Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
Online
ISSN
2299-0984
See all formats and pricing
More options …

Fingerprinting Mobile Devices Using Personalized Configurations

Andreas Kurtz
  • Corresponding author
  • Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)
  • Email:
/ Hugo Gascon
  • University of Göttingen
  • Email:
/ Tobias Becker
  • Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)
  • Email:
/ Konrad Rieck
  • University of Göttingen
  • Email:
/ Felix Freiling
  • Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)
  • Email:
Published Online: 2015-09-08 | DOI: https://doi.org/10.1515/popets-2015-0027

Abstract

Recently, Apple removed access to various device hardware identifiers that were frequently misused by iOS third-party apps to track users. We are, therefore, now studying the extent to which users of smartphones can still be uniquely identified simply through their personalized device configurations. Using Apple’s iOS as an example, we show how a device fingerprint can be computed using 29 different configuration features. These features can be queried from arbitrary thirdparty apps via the official SDK. Experimental evaluations based on almost 13,000 fingerprints from approximately 8,000 different real-world devices show that (1) all fingerprints are unique and distinguishable; and (2) utilizing a supervised learning approach allows returning users or their devices to be recognized with a total accuracy of 97% over time

Keywords: Fingerprinting; Apple iOS; Mobile Device; Privacy

References

  • [1] Apple, “Worldwide Developer’s Conference (WWDC) Keynote 2014.” http://devstreaming.apple.com/videos/wwdc/2014/101xx36lr6smzjo/101/101_hd.mov.Google Scholar

  • [2] AppBrain Stats, “Distribution of free vs. paid Android apps.” http://www.appbrain.com/stats/free-and-paid-androidapplications.Google Scholar

  • [3] M. Egele, C. Kruegel, E. Kirda, and G. Vigna, “Pios: Detecting privacy leaks in ios applications.,” in NDSS, 2011.Google Scholar

  • [4] A. Kurtz, A. Weinlein, C. Settgast, and F. Freiling, “DiOS: Dynamic Privacy Analysis of iOS Applications,” Tech. Rep. CS-2014-03, June 2014.Google Scholar

  • [5] M. C. Grace, W. Zhou, X. Jiang, and A.-R. Sadeghi, “Unsafe exposure analysis of mobile in-app advertisements,” in Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, pp. 101-112, ACM, 2012.Google Scholar

  • [6] Google, “Android Developer Reference, TelephonyManager, getDeviceId().” http://developer.android.com/reference/android/telephony/TelephonyManager.html#getDeviceId().Google Scholar

  • [7] Y. Agarwal and M. Hall, “Protectmyprivacy: detecting and mitigating privacy leaks on ios devices using crowdsourcing,” in Proceeding of the 11th annual international conference on Mobile systems, applications, and services, pp. 97-110, ACM, 2013.Google Scholar

  • [8] Apple, “Worldwide Developer’s Conference (WWDC) Keynote 2014.” http://devstreaming.apple.com/videos/wwdc/2014/101xx36lr6smzjo/101/101_hd.mov.Google Scholar

  • [9] P. Eckersley, “How unique is your web browser?,” in Privacy Enhancing Technologies, pp. 1-18, Springer, 2010.Google Scholar

  • [10] N. Nikiforakis, A. Kapravelos, W. Joosen, C. Kruegel, F. Piessens, and G. Vigna, “Cookieless monster: Exploring the ecosystem of web-based device fingerprinting,” in Security and Privacy (SP), 2013 IEEE Symposium on, pp. 541-555, IEEE, 2013.Google Scholar

  • [11] G. Acar, C. Eubank, S. Englehardt, M. Juarez, A. Narayanan, and C. Diaz, “The web never forgets: Persistent tracking mechanisms in the wild,” in Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS 2014), 2014.Google Scholar

  • [12] K. Boda, Á. M. Földes, G. G. Gulyás, and S. Imre, “User tracking on the web via cross-browser fingerprinting,” in Information Security Technology for Applications, pp. 31-46, Springer, 2012.Google Scholar

  • [13] K. Mowery and H. Shacham, “Pixel perfect: Fingerprinting canvas in html5,” Proceedings of W2SP, 2012.Google Scholar

  • [14] J. Lukas, J. Fridrich, and M. Goljan, “Digital camera identification from sensor pattern noise,” Information Forensics and Security, IEEE Transactions on, vol. 1, no. 2, pp. 205-214, 2006.Google Scholar

  • [15] M. Chen, J. Fridrich, M. Goljan, and J. Lukás, “Determining image origin and integrity using sensor noise,” Information Forensics and Security, IEEE Transactions on, vol. 3, no. 1, pp. 74-90, 2008.Google Scholar

  • [16] O. Çeliktutan, B. Sankur, and I. Avcibas, “Blind identification of source cell-phone model,” Information Forensics and Security, IEEE Transactions on, vol. 3, no. 3, pp. 553-566, 2008.Google Scholar

  • [17] J. R. Corripio, A. Sandoval Orozco, L. Garcia Villalba, J. C. Hernandez-Castro, and S. J. Gibson, “Source smartphone identification using sensor pattern noise and wavelet transform,” 2013.Google Scholar

  • [18] H. Bojinov, Y. Michalevsky, G. Nakibly, and D. Boneh, “Mobile device identification via sensor fingerprinting,” arXiv preprint arXiv:1408.1416, 2014.Google Scholar

  • [19] A. Das, N. Borisov, and M. Caesar, “Do you hear what i hear? fingerprinting smart devices through embedded acoustic components,” 2014.Google Scholar

  • [20] Z. Zhou, W. Diao, X. Liu, and K. Zhang, “Acoustic fingerprinting revisited: Generate stable device id stealthy with inaudible sound,” arXiv preprint arXiv:1407.0803, 2014.Google Scholar

  • [21] S. Dey, N. Roy, W. Xu, R. R. Choudhury, and S. Nelakuditi, “Accelprint: Imperfections of accelerometers make smartphones trackable,” in Proceedings of the Network and Distributed System Security Symposium (NDSS), 2014.Google Scholar

  • [22] S. Seneviratne, A. Seneviratne, P. Mohapatra, and A. Mahanti, “Predicting user traits from a snapshot of apps installed on a smartphone,” ACM SIGMOBILE Mobile Computing and Communications Review, vol. 18, no. 2, pp. 1-8, 2014.Google Scholar

  • [23] A. J. Oliner, A. P. Iyer, I. Stoica, E. Lagerspetz, and S. Tarkoma, “Carat: Collaborative Energy Diagnosis for Mobile Devices,” Proceedings of the 11th ACM Conference on Embedded Networked Sensor Systems, pp. 10:1--10:14, 2013.Google Scholar

  • [24] Apple, “Submitting Apps that Use the Advertising Identifier.” https://developer.apple.com/news/?id=08282014a.Google Scholar

  • [25] Y. Lechelle, “OpenUDID.” https://github.com/ylechelle/OpenUDID.Google Scholar

  • [26] Apple, “iOS 7.0 Release Notes.” https://developer.apple.com/library/ios/releasenotes/General/RN-iOSSDK-7.0/.Google Scholar

  • [27] Y. Lechelle, “OpenIDFA.” https://github.com/ylechelle/OpenIDFA.Google Scholar

  • [28] Apple, “iOS Developer Library.” https://developer.apple.com/library/ios/navigation/. Google Scholar

About the article

Received: 2015-04-15

Revised: 2015-07-15

Accepted: 2015-07-15

Published Online: 2015-09-08

Published in Print: 2016-01-01


Citation Information: Proceedings on Privacy Enhancing Technologies, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2015-0027.

Export Citation

© 2015. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. BY-NC-ND 3.0

Comments (0)

Please log in or register to comment.
Log in