Stealing PINs via mobile sensors: actual risk versus user perception

Mehrnezhad, Maryam; Toreini, Ehsan; Shahandashti, Siamak F.; Hao, Feng

doi:10.1007/s10207-017-0369-x

Cited by 48 publications

(48 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, it is expected that app stores such as the Apple app store and Google Play will screen the apps and impose severe penalties if the app is found to contain malicious content. However, in the browser-based attacks described in [11][12][13][14], we have demonstrated that these measures are ineffective. Apart from academic efforts, there are industrial solutions (e.g., Navenio (navenio.com)) that use some of these sensors such as the accelerometer to track users precisely indoors and outdoors.…”

Section: Sensor Management Challengesmentioning

confidence: 85%

“…In our previous research [11][12][13][14], we have shown that the sensor management problem is spreading from apps to browsers. We proposed and implemented the first JavaScript-based side channel attack revealing a wide range of sensitive information about users such as phone calls' timing, physical activities (sitting, walking, running, etc.…”

Section: Introductionmentioning

confidence: 99%

“…Through a series of user studies over the years [13,14], we concluded that mobile users are not generally familiar with most sensors. In addition, we observed that there is a significant disparity between the actual and perceived risk levels of sensors.…”

Section: Introductionmentioning

confidence: 99%

“…for motion sensors. In [14], we discussed how this observation, along with other factors, renders many academic and industry solutions ineffective at managing mobile sensors. Given that sensors are going beyond mobile devices, e.g., in a variety of IoT devices in smart homes and cities, the sensor security problem has already attracted more attention not only from researchers, but also from hackers.…”

Section: Introductionmentioning

confidence: 99%

“…Previous research [14,17] has focused on individual user studies to study human aspects of sensor security. In this paper, we present the results of a more advanced teaching method-working with sensor-enabled apps-on the risk level that users associate with the PIN discovery scenario for all sensors.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

What Is This Sensor and Does This App Need Access to It?

Mehrnezhad

Toreini

2019

Informatics

Self Cite

View full text Add to dashboard Cite

Mobile sensors have already proven to be helpful in different aspects of people’s everyday lives such as fitness, gaming, navigation, etc. However, illegitimate access to these sensors results in a malicious program running with an exploit path. While the users are benefiting from richer and more personalized apps, the growing number of sensors introduces new security and privacy risks to end users and makes the task of sensor management more complex. In this paper, first, we discuss the issues around the security and privacy of mobile sensors. We investigate the available sensors on mainstream mobile devices and study the permission policies that Android, iOS and mobile web browsers offer for them. Second, we reflect the results of two workshops that we organized on mobile sensor security. In these workshops, the participants were introduced to mobile sensors by working with sensor-enabled apps. We evaluated the risk levels perceived by the participants for these sensors after they understood the functionalities of these sensors. The results showed that knowing sensors by working with sensor-enabled apps would not immediately improve the users’ security inference of the actual risks of these sensors. However, other factors such as the prior general knowledge about these sensors and their risks had a strong impact on the users’ perception. We also taught the participants about the ways that they could audit their apps and their permissions. Our findings showed that when mobile users were provided with reasonable choices and intuitive teaching, they could easily self-direct themselves to improve their security and privacy. Finally, we provide recommendations for educators, app developers, and mobile users to contribute toward awareness and education on this topic.

show abstract

Section: Sensor Management Challengesmentioning

confidence: 85%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

What Is This Sensor and Does This App Need Access to It?

Mehrnezhad

Toreini

2019

Informatics

Self Cite

View full text Add to dashboard Cite

show abstract

Connecting Human to Physical-World: Security and Privacy Issues in Mobile Crowdsensing

Zhong

Huang

Yang³

et al. 2018

Wireless Networks

View full text Add to dashboard Cite

Towards Empowering the Human for Privacy Online

Coopamootoo

2019

Privacy and Identity Management. Fairness, Accountability, and Transparency in the Age of Big Data

View full text Add to dashboard Cite

While it is often claimed that users are more and more empowered via online technologies [4,16,17,31], the counterpart of privacy dis-empowerment is more than a suspicion [27]. From a humancomputer interaction perspective, the following have previously been observed (1) users still fail to use privacy technologies on a large scale;(2) a number of human-computer interaction mismatches exist that impact the use of privacy technologies [32,22,5,15,6,1]; and (3) the user aect dimension of privacy is fear focused [14]. This paper reports on a experts' perspectives on empowering users towards privacy. We facilitated a workshop with N = 12 inter-disciplinary privacy experts to gather opinions and discuss empowering case-studies We reviewed literature focusing on the empowering versus dis-empowering impact of online technologies, and looked into psychological empowerment and usable privacy research. The workshop participants pointed to a state of privacy dis-empowerment online, with human-computer interaction and business models as major themes. While it was clear that there is no clear-cut solution, supporting clearer communication channels was key to experts' mental models of empowered privacy online. They recommended enabling user understanding, not only for privacy threats but also in using privacy technologies and building user skills. To facilitate user interaction with complex secure communication tools, they suggested a transparency enhancing tool as a bridge between the user and encryption technology. The outcome of the workshop and our review support the need for an approach that enables the human user, as well as their interactions and their active participation. For that we postulate the application of psychological empowerment [33]. To our knowledge, this paper provides the rst known discussion among inter-disciplinary privacy experts on the topic of privacy dis-empowerment online, as well as the rst categorisation of HCI mismatches impacting the use of privacy technologies.

show abstract

Stealing PINs via mobile sensors: actual risk versus user perception

Cited by 48 publications

References 26 publications

What Is This Sensor and Does This App Need Access to It?

What Is This Sensor and Does This App Need Access to It?

Connecting Human to Physical-World: Security and Privacy Issues in Mobile Crowdsensing

Towards Empowering the Human for Privacy Online

Contact Info

Product

Resources

About