
2017 2nd International Conference on Computer Science and Technology (CST 2017) ISBN: 978-1-60595-461-5

Zero-Permission Mobile Device Identification Based on the Similarity of Browser Fingerprints

Nian-hua KANG¹,², Ming-zhi CHEN¹,²,ᵃ*, Ying-yan FENG¹,², Wei-ning LIN¹,², Chuan-bao LIU¹,² and Guang-yao LI¹,²

¹ College of Mathematics and Computer Science, Fuzhou University, Fuzhou Fujian 350108, China.

² Key Laboratory of Information Security of Network System in Fujian Province, Fuzhou Fujian 350108, China.

ᵃ mchen@fzu.edu.cn

*Corresponding author

Keywords: Browser fingerprints, Device identification, Similarity calculation, Fingerprints matching.

Abstract. Mobile device identification techniques can be applied to security authentication, access control and other fields. They uniquely identify a mobile device through explicit identifiers, e.g., UUID or Android ID, or through differences between mobile device acceleration sensors. However, these methods collect feature data that requires specific conditions or relies on sensitive permissions. To address these issues, we propose a zero-permission mobile device identification algorithm based on the similarity of browser fingerprints. The algorithm first obtains 11 features that are acquired without requesting any permission, e.g., User-agent and screen resolution. These 11 features are combined to form a browser fingerprint of the mobile device. We then define different similarity calculation methods for the features and match fingerprints to identify a device according to similarity. Finally, experiments verify the feasibility and accuracy of the algorithm; the results show that the algorithm can effectively identify devices.

Introduction

A forecast from the International Data Corporation (IDC) Worldwide Quarterly Mobile Phone Tracker predicts worldwide smartphone shipment volumes to grow 4.2% in 2017, and shipments are forecast to reach 1.53 billion units in 2017 and grow to 1.77 billion in 2021 [1]. With the development of computer technology and the popularity of mobile devices, more and more information is exchanged on the Internet through mobile devices. Mobile device identification techniques will be of particular importance for the security of mobile networks, such as avoiding spoofing attacks, and they can be applied to access control, accurate advertising and so on [2]. Statistical studies by Han et al. found that mobile device identification and tracking are widespread [3].


Support Vector Machine with Weighted Majority Voting (WSVM-WMV) for a closed-set mobile phone identification task. Kyle et al. [6] discussed the use of keystroke dynamics, a form of behavioral biometrics that measures how a person types, and the use of accelerometer biometrics, a form of behavioral biometrics that measures how a person holds a mobile device. However, their study is limited to mobile devices using Android OS. Although mobile devices of the same type most likely share the same hardware, certain sensors may suffer from microscopic imperfections introduced during the manufacturing process. Tom et al. [7] identified devices according to variations in the sensor data returned by a mobile device's accelerometer. However, this method only considers accelerometer data collected while the device was placed on a hard surface, and it requires a longer time to collect sufficient accelerometer data. The literature [8,9] identified devices through the anomalies that differences in device microphones and speakers induce in the sound that is produced and recorded, but this requires the record-audio permission.

With the convenience of mobile devices and the improvement of browser performance, more and more users access the Web via a mobile device browser, and web page access through mobile devices shows a growing trend [10]. Eckersley found that when users visit a Web site, the site can collect information about the device's hardware and software configuration by analyzing the information exchanged during Web access, and that this information can be used as a fingerprint for device identification [11]. At present, research on browser fingerprints is mainly carried out on computers. However, upgrading the browser version, installing new fonts or other user operations will cause the fingerprint to change. Static fingerprint matching does not take into account these possible changes in a device fingerprint, so it cannot identify a device after its features change.

In view of the above problems, we propose a zero-permission mobile device identification algorithm based on the similarity of browser fingerprints. The algorithm generates a device fingerprint by collecting 11 features of a mobile device, such as UserAgent, ScreenResolution and PixelRatio. It defines a different similarity calculation method for each kind of feature and identifies the device based on these similarities. Experimental results show that the algorithm can effectively identify devices.

Features Collection and Fingerprint Generation

Unlike IMEI, UUID and other unique identifiers, features collected through a web site may take the same value on different devices. A single feature cannot uniquely identify a device, but each feature carries a different amount of entropy; by selecting features that contain enough entropy and combining them, the resulting fingerprint can identify a device. We studied the methods of obtaining features and the entropy of features, and selected the features shown in Table 1 to be combined into a fingerprint.

Canvas fingerprinting was first proposed by Mowery et al. [13]. It uses differences in image rendering data, obtained through the HTML5 Canvas API and WebGL, to generate fingerprints. With the increasing number of browsers supporting HTML5, we apply the Canvas rendering difference as a feature of the device fingerprint.


Table 1. List of features.

| Features | Description |
|---|---|
| UserAgent | Contains the OS type, version and browser type, version |
| ColorDepth | Color depth of mobile device |
| PixelRatio | The ratio of physical pixel and device-independent pixels |
| ScreenResolution | Screen resolution of mobile device |
| TimeZone | TimeZone of mobile device |
| SessionStorage/LocalStorage | Whether to support SessionStorage and LocalStorage |
| Platform | Platform of mobile device |
| Canvas | Image rendering data through HTML5 Canvas API |
| Language | OS language and browser language |
| Fonts | List of fonts |
| MaxTouchPoints | The maximum number of supported touch points |

Mobile Device Identification Algorithm

Fingerprints Similarity Model

The study [14] reveals that some features used in fingerprinting undergo short-term changes, which makes continuous device identification difficult. Upgrading the browser, modifying the language or other operations will change a device fingerprint.

Static fingerprint matching does not take into account the possible changes in a device fingerprint, so it cannot identify the same device after its features change. Therefore, we propose a method for identifying a device based on the degree of similarity. The similarity degree of fingerprints characterizes the difference between two fingerprints: the greater the similarity degree, the greater the probability that the two fingerprints come from the same device. On a mobile device, different features change with different probabilities. According to these probabilities, we define different functions to calculate the degree of similarity.

Due to the characteristics of mobile devices, the values of PixelRatio, ScreenResolution, TimeZone, MaxTouchPoints, Platform and ColorDepth are very unlikely to change on the same device. The values of SessionStorage and LocalStorage change only in private browsing mode. In this paper, these features are grouped into one class, and we define the similarity calculation function $F(fp_1, fp_2)$, which calculates the similarity of the above features between fingerprint $fp_1$ and fingerprint $fp_2$. The calculation method is shown in formula (1).

$$F(fp_1, fp_2) = \frac{\sum_{i=1}^{8} W_i \times d_i(fp_1, fp_2)}{\sum_{i=1}^{8} W_i} \tag{1}$$

$W_i$ is the entropy of feature $i$. In this paper, the value of $W_i$ refers to the entropy in [2,15]. $d_i(fp_1, fp_2)$ is the similarity value of feature $i$ in $fp_1$ and $fp_2$. Its calculation method is shown in formula (2).

$$d_i(fp_1, fp_2) = \begin{cases} 1, & \text{feature } i \text{ has the same value in } fp_1 \text{ and } fp_2 \\ 0, & \text{feature } i \text{ differs between } fp_1 \text{ and } fp_2 \end{cases} \tag{2}$$

The device OS and browser are the main factors that affect the values of UserAgent and fonts. In this paper, the similarity of UserAgent is calculated by formula (3). $LD$ is the Levenshtein distance between the two UserAgent strings, and $length$ is the length of the longer of the two UserAgent strings.

$$D = 1 - \frac{LD}{length} \tag{3}$$

The data type of fonts is list, the calculation method of similarity is shown in formula (4), where $J(A, B)$ is the Jaccard distance of $A$ and $B$.

$$J(A, B) = \frac{|A \cap B|}{|A \cup B|} \tag{4}$$

The OS, browser and hardware configuration of the device are the main factors that affect the results of Canvas rendering. We compare each pixel between two Canvas results and calculate the similarity of Canvas rendering by formula (5).

$$S = \frac{\sum_{i=1}^{n} attr_i}{n} \tag{5}$$

$$attr_i = \begin{cases} 0, & pixel_i(fp_1) \neq pixel_i(fp_2) \\ 1, & pixel_i(fp_1) = pixel_i(fp_2) \end{cases}$$

where $pixel_i(fp_1)$ and $pixel_i(fp_2)$ are the pixels at point $i$.

Identification Algorithm


Figure 1. Device identification.

The main steps of device identification:

1. Collect the features and generate a fingerprint.

2. Determine whether the same fingerprint exists in the database. If it does, the device is identified. If it does not, calculate the similarity of each feature.

3. If $F(fp_1, fp_2) > T_1$, proceed to the next step. Otherwise, the fingerprint is determined to be from a new device, and the new device fingerprint is added to the database.

4. If $D > T_2$ and $J(A, B) > T_3$, proceed to the next step. Otherwise, the fingerprint is determined to be from a new device, and the new device fingerprint is added to the database.

5. If $S > T_4$, the fingerprint is identified as belonging to a device that has already been recorded, and the stored fingerprint is updated. Otherwise, the fingerprint is determined to be from a new device, and the new device fingerprint is added to the database.
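The five steps above, together with formulas (1) to (5), as an added Python example that is not the paper's own code. The fingerprint dictionary layout, the equal weights standing in for the entropies $W_i$, the threshold values, character-level Levenshtein distance and the "first matching stored fingerprint wins" rule are assumptions; Language is left out because the page assigns it no similarity function.

```python
# Added example, not the paper's code. Weights and thresholds are placeholders.
STABLE = ["PixelRatio", "ScreenResolution", "TimeZone", "MaxTouchPoints",
          "Platform", "ColorDepth", "SessionStorage", "LocalStorage"]
W = dict.fromkeys(STABLE, 1.0)           # W_i: stand-in for per-feature entropy
T1, T2, T3, T4 = 0.8, 0.7, 0.7, 0.9      # constructed thresholds, not from the paper

def levenshtein(a, b):
    prev = list(range(len(b) + 1))       # distances from "" to each prefix of b
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def f_stable(fp1, fp2):                  # formula (1), with d_i from formula (2)
    return sum(W[k] * (fp1[k] == fp2[k]) for k in STABLE) / sum(W.values())

def d_useragent(ua1, ua2):               # formula (3)
    longest = max(len(ua1), len(ua2))
    return 1.0 if longest == 0 else 1 - levenshtein(ua1, ua2) / longest

def j_fonts(a, b):                       # formula (4): |A ∩ B| / |A ∪ B|
    a, b = set(a), set(b)
    return 1.0 if not (a | b) else len(a & b) / len(a | b)

def s_canvas(px1, px2):                  # formula (5); size mismatch counts as 0
    if len(px1) != len(px2) or not px1:
        return 0.0
    return sum(p == q for p, q in zip(px1, px2)) / len(px1)

def same_device(new, old):               # steps 3 to 5, cheapest check first
    return (f_stable(new, old) > T1
            and d_useragent(new["UserAgent"], old["UserAgent"]) > T2
            and j_fonts(new["Fonts"], old["Fonts"]) > T3
            and s_canvas(new["Canvas"], old["Canvas"]) > T4)

def identify(new, database):
    """Return (index in database, is_new_device)."""
    if new in database:                  # step 2: exact (static) match
        return database.index(new), False
    for idx, old in enumerate(database):
        if same_device(new, old):
            database[idx] = new          # step 5: update the stored fingerprint
            return idx, False
    database.append(new)                 # no match: record as a new device
    return len(database) - 1, True

# Constructed sample: the UserAgent strings are Table 3's, the rest is made up.
UA1 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_1 like Mac OS X; zh-CN) "
       "AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/14A403 "
       "UCBrowser/11.0.6.831 Mobile")
UA2 = UA1.replace("11.0.6.831 Mobile", "11.4.8.938 Mobile AliApp(TUnionSDK/0.1.15)")
FP1 = {**dict.fromkeys(STABLE, "x"), "UserAgent": UA1,
       "Fonts": ["PingFang SC", "Helvetica"], "Canvas": [0] * 1000}
FP2 = {**FP1, "UserAgent": UA2, "Canvas": [0] * 999 + [1]}
```

With these placeholder thresholds, `identify(FP2, [FP1])` matches the stored fingerprint despite the changed UserAgent and Canvas, which static matching would treat as a new device. The example does not attempt to reproduce the percentages reported in the experiment.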

Experimental Results and Analysis


Table 2. Change of features.

| Features | Times of change |
|---|---|
| UserAgent | 19 |
| ColorDepth | 0 |
| PixelRatio | 0 |
| ScreenResolution | 0 |
| TimeZone | 2 |
| SessionStorage/LocalStorage | 3 |
| platform | 0 |
| canvas | 11 |
| language | 5 |
| Fonts | 4 |
| maxTouchPoints | 0 |

A change in any feature collected in the experiment affects the generated fingerprint. The change of fingerprints during the test period is shown in Figure 2. Over time, changes continue to increase.

[Figure 2: plot of the rate of change (rate/%) against time (time/day).]

Figure 2. Change rate of fingerprint.

Taking two fingerprints from the experiment as an example, we analyze the feasibility of fingerprint identification based on similarity. The experiment obtains the fingerprint before a browser upgrade and the fingerprint after the browser upgrade from the same device. Except for UserAgent and Canvas, the two fingerprints have the same features. The UserAgent strings of the two fingerprints are shown in Table 3. The calculated similarity is 90.9%, and the similarity of the two canvas results, compared pixel by pixel, is 99.859%. The results show that the two fingerprints are highly similar. Selecting appropriate thresholds makes it possible to identify the device from the fingerprint even when some of its features have changed.

Table 3. UserAgent string.

| Fingerprint | UserAgent |
|---|---|
| FP1 | Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_1 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/14A403 UCBrowser/11.0.6.831 Mobile |
| FP2 | Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_1 like Mac OS X; zh-CN) AppleWebKit/537.51.1 (KHTML, like Gecko) Mobile/14A403 UCBrowser/11.4.8.938 Mobile AliApp(TUnionSDK/0.1.15) |


$$accuracy = \frac{TP + TN}{TP + TN + FP + FN} \tag{6}$$

TP is the number of successful and correct identifications, and FP is the number of successful identifications with a false judgment. TN is the number of failed identifications with a correct judgment (first visit from a new device), and FN is the number of failed identifications with a false judgment. In our experiment, the accuracy of the static method and the accuracy of the method based on fingerprint similarity are shown in Table 4.

Table 4. Accuracy of identification.

| | The method of static matching | The method based on fingerprint similarity |
|---|---|---|
| Accuracy | 76.3% | 83.2% |

In the static matching method, the change of any feature can cause false positives: fingerprints from the same device are mistakenly identified as fingerprints from different devices. By contrast, the identification method based on fingerprint similarity has better accuracy and robustness.

Conclusion

In this work, we propose a zero-permission mobile device identification algorithm based on the similarity of browser fingerprints. The algorithm generates a browser fingerprint by collecting 11 features of a mobile device. It defines a different similarity calculation method for each kind of feature and identifies the device based on these similarities. Experimental results show that the algorithm can effectively identify devices, and that it has better accuracy and robustness than the method of static matching.

In future work, we will collect more fingerprint samples and select different T1, T2, T3, T4 thresholds for experimental tests. In addition, we will try to choose more features to improve the accuracy.

Acknowledgement

This research was supported by the Regional Development Project of the FuJian provincial science and technology department (No. 2015H4005) and the Industrial Guidance Project of the FuJian provincial science and technology department (No. 2015H0020).

References

[1] IDC. (Mar. 2017). Smartphone Volumes Expected to Rebound in 2017 with a Five-Year Growth Rate of 3.8%, Driving Annual Shipments to 1.53 Billion by 2021, According to IDC. [Online]. Available: http://www.idc.com/getdoc.jsp?containerId=prUS42334717

[2] W. Wu, J. Wu, Y. Wang, et al. Efficient Fingerprinting-based Android Device Identification with Zero-permission Identifiers[J]. 2016, 99:1-1.

[3] S. Han, J. Jung, D. Wetherall. An empirical study of third-party tracking by mobile applications in the wild[R]. Poster of 9th USENIX Symposium on Networked Systems Design and Implementation.2012.


[5] Y. Jiang, F. H. F. Leung. Mobile Phone Identification from Speech Recordings Using Weighted Support Vector Machine[C]. Industrial Electronics Society, IECON 2016 - 42nd Annual Conference of the IEEE.2016.

[6] K. R. Corpus, R. J. D. Gonzales, Morada A S, et al. Mobile user identification through authentication using keystroke dynamics and accelerometer biometrics[C]. International Conference on Mobile Software Engineering and Systems. ACM, 2016:11-12.

[7] T. V. Goethem, W. Scheepers,D. Preuveneers, et al. Accelerometer-Based Device Fingerprinting for Multi-factor Mobile Authentication[M].Engineering Secure Software and Systems. 2016.

[8] Z. Zhou, W. Diao, X. Liu, et al. Acoustic Fingerprinting Revisited: Generate Stable Device ID Stealthily with Inaudible Sound[C].2014:429-440.

[9] A. Das, N. Borisov, M. Caesar. Do You Hear What I Hear? Fingerprinting Smart Devices Through Embedded Acoustic Components[C]. ACM Sigsac Conference on Computer and Communications Security. ACM, 2014:441-452.

[10] Fazal-e-Amin, A. S. Alghamdi, I. Ahmad. Identification of frequently used features of smartphone web browsers[C]. Open Systems. IEEE, 2014:133-138.

[11] P. Eckersley. How Unique Is Your Browser[C]. Proceedings of the 10th Privacy Enhancing Technologies Symposium,2010:1-18.

[12] T. Yamada, T. Saito, K. Takasu, et al. Robust Identification of Browser Fingerprint Comparison Using Edit Distance[C]. International Conference on Broadband and Wireless Computing, Communication and Applications. IEEE, 2015:107-113.

[13] K. Mowery, H. Shacham. Pixel Perfect: Fingerprinting Canvas in HTML5[C]. Proceedings of W2SP 2012.IEEE Computer Society, 2012.

[14] Y. Iso, N. Kiryu, T. Saito. An implementation of Browser Fingerprinting Website and analysis of its collected data[J]. in Proc. of Computer Security Symposium (CSS2014), 2014.
