Mobile devices often distribute measurements from a single physical sensor to multiple applications using software-based multiplexing. On Android devices, the highest requested sampling frequency is delivered to all applications, even if other applications requested measurements at lower frequencies. In this paper, we demonstrate that this design choice exposes practically exploitable side channels based on frequency-key shifting. By carefully modulating sensor sampling frequencies in software, we show that unprivileged malicious applications can construct reliable spectral covert channels that bypass existing security mechanisms, e.g., Android's permissions framework. Moreover, we present a variant of this technique that allows an unprivileged malicious observer app to fingerprint other device applications and user interactions at a coarse-grained level. Neither technique imposes any assumptions beyond application installation and access to standard mobile services via the Android Sensors SDK. As such, they open a powerful attack vector that exploits subtle yet insecure design choices in mobile sensor stacks.
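The abstract's root cause is the multiplexing policy: one subscriber's rate request changes what every other subscriber observes. The following simulation is an added example (not code from the paper or from Android) that models that shared-max policy next to a hypothetical hardened policy in which the sensor still runs at the highest requested rate but each subscriber is decimated to its own requested rate. The `Subscriber`, `run_shared_max`, `run_decimated` and `simulate` names are assumptions of this example; the rates and durations are constructed inputs. The point it makes is that under per-subscriber decimation a low-rate subscriber's delivered rate no longer depends on what any other app requested, which removes the observable the abstract relies on.

```python
"""Toy model of per-sensor rate multiplexing (added example, not Android code).

Timestamps are integer microseconds so that rates which do not divide each
other (e.g. 7 Hz alongside 200 Hz) are handled without float drift.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

US_PER_S = 1_000_000


@dataclass
class Subscriber:
    """One app registered on the shared sensor (hypothetical model)."""
    name: str
    requested_hz: int
    received_us: List[int] = field(default_factory=list)


def _max_rate(subs: List[Subscriber]) -> int:
    return max(s.requested_hz for s in subs)


def run_shared_max(subs: List[Subscriber], duration_s: int) -> None:
    """Policy described in the abstract: the sensor is driven at the highest
    requested rate and every subscriber receives every sample."""
    period_us = US_PER_S // _max_rate(subs)
    t = 0
    while t < duration_s * US_PER_S:
        for s in subs:
            s.received_us.append(t)
        t += period_us


def run_decimated(subs: List[Subscriber], duration_s: int) -> None:
    """Hardened policy (assumption of this example): the sensor still runs at
    the highest requested rate, but each subscriber only receives a sample once
    its own requested period has elapsed since the last one it was given."""
    period_us = US_PER_S // _max_rate(subs)
    next_due = {s.name: 0 for s in subs}
    t = 0
    while t < duration_s * US_PER_S:
        for s in subs:
            if t >= next_due[s.name]:
                s.received_us.append(t)
                next_due[s.name] += US_PER_S // s.requested_hz
        t += period_us


def observed_hz(sub: Subscriber, duration_s: int) -> float:
    """Rate the subscriber actually saw, as an app would compute from its callbacks."""
    return len(sub.received_us) / duration_s


def simulate(policy: Callable[[List[Subscriber], int], None],
             observer_hz: int, neighbour_hz: int,
             duration_s: int = 1) -> Tuple[float, float]:
    """Run one policy with a low-rate observer and a neighbour app that asks for
    a different rate; return (observer_observed_hz, neighbour_observed_hz)."""
    observer = Subscriber("observer", observer_hz)
    neighbour = Subscriber("neighbour", neighbour_hz)
    policy([observer, neighbour], duration_s)
    return observed_hz(observer, duration_s), observed_hz(neighbour, duration_s)


if __name__ == "__main__":
    # Constructed scenario: observer asks for 10 Hz, neighbour asks for 200 Hz.
    print("shared-max:", simulate(run_shared_max, 10, 200))   # observer sees 200 Hz
    print("decimated: ", simulate(run_decimated, 10, 200))    # observer sees 10 Hz
```

Under the shared-max policy the observer's delivered rate tracks the neighbour's request, so a change in the neighbour's rate is directly visible to any other app on the same sensor; under the decimated policy the observer sees exactly what it asked for regardless of the neighbour, which is the property a sensor stack needs if per-app rate requests are to be mutually invisible.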