Exploiting Sensor Multiplexing for Covert Channels and Application Fingerprinting on Mobile Devices

Mobile devices often distribute measurements from a single physical sensor to multiple applications using software-based multiplexing. On Android devices, the highest requested sampling frequency is returned to all applications even if other applications request measurements at lower frequencies. In this paper, we demonstrate that this design choice exposes practically exploitable side-channels based on frequency-key shifting. By carefully modulating sensor sampling frequencies in software, we show that unprivileged malicious applications can construct reliable spectral covert channels that bypass existing security mechanisms, e.g. Android's permissions framework. Moreover, we present a variant of this technique that allows an unprivileged malicious observer app to fingerprint other device applications and user interactions at a coarse-grained level. Both techniques do not impose any assumptions beyond application installation and accessing standard mobile services via the Android Sensors SDK. As such, they open a powerful attack vector that exploits subtle yet insecure design choices in mobile sensor stacks.