TY - GEN
T1 - Location-leaking through Network Traffic in Mobile Augmented Reality Applications
AU - Meyer-Lee, Gabriel
AU - Shang, Jiacheng
AU - Wu, Jie
N1 - Publisher Copyright:
© 2018 IEEE.
PY - 2018/7/2
Y1 - 2018/7/2
N2 - Mobile Augmented Reality (AR) applications allow the user to interact with virtual objects positioned within the real world via a smart phone, tablet or smart glasses. As the popularity of these applications grows, recent researchers have identified several security and privacy issues pertaining to the collection and storage of sensitive data from device sensors. Location-based AR applications typically not only collect user location data, but transmit it to a remote server in order to download nearby virtual content. In this paper we show that the pattern of network traffic generated by this process alone can be used to infer the user's location. We demonstrate a side-channel attack against a widely available Mobile AR application inspired by Website Fingerprinting methods. Through the strategic placement of virtual content and prerecording of the network traffic produced by interacting with this content, we are able to identify the location of a user within the target area with an accuracy of 94%. This finding reveals a previously unexplored vulnerability in the implementation of Mobile AR applications and we offer several recommendations to mitigate this threat.
AB - Mobile Augmented Reality (AR) applications allow the user to interact with virtual objects positioned within the real world via a smart phone, tablet or smart glasses. As the popularity of these applications grows, recent researchers have identified several security and privacy issues pertaining to the collection and storage of sensitive data from device sensors. Location-based AR applications typically not only collect user location data, but transmit it to a remote server in order to download nearby virtual content. In this paper we show that the pattern of network traffic generated by this process alone can be used to infer the user's location. We demonstrate a side-channel attack against a widely available Mobile AR application inspired by Website Fingerprinting methods. Through the strategic placement of virtual content and prerecording of the network traffic produced by interacting with this content, we are able to identify the location of a user within the target area with an accuracy of 94%. This finding reveals a previously unexplored vulnerability in the implementation of Mobile AR applications and we offer several recommendations to mitigate this threat.
KW - Augmented Reality
KW - data privacy
KW - mobile applications
UR - http://www.scopus.com/inward/record.url?scp=85066490117&partnerID=8YFLogxK
U2 - 10.1109/PCCC.2018.8711065
DO - 10.1109/PCCC.2018.8711065
M3 - Conference contribution
AN - SCOPUS:85066490117
T3 - 2018 IEEE 37th International Performance Computing and Communications Conference, IPCCC 2018
BT - 2018 IEEE 37th International Performance Computing and Communications Conference, IPCCC 2018
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 37th IEEE International Performance Computing and Communications Conference, IPCCC 2018
Y2 - 17 November 2018 through 19 November 2018
ER -