Extending Browser Extension Fingerprinting to Mobile Devices
Pages 141 - 146
Abstract
Browser extensions are tools that extend basic browser features to enhance web experience. It has been shown that extensions can be exploited to fingerprint users and even infer personal information about them. However, as browser extensions have been limited to desktops previously, no prior work has explored fingerprintability of extensions on mobile devices, despite the increasing extension support for mobile browsers. This paper aims to fill this gap by extending extension fingerprinting techniques, traditionally performed on desktops, to mobile phones. Out of the 16 chosen extensions, we discover that 6 extensions are uniquely identifiable by their client-side modifications. We present our experimental results through our evaluation of variable interactions between various browsers, devices, and extension lists, and investigate how shifting the attention from the list of installed extensions to the actual modification data can help attackers discriminate users better.
References
[1]
Gunes Acar, Marc Juarez, Nick Nikiforakis, Claudia Diaz, Seda Gürses, Frank Piessens, and Bart Preneel. 2013. FPDetective: Dusting the Web for Fingerprinters. In Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (Berlin, Germany) (CCS '13). Association for Computing Machinery, New York, NY, USA, 1129--1140. https://doi.org/10.1145/2508859.2516674
[2]
Yinzhi Cao, Song Li, and Erik Wijmans. 2017. (Cross-)Browser Fingerprinting via OS and Hardware Level Features. In 24th Annual Network and Distributed System Security Symposium, NDSS 2017, San Diego, California, USA, February 26-March 1, 2017. The Internet Society.
[3]
Quan Chen and Alexandros Kapravelos. 2018. Mystique: Uncovering Information Leakage from Browser Extensions. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (Toronto, Canada) (CCS '18). Association for Computing Machinery, New York, NY, USA, 1687--1700. https://doi.org/10.1145/3243734.3243823
[4]
Tom Van Goethem and Wouter Joosen. 2017. One Side-Channel to Bring Them All and in the Darkness Bind Them: Associating Isolated Browsing Sessions. In 11th USENIX Workshop on Offensive Technologies (WOOT 17). USENIX Association, Vancouver, BC. https://www.usenix.org/conference/woot17/workshop-program/presentation/van-goethem
[5]
Gabor Gyorgy Gulyas, Doliere Francis Some, Nataliia Bielova, and Claude Castelluccia. 2018. To Extend or Not to Extend: On the Uniqueness of Browser Extensions and Web Logins. In Proceedings of the 2018 Workshop on Privacy in the Electronic Society (Toronto, Canada) (WPES'18). Association for Computing Machinery, New York, NY, USA, 14--27. https://doi.org/10.1145/3267323.3268959
[6]
Umar Iqbal, Steven Englehardt, and Zubair Shafiq. 2021. Fingerprinting the Fingerprinters: Learning to Detect Browser Fingerprinting Behaviors. In 2021 IEEE Symposium on Security and Privacy (SP).
[7]
Alexandros Kapravelos, Chris Grier, Neha Chachra, Christopher Kruegel, Giovanni Vigna, and Vern Paxson. 2014. Hulk: Eliciting Malicious Behavior in Browser Extensions. In 23rd USENIX Security Symposium (USENIX Security 14). USENIX Association, San Diego, CA, 641--654. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kapravelos
[8]
Soroush Karami, Panagiotis Ilia, Konstantinos Solomos, and Jason Polakis. 2020. Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting. In 27th Annual Network and Distributed System Security Symposium, NDSS 2020, San Diego, California, USA, February 23--26, 2020. The Internet Society.
[9]
Soroush Karami, Faezeh Kalantari, Mehrnoosh Zaeifi, Xavier J. Maso, Erik Trickel, Panagiotis Ilia, Yan Shoshitaishvili, Adam Doupé, and Jason Polakis. 2022. Unleash the Simulacrum: Shifting Browser Realities for Robust Extension-Fingerprinting Prevention. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 735--752. https://www.usenix.org/conference/usenixsecurity22/presentation/karami
[10]
Pierre Laperdrix, Nataliia Bielova, Benoit Baudry, and Gildas Avoine. 2020. Browser Fingerprinting: A Survey. ACM Trans. Web, Vol. 14, 2, Article 8 (April 2020), bibinfonumpages33 pages. https://doi.org/10.1145/3386040
[11]
Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. 2016. Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. In 2016 IEEE Symposium on Security and Privacy (SP). 878--894. https://doi.org/10.1109/SP.2016.57
[12]
Pierre Laperdrix, Oleksii Starov, Quan Chen, Alexandros Kapravelos, and Nick Nikiforakis. 2021. Fingerprinting in Style: Detecting Browser Extensions via Injected Style Sheets. In 30th USENIX Security Symposium. Online, France. https://hal.archives-ouvertes.fr/hal-03152176
[13]
X. Lin, F. Araujo, T. Taylor, J. Jang, and J. Polakis. 2023. Fashion Faux Pas: Implicit Stylistic Fingerprints for Bypassing Browsers' Anti-Fingerprinting Defenses. In 2023 2023 IEEE Symposium on Security and Privacy (SP) (SP). IEEE Computer Society, Los Alamitos, CA, USA, 1640--1657. https://doi.org/10.1109/SP46215.2023.00094
[14]
Nick Nikiforakis, Alexandros Kapravelos, Wouter Joosen, Christopher Kruegel, Frank Piessens, and Giovanni Vigna. 2013. Cookieless Monster: Exploring the Ecosystem of Web-Based Device Fingerprinting. In 2013 IEEE Symposium on Security and Privacy. 541--555. https://doi.org/10.1109/SP.2013.43
[15]
Gaston Pugliese, Christian Riess, Freya Gassmann, and Zinaida Benenson. 2020. Long-Term Observation on Browser Fingerprinting: Users' Trackability and Perspective. Proceedings on Privacy Enhancing Technologies, Vol. 2020 (05 2020), 558--577. https://doi.org/10.2478/popets-2020-0041
[16]
Iskander Sanchez-Rola, Igor Santos, and Davide Balzarotti. 2017. Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies. In 26th USENIX Security Symposium (USENIX Security 17). USENIX Association, Vancouver, BC, 679--694. https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/sanchez-rola
[17]
Alexander Sjösten, Steven Van Acker, and Andrei Sabelfeld. 2017. Discovering Browser Extensions via Web Accessible Resources. In Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy (Scottsdale, Arizona, USA) (CODASPY '17). Association for Computing Machinery, New York, NY, USA, 329--336. https://doi.org/10.1145/3029806.3029820
[18]
Alexander Sjösten, Steven Acker, Pablo Picazo-Sanchez, and Andrei Sabelfeld. 2019. Latex Gloves: Protecting Browser Extensions from Probing and Revelation Attacks. https://doi.org/10.14722/ndss.2019.23309
[19]
Konstantinos Solomos, Panagiotis Ilia, Soroush Karami, Nick Nikiforakis, and Jason Polakis. 2022a. The Dangers of Human Touch: Fingerprinting Browser Extensions through User Actions. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA, 717--733. https://www.usenix.org/conference/usenixsecurity22/presentation/solomos
[20]
Konstantinos Solomos, Panagiotis Ilia, Nick Nikiforakis, and Jason Polakis. 2022b. Escaping the Confines of Time: Continuous Browser Extension Fingerprinting Through Ephemeral Modifications. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (Los Angeles, CA, USA) (CCS '22). Association for Computing Machinery, New York, NY, USA, 2675--2688. https://doi.org/10.1145/3548606.3560576
[21]
Oleksii Starov, Pierre Laperdrix, Alexandros Kapravelos, and Nick Nikiforakis. 2019. Unnecessarily Identifiable: Quantifying the Fingerprintability of Browser Extensions Due to Bloat. In The World Wide Web Conference (San Francisco, CA, USA) (WWW '19). Association for Computing Machinery, New York, NY, USA, 3244--3250. https://doi.org/10.1145/3308558.3313458
[22]
O. Starov and N. Nikiforakis. 2017. XHOUND: Quantifying the Fingerprintability of Browser Extensions. In 2017 IEEE Symposium on Security and Privacy (SP). 941--956. https://doi.org/10.1109/SP.2017.18
[23]
Erik Trickel, Oleksii Starov, Alexandros Kapravelos, Nick Nikiforakis, and Adam Doupé. 2019. Everyone is Different: Client-side Diversification for Defending Against Extension Fingerprinting. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA, 1679--1696. https://www.usenix.org/conference/usenixsecurity19/presentation/trickel
[24]
Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy. 2018. FP-STALKER: Tracking Browser Fingerprint Evolutions. In 2018 IEEE Symposium on Security and Privacy (SP). 728--741. https://doi.org/10.1109/SP.2018.00008
[25]
Michael Weissbacher, Enrico Mariconti, Guillermo Suarez-Tangil, Gianluca Stringhini, William Robertson, and Engin Kirda. 2017. Ex-Ray: Detection of History-Leaking Browser Extensions. In Annual Computer Security Applications Conference (ACSAC). event-place: San Juan, Puerto Rico.
Index Terms
- Extending Browser Extension Fingerprinting to Mobile Devices
Recommendations
Discovering Browser Extensions via Web Accessible Resources
CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and PrivacyBrowser extensions provide a powerful platform to enrich browsing experience. At the same time, they raise important security questions. From the point of view of a website, some browser extensions are invasive, removing intended features and adding ...
After you, please: browser extensions order attacks and countermeasures
AbstractBrowser extensions are small applications executed in the browser context that provide additional capabilities and enrich the user experience while surfing the web. The acceptance of extensions in current browsers is unquestionable. For instance, ...
Effective detection of vulnerable and malicious browser extensions
Unsafely coded browser extensions can compromise the security of a browser, making them attractive targets for attackers as a primary vehicle for conducting cyber-attacks. Among others, the three factors making vulnerable extensions a high-risk security ...
Comments
Information & Contributors
Information
Published In
November 2023
186 pages
Copyright © 2023 Owner/Author.
This work is licensed under a Creative Commons Attribution International 4.0 License.
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 26 November 2023
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
CCS '23
Sponsor:
CCS '23: ACM SIGSAC Conference on Computer and Communications Security
November 26, 2023
Copenhagen, Denmark
Acceptance Rates
Overall Acceptance Rate 106 of 355 submissions, 30%
Upcoming Conference
CCS '24
- Sponsor:
- sigsac
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 192Total Downloads
- Downloads (Last 12 months)192
- Downloads (Last 6 weeks)39
Reflects downloads up to 15 Sep 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in