Tracking Mobile Web Users Through Motion Sensors: Attacks and Defenses

Abstract

Modern smartphones contain motion sensors, such as accelerometers and gyroscopes. These sensors have many useful applications; however, they can also be used to uniquely identify a phone by measuring anomalies in the signals, which are a result of manufacturing imperfections. Such measurements can be conducted surreptitiously by web page publishers or advertisers and can thus be used to track users across applications, websites, and visits. We analyze how well sensor fingerprinting works under realworld constraints. We first develop a highly accurate fingerprinting mechanism that combines multiple motion sensors and makes use of inaudible audio stimulation to improve detection. We evaluate this mechanism using measurements from a large collection of smartphones, in both lab and public conditions. We then analyze techniques to mitigate sensor fingerprinting either by calibrating the sensors to eliminate the signal anomalies, or by adding noise that obfuscates the anomalies. We evaluate the impact of calibration and obfuscation techniques on the classifier accuracy; we also look at how such mitigation techniques impact the utility of the motion sensors.