<efrbr:recordSet xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:efrbr="http://vfrbr.info/efrbr/1.1" xmlns:efrbr-work="http://vfrbr.info/efrbr/1.1/work" xmlns:efrbr-expression="http://vfrbr.info/efrbr/1.1/expression" xmlns:efrbr-manifestation="http://vfrbr.info/efrbr/1.1/manifestation" xmlns:efrbr-person="http://vfrbr.info/efrbr/1.1/person" xmlns:efrbr-corporateBody="http://vfrbr.info/efrbr/1.1/corporateBody" xmlns:efrbr-concept="http://vfrbr.info/efrbr/1.1/concept" xmlns:efrbr-structure="http://vfrbr.info/efrbr/1.1/structure" xmlns:efrbr-responsible="http://vfrbr.info/efrbr/1.1/responsible" xmlns:efrbr-subject="http://vfrbr.info/efrbr/1.1/subject" xmlns:efrbr-other="http://vfrbr.info/efrbr/1.1/other" xsi:schemaLocation="http://vfrbr.info/efrbr/1.1 http://vfrbr.info/schemas/1.1/efrbr.xsd"><efrbr:entities><efrbr-work:work identifier="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8"><efrbr-work:titleOfTheWork>The seven deadly sins of the HTML5 WebAPI: a large-scale study on the risks of mobile sensor-based attacks</efrbr-work:titleOfTheWork></efrbr-work:work><efrbr-expression:expression identifier="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8"><efrbr-expression:titleOfTheExpression>The seven deadly sins of the HTML5 WebAPI: a large-scale study on the risks of mobile sensor-based attacks</efrbr-expression:titleOfTheExpression><efrbr-expression:formOfExpression vocabulary="DIAS:TYPES">
            Peer-Reviewed Journal Publication
            Publication in a Peer-Reviewed Journal
         </efrbr-expression:formOfExpression><efrbr-expression:dateOfExpression type="issued">2021-06-01</efrbr-expression:dateOfExpression><efrbr-expression:dateOfExpression type="published">2020</efrbr-expression:dateOfExpression><efrbr-expression:languageOfExpression vocabulary="iso639-1">en</efrbr-expression:languageOfExpression><efrbr-expression:summarizationOfContent>Modern smartphone sensors can be leveraged for providing novel functionality and greatly improving the user experience. However, sensor data can be misused by privacy-invasive or malicious entities. Additionally, a wide range of other attacks that use mobile sensor data have been demonstrated; while those attacks have typically relied on users installing malicious apps, browsers have eliminated that constraint with the deployment of HTML5 WebAPI.

In this article, we conduct a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users by conducting a large-scale study of mobile-specific HTML5 WebAPI calls across more than 183K of the most popular websites. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. In detail, our system intercepts and tracks data access in real time, from the WebAPI JavaScript calls down to the Android system calls. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% of websites accessing at least one sensor. To provide a comprehensive assessment of the risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites can carry out at least one attack and emphasize the need for a standardized policy across all browsers and the ability for users to control what sensor data each website can access.</efrbr-expression:summarizationOfContent><efrbr-expression:useRestrictionsOnTheExpression type="creative-commons">http://creativecommons.org/licenses/by/4.0/</efrbr-expression:useRestrictionsOnTheExpression><efrbr-expression:note type="journal name">ACM Transactions on Privacy and Security</efrbr-expression:note><efrbr-expression:note type="journal volume">23</efrbr-expression:note><efrbr-expression:note type="journal number">4</efrbr-expression:note><efrbr-expression:note type="page range">1–31</efrbr-expression:note></efrbr-expression:expression><efrbr-person:person identifier="E6974649-0C3B-4679-A81A-CF2890484C6B"><efrbr-person:nameOfPerson vocabulary="">
            Diamantaris Michalis
         </efrbr-person:nameOfPerson></efrbr-person:person><efrbr-person:person identifier="984C7CF0-CEB5-48C6-86D1-1DE470C8BFDB"><efrbr-person:nameOfPerson vocabulary="">
            Marcantoni Francesco
         </efrbr-person:nameOfPerson></efrbr-person:person><efrbr-person:person identifier="http://users.isc.tuc.gr/~sioannidis"><efrbr-person:nameOfPerson vocabulary="TUC:LDAP">
            Ioannidis Sotirios
            Sotirios
         </efrbr-person:nameOfPerson></efrbr-person:person><efrbr-person:person identifier="B9839FDC-DCE5-4CA8-BE80-E4F3795951A8"><efrbr-person:nameOfPerson vocabulary="">
            Polakis Jason
         </efrbr-person:nameOfPerson></efrbr-person:person><efrbr-corporateBody:corporateBody identifier="https://v2.sherpa.ac.uk/id/publisher/21"><efrbr-corporateBody:nameOfTheCorporateBody vocabulary="S/R:PUBLISHERS">
            Association for Computing Machinery (ACM)
         </efrbr-corporateBody:nameOfTheCorporateBody></efrbr-corporateBody:corporateBody><efrbr-concept:concept identifier="12AB5F3E-174F-4D63-95D0-815DAD443318"><efrbr-concept:termForTheConcept>
            Android
         </efrbr-concept:termForTheConcept></efrbr-concept:concept><efrbr-concept:concept identifier="7E8A9645-92F9-48DC-B83B-1C4C3EE18A9E"><efrbr-concept:termForTheConcept>
            Mobile HTML5
         </efrbr-concept:termForTheConcept></efrbr-concept:concept><efrbr-concept:concept identifier="EB52E52E-C95A-462B-9A91-8DCA25F89DF2"><efrbr-concept:termForTheConcept>
            WebAPI
         </efrbr-concept:termForTheConcept></efrbr-concept:concept><efrbr-concept:concept identifier="4A2A8097-1251-4468-A53F-E9B736CB4E88"><efrbr-concept:termForTheConcept>
            Mobile sensors
         </efrbr-concept:termForTheConcept></efrbr-concept:concept><efrbr-concept:concept identifier="1C78B6F5-B256-4E53-AF4F-547F4EE8B750"><efrbr-concept:termForTheConcept>
            Sensor attack taxonomy
         </efrbr-concept:termForTheConcept></efrbr-concept:concept><efrbr-concept:concept identifier="5FE0024F-ECA8-44D3-BB04-1EF0F72B0C0D"><efrbr-concept:termForTheConcept>
            Browser guidelines
         </efrbr-concept:termForTheConcept></efrbr-concept:concept></efrbr:entities><efrbr:relationships><efrbr-structure:structureRelations><efrbr-structure:realizedThrough sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="expression" targetURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8"/></efrbr-structure:structureRelations><efrbr-responsible:responsibleRelations><efrbr-responsible:createdBy sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="person" targetURI="E6974649-0C3B-4679-A81A-CF2890484C6B"/><efrbr-responsible:realizedBy sourceEntity="expression" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="person" targetURI="E6974649-0C3B-4679-A81A-CF2890484C6B" role="author"/><efrbr-responsible:realizedBy sourceEntity="expression" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="person" targetURI="984C7CF0-CEB5-48C6-86D1-1DE470C8BFDB" role="author"/><efrbr-responsible:realizedBy sourceEntity="expression" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="person" targetURI="http://users.isc.tuc.gr/~sioannidis" role="author"/><efrbr-responsible:realizedBy sourceEntity="expression" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="person" targetURI="B9839FDC-DCE5-4CA8-BE80-E4F3795951A8" role="author"/><efrbr-responsible:realizedBy sourceEntity="expression" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="person" targetURI="https://v2.sherpa.ac.uk/id/publisher/21" role="publisher"/></efrbr-responsible:responsibleRelations><efrbr-subject:subjectRelations><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="concept" 
targetURI="12AB5F3E-174F-4D63-95D0-815DAD443318"/><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="concept" targetURI="7E8A9645-92F9-48DC-B83B-1C4C3EE18A9E"/><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="concept" targetURI="EB52E52E-C95A-462B-9A91-8DCA25F89DF2"/><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="concept" targetURI="4A2A8097-1251-4468-A53F-E9B736CB4E88"/><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="concept" targetURI="1C78B6F5-B256-4E53-AF4F-547F4EE8B750"/><efrbr-subject:hasSubject sourceEntity="work" sourceURI="http://purl.tuc.gr/dl/dias/0F4254BA-DFFD-48B7-8E4C-8E0EE26D8CF8" targetEntity="concept" targetURI="5FE0024F-ECA8-44D3-BB04-1EF0F72B0C0D"/></efrbr-subject:subjectRelations><efrbr-other:otherRelations/></efrbr:relationships></efrbr:recordSet>