novel ensemble learning algorithm based on weighted voting to improve keystroke inference accuracy at low sensor sampling rates. Based on this novel learning algorithm, a prototype system named WebLogger is developed to demonstrate the possibility of silently inferring the PIN numbers or passwords entered by mobile phone users from a mobile web application. The experimental results show that the prediction accuracy of our learning model can be improved to 70%, which is better than the 50% of single machine learning algorithms.
UR - http://www.scopus.com/inward/record.url?scp=85046395371&partnerID=8YFLogxK
U2 - 10.1109/WCSP.2017.8171036
DO - 10.1109/WCSP.2017.8171036
M3 - Conference article published in proceeding or book
AN - SCOPUS:85046395371
T3 - 2017 9th International Conference on Wireless Communications and Signal Processing, WCSP 2017 - Proceedings
SP - 1
EP - 6
BT - 2017 9th International Conference on Wireless Communications and Signal Processing, WCSP 2017 - Proceedings
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 9th International Conference on Wireless Communications and Signal Processing, WCSP 2017
Y2 - 11 October 2017 through 13 October 2017
ER -