1. bookVolume 2018 (2018): Issue 2 (April 2018)
Journal Details
License
Format
Journal
eISSN
2299-0984
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
access type Open Access

Touch and You’re Trapp(ck)ed: Quantifying the Uniqueness of Touch Gestures for Tracking

Published Online: 20 Feb 2018
Volume & Issue: Volume 2018 (2018) - Issue 2 (April 2018)
Page range: 122 - 142
Received: 31 Aug 2017
Accepted: 16 Dec 2017
Journal Details
License
Format
Journal
eISSN
2299-0984
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
Abstract

We argue that touch-based gestures on touch-screen devices enable the threat of a form of persistent and ubiquitous tracking which we call touch-based tracking. Touch-based tracking goes beyond the tracking of virtual identities and has the potential for cross-device tracking as well as identifying multiple users using the same device. We demonstrate the likelihood of touch-based tracking by focusing on touch gestures widely used to interact with touch devices such as swipes and taps.. Our objective is to quantify and measure the information carried by touch-based gestures which may lead to tracking users. For this purpose, we develop an information theoretic method that measures the amount of information about users leaked by gestures when modelled as feature vectors. Our methodology allows us to evaluate the information leaked by individual features of gestures, samples of gestures, as well as samples of combinations of gestures. Through our purpose-built app, called TouchTrack, we gather gesture samples from 89 users, and demonstrate that touch gestures contain sufficient information to uniquely identify and track users. Our results show that writing samples (on a touch pad) can reveal 73.7% of information (when measured in bits), and left swipes can reveal up to 68.6% of information. Combining different combinations of gestures results in higher uniqueness, with the combination of keystrokes, swipes and writing revealing up to 98.5% of information about users. We further show that, through our methodology, we can correctly re-identify returning users with a success rate of more than 90%.

Keywords

[1] C. Bo, L. Zhang, X.-Y. Li, Q. Huang, and Y. Wang. SilentSense: Silent User Identification via Dynamics of Touch and Movement Behavioral Biometrics. MobiCom ’13, page 187, 2013.10.1145/2500423.2504572Search in Google Scholar

[2] H. Bojinov and Y. Michalevsky. Mobile Device Identification via Sensor Fingerprinting. arXiv preprint arXiv: . . ., 2014.Search in Google Scholar

[3] D. Chaffey. How many connected devices do consumers use today?. http://www.smartinsights.com/traffic-buildingstrategy/integrated-marketing-communications/many-connected-devices-use-today-chartoftheday/, 2016.Search in Google Scholar

[4] T. Chen, A. Chaabane, P. U. Tournoux, M.-A. Kaafar, and R. Boreli. How much is too much? leveraging ads audience estimation to evaluate public profile uniqueness. In International Symposium on Privacy Enhancing Technologies Symposium, pages 225–244. Springer, 2013.10.1007/978-3-642-39077-7_12Open DOISearch in Google Scholar

[5] M. Conti, I. Zachia-Zlatea, and B. Crispo. Mind how you answer me!: transparently authenticating the user of a smartphone when answering or placing a call. Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, pages 249–259, 2011.10.1145/1966913.1966945Search in Google Scholar

[6] J. Corripio, D. González, A. Orozco, L. Villalba, J. Hernandez-Castro, and S. Gibson. Source smartphone identification using sensor pattern noise and wavelet transform. 5th International Conference on Imaging for Crime Detection and Prevention, ICDP 2013, 2013.Search in Google Scholar

[7] A. Das and N. Borisov. Poster : Fingerprinting Smartphones Through Speaker. 35th IEEE Symposium on Security and Provacy, pages 2–3, 2014.Search in Google Scholar

[8] A. Das, N. Borisov, and M. Caesar. Do You Hear What I Hear?: Fingerprinting Smart Devices Through Embedded Acoustic Components. Ccs, pages 441–452, 2014.10.1145/2660267.2660325Search in Google Scholar

[9] A. Das, N. Borisov, and M. Caesar. Tracking Mobile Web Users Through Motion Sensors : Attacks and Defenses. Ndss, (February):21–24, 2016.Search in Google Scholar

[10] C. De Boor. A practical guide to splines, volume 27 of Applied mathematical sciences. Springer-Verlag New York, 1978.10.1007/978-1-4612-6333-3Search in Google Scholar

[11] M. O. Derawi, C. Nickely, P. Bours, and C. Busch. Unobtrusive user-authentication on mobile phones using biometric gait recognition. Proceedings - 2010 6th International Conference on Intelligent Information Hiding and Multimedia Signal Processing, IIHMSP 2010, pages 306–311, 2010.10.1109/IIHMSP.2010.83Search in Google Scholar

[12] S. Dey, N. Roy, W. Xu, R. R. Choudhury, and S. Nelakuditi. AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable. Network and Distributed System Security Symposium (NDSS), (February):23–26, 2014.Search in Google Scholar

[13] P. Eckersley. How Unique Is Your Browser? Proc. of the Privacy Enhancing Technologies Symposium (PETS), pages 1–18, 2010.10.1007/978-3-642-14527-8_1Search in Google Scholar

[14] M. Frank, R. Biedert, E. Ma, I. Martinovic, and D. Song. Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE Transactions on Information Forensics and Security, 8(1):136–148, 2013.10.1109/TIFS.2012.2225048Open DOISearch in Google Scholar

[15] C. Giuffrida, K. Majdanik, M. Conti, and H. Bos. I sensed it was you: Authenticating mobile users with sensor-enhanced keystroke dynamics. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 8550 LNCS:92–111, 2014.Search in Google Scholar

[16] M. Jakobsson, E. Shi, P. Golle, and R. Chow. Implicit authentication for mobile devices. Proceedings of the 4th USENIX conference on Hot topics in security (HotSec’09), page 9, 2009.Search in Google Scholar

[17] P. Kang and S. Cho. Keystroke dynamics-based user authentication using long and free text strings from various input devices. Information Sciences, 308:72–93, 2015.10.1016/j.ins.2014.08.070Search in Google Scholar

[18] T. Kohno, A. Broido, and K. C. Claffy. Remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing, 2(2):93–108, 2005.10.1109/TDSC.2005.26Open DOISearch in Google Scholar

[19] A. Kurtz, H. Gascon, T. Becker, K. Rieck, and F. Freiling. Fingerprinting Mobile Devices Using Personalized Configurations. Proceedings on Privacy Enhancing Technologies, 2016(1):4–19, 2016.10.1515/popets-2015-0027Search in Google Scholar

[20] P. Laperdrix, W. Rudametkin, and B. Baudry. Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. Proceedings - 2016 IEEE Symposium on Security and Privacy, SP 2016, pages 878–894, 2016.10.1109/SP.2016.57Search in Google Scholar

[21] E. Maiorana, P. Campisi, N. González-Carballo, and A. Neri. Keystroke dynamics authentication for mobile phones. Proceedings of the 2011 ACM Symposium on Applied Computing SAC 11, pages 21–26, 2011.10.1145/1982185.1982190Search in Google Scholar

[22] J. R. Mayer. Internet Anonymity in the Age of Web 2.0. A Senior Thesis presented to the Faculty of the Woodrow Wilson School of Public and International Affairs in partial fulfillment of the requirements for the degree of Bachelor of Arts., page 103, 2009.Search in Google Scholar

[23] Y. Meng, D. S. Wong, R. Schlegel, and L. F. Kwok. Touch gestures based biometric authentication scheme for touchscreen mobile phones. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 7763 LNCS:331–350, 2013.10.1007/978-3-642-38519-3_21Search in Google Scholar

[24] Ł. Olejnik, G. Acar, C. Castelluccia, and C. Diaz. The leaking battery: A privacy analysis of the HTML5 battery status API. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 9481:254–263, 2016.Search in Google Scholar

[25] Ł. Olejnik, C. Castelluccia, and A. Janc. Why Johnny Can’t Browse in Peace: On the Uniqueness of Web Browsing History Patterns. 5th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2012), pages 1–16, 2012.Search in Google Scholar

[26] H. Peng, F. Long, and C. Ding. Feature selection based on mutual information: Criteria of Max-Dependency, Max-Relevance, and Min-Redundancy. IEEE Transactions on Pattern Analysis and Machine Intelligence, 27(8):1226–1238, 2005.Search in Google Scholar

[27] D. Perito, C. Castelluccia, M. A. Kaafar, and P. Manils. How unique and traceable are usernames? In International Symposium on Privacy Enhancing Technologies Symposium, pages 1–17. Springer, 2011.10.1007/978-3-642-22263-4_1Search in Google Scholar

[28] N. Sae-bae, N. Memon, K. Isbister, and K. Ahmed. Multitouch Gesture-Based Authentication can the system accurately distinguish between. 9(4):568–582, 2014.10.1109/TIFS.2014.2302582Search in Google Scholar

[29] D. W. Scott. On optimal and data-based histograms. Biometrika, 66:605–610, 1979.10.1093/biomet/66.3.605Open DOISearch in Google Scholar

[30] S. Seneviratne, A. Seneviratne, P. Mohapatra, and A. Mahanti. Predicting user traits from a snapshot of apps installed on a smartphone. Mobile Computing and Communications Review, 18(2):1–8, 2014.10.1145/2636242.2636244Search in Google Scholar

[31] M. Shahzad, A. X. Liu, and A. Samuel. Secure Unlocking of Mobile Touch Screen Devices by Simple Gestures – You can see it but you can not do it. Proc. of MobiCom, page 39, 2013.10.1145/2500423.2500434Search in Google Scholar

[32] M. Sherman, G. Clark, Y. Yang, S. Sugrim, A. Modig, J. Lindqvist, A. Oulasvirta, and T. Roos. User-generated free-form gestures for authentication: Security and memorability. In Proceedings of the 12th annual international conference on Mobile systems, applications, and services, pages 176–189. ACM, 2014.10.1145/2594368.2594375Search in Google Scholar

[33] E. Shi, Y. Niu, M. Jakobsson, and R. Chow. Implicit authentication through learning user behavior. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 6531 LNCS:99–113, 2011.10.1007/978-3-642-18178-8_9Search in Google Scholar

[34] L. Sweeney. Simple demographics often identify people uniquely. Carnegie Mellon University, Data Privacy Working Paper 3. Pittsburgh 2000, pages 1–34, 2000.Search in Google Scholar

[35] M. Tamviruzzaman, S. I. Ahamed, C. S. Hasan, and C. O’brien. ePet:when cellular phone learns to recognize its owner. Proceedings of the 2nd ACM workshop on Assurable and usable security configuration - SafeConfig ’09, page 13, 2009.10.1145/1655062.1655066Search in Google Scholar

[36] C. M. Tey, P. Gupta, and D. Gao. I can be You: Questioning the use of Keystroke Dynamics as Biometrics. 20th Annual Network and Distributed System Security Symposium - NDSS ’13, pages 1 – 16, 2013.Search in Google Scholar

[37] H. Xu, Y. Zhou, and M. R. Lyu. Towards Continuous and Passive Authentication via Touch Biometrics: An Experimental Study on Smartphones. SOUPS ’14: Proceedings of the Tenth Symposium On Usable Privacy and Security, pages 187–198, 2014.Search in Google Scholar

[38] T.-F. Yen, Y. Xie, F. Yu, R. P. Yu, and M. Abadi. Host Fingerprinting and Tracking on the Web: Privacy and Security Implications. Network and Distributed System Security Symposium, pages 1–16, 2012.Search in Google Scholar

[39] S. Zahid, M. Shahzad, S. A. Khayam, and M. Farooq. Keystroke-based User Identification on Smart Phones.pdf. pages 1–18.Search in Google Scholar

[40] X. Zhao, T. Feng, and W. Shi. Continuous mobile authentication using a novel Graphic Touch Gesture Feature. IEEE 6th International Conference on Biometrics: Theory, Applications and Systems, BTAS 2013, 2013.10.1109/BTAS.2013.6712747Search in Google Scholar

[41] N. Zheng, K. Bai, H. Huang, and H. Wang. You are how you touch: User verification on smartphones via tapping behaviors. Proceedings - International Conference on Network Protocols, ICNP, pages 221–232, 2014.10.1109/ICNP.2014.43Search in Google Scholar

[42] Z. Zhou, W. Diao, X. Liu, and K. Zhang. Acoustic Fingerprinting Revisited: Generate Stable Device ID Stealthily with Inaudible Sound. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security - CCS ’14, pages 429–440, 2014.10.1145/2660267.2660300Search in Google Scholar

Recommended articles from Trend MD

Plan your remote conference with Sciendo