Security side channels enabled by smartphone user interaction

Adam J Aviv, University of Pennsylvania


As smartphones become ever more present and interwoven into the daily computing of individuals, a broader perspective of the differences between computer security and smartphone security must be considered. As general-purpose computers, smartphones inherently suffer from all the same computer security issues as traditional computers; however, there exist fundamental differences between smartphones and traditional computing in how we interact with smartphones via the touchscreen. Smartphone interaction is physical, hand-held, and tactile, and this thesis shows how this interaction leads to new side channel vulnerabilities. This is demonstrated through the study of two side channels: one based on external smartphone observations via photographic and forensic evidence, and the other based on internal smartphone observations via the smartphone's on-board sensors. First, we demonstrate a smudge attack, a side channel resulting from oily residues remaining on the touch screen surface after user input. We show that these external observations can reveal users' Android password patterns, and we show that properties of the Android password pattern, in particular, render it susceptible to this attack. Next, we demonstrate a sensor-based side channel that leverages the smartphone's internal on-board sensors, particularly the accelerometer, to surreptitiously learn about user input. We show that such attacks are practical; however, broad dictionary-based attacks may be challenging. The contributions of this thesis also speak to the future of security research as new computing platforms with new computing interfaces are developed. We argue that a broad perspective of the security of these new devices must be considered, including the computing interface.

Subject Area

Computer science

