Touch and You’re Trapp(ck)ed: Quantifying the Uniqueness of Touch Gestures for Tracking

Open access


We argue that touch-based gestures on touch-screen devices enable the threat of a form of persistent and ubiquitous tracking which we call touch-based tracking. Touch-based tracking goes beyond the tracking of virtual identities and has the potential for cross-device tracking as well as identifying multiple users using the same device. We demonstrate the likelihood of touch-based tracking by focusing on touch gestures widely used to interact with touch devices such as swipes and taps.. Our objective is to quantify and measure the information carried by touch-based gestures which may lead to tracking users. For this purpose, we develop an information theoretic method that measures the amount of information about users leaked by gestures when modelled as feature vectors. Our methodology allows us to evaluate the information leaked by individual features of gestures, samples of gestures, as well as samples of combinations of gestures. Through our purpose-built app, called TouchTrack, we gather gesture samples from 89 users, and demonstrate that touch gestures contain sufficient information to uniquely identify and track users. Our results show that writing samples (on a touch pad) can reveal 73.7% of information (when measured in bits), and left swipes can reveal up to 68.6% of information. Combining different combinations of gestures results in higher uniqueness, with the combination of keystrokes, swipes and writing revealing up to 98.5% of information about users. We further show that, through our methodology, we can correctly re-identify returning users with a success rate of more than 90%.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] C. Bo L. Zhang X.-Y. Li Q. Huang and Y. Wang. SilentSense: Silent User Identification via Dynamics of Touch and Movement Behavioral Biometrics. MobiCom ’13 page 187 2013.

  • [2] H. Bojinov and Y. Michalevsky. Mobile Device Identification via Sensor Fingerprinting. arXiv preprint arXiv: . . . 2014.

  • [3] D. Chaffey. How many connected devices do consumers use today?. 2016.

  • [4] T. Chen A. Chaabane P. U. Tournoux M.-A. Kaafar and R. Boreli. How much is too much? leveraging ads audience estimation to evaluate public profile uniqueness. In International Symposium on Privacy Enhancing Technologies Symposium pages 225–244. Springer 2013.

  • [5] M. Conti I. Zachia-Zlatea and B. Crispo. Mind how you answer me!: transparently authenticating the user of a smartphone when answering or placing a call. Proceedings of the 6th ACM Symposium on Information Computer and Communications Security pages 249–259 2011.

  • [6] J. Corripio D. González A. Orozco L. Villalba J. Hernandez-Castro and S. Gibson. Source smartphone identification using sensor pattern noise and wavelet transform. 5th International Conference on Imaging for Crime Detection and Prevention ICDP 2013 2013.

  • [7] A. Das and N. Borisov. Poster : Fingerprinting Smartphones Through Speaker. 35th IEEE Symposium on Security and Provacy pages 2–3 2014.

  • [8] A. Das N. Borisov and M. Caesar. Do You Hear What I Hear?: Fingerprinting Smart Devices Through Embedded Acoustic Components. Ccs pages 441–452 2014.

  • [9] A. Das N. Borisov and M. Caesar. Tracking Mobile Web Users Through Motion Sensors : Attacks and Defenses. Ndss (February):21–24 2016.

  • [10] C. De Boor. A practical guide to splines volume 27 of Applied mathematical sciences. Springer-Verlag New York 1978.

  • [11] M. O. Derawi C. Nickely P. Bours and C. Busch. Unobtrusive user-authentication on mobile phones using biometric gait recognition. Proceedings - 2010 6th International Conference on Intelligent Information Hiding and Multimedia Signal Processing IIHMSP 2010 pages 306–311 2010.

  • [12] S. Dey N. Roy W. Xu R. R. Choudhury and S. Nelakuditi. AccelPrint: Imperfections of Accelerometers Make Smartphones Trackable. Network and Distributed System Security Symposium (NDSS) (February):23–26 2014.

  • [13] P. Eckersley. How Unique Is Your Browser? Proc. of the Privacy Enhancing Technologies Symposium (PETS) pages 1–18 2010.

  • [14] M. Frank R. Biedert E. Ma I. Martinovic and D. Song. Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication. IEEE Transactions on Information Forensics and Security 8(1):136–148 2013.

  • [15] C. Giuffrida K. Majdanik M. Conti and H. Bos. I sensed it was you: Authenticating mobile users with sensor-enhanced keystroke dynamics. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 8550 LNCS:92–111 2014.

  • [16] M. Jakobsson E. Shi P. Golle and R. Chow. Implicit authentication for mobile devices. Proceedings of the 4th USENIX conference on Hot topics in security (HotSec’09) page 9 2009.

  • [17] P. Kang and S. Cho. Keystroke dynamics-based user authentication using long and free text strings from various input devices. Information Sciences 308:72–93 2015.

  • [18] T. Kohno A. Broido and K. C. Claffy. Remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing 2(2):93–108 2005.

  • [19] A. Kurtz H. Gascon T. Becker K. Rieck and F. Freiling. Fingerprinting Mobile Devices Using Personalized Configurations. Proceedings on Privacy Enhancing Technologies 2016(1):4–19 2016.

  • [20] P. Laperdrix W. Rudametkin and B. Baudry. Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints. Proceedings - 2016 IEEE Symposium on Security and Privacy SP 2016 pages 878–894 2016.

  • [21] E. Maiorana P. Campisi N. González-Carballo and A. Neri. Keystroke dynamics authentication for mobile phones. Proceedings of the 2011 ACM Symposium on Applied Computing SAC 11 pages 21–26 2011.

  • [22] J. R. Mayer. Internet Anonymity in the Age of Web 2.0. A Senior Thesis presented to the Faculty of the Woodrow Wilson School of Public and International Affairs in partial fulfillment of the requirements for the degree of Bachelor of Arts. page 103 2009.

  • [23] Y. Meng D. S. Wong R. Schlegel and L. F. Kwok. Touch gestures based biometric authentication scheme for touchscreen mobile phones. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 7763 LNCS:331–350 2013.

  • [24] Ł. Olejnik G. Acar C. Castelluccia and C. Diaz. The leaking battery: A privacy analysis of the HTML5 battery status API. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 9481:254–263 2016.

  • [25] Ł. Olejnik C. Castelluccia and A. Janc. Why Johnny Can’t Browse in Peace: On the Uniqueness of Web Browsing History Patterns. 5th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2012) pages 1–16 2012.

  • [26] H. Peng F. Long and C. Ding. Feature selection based on mutual information: Criteria of Max-Dependency Max-Relevance and Min-Redundancy. IEEE Transactions on Pattern Analysis and Machine Intelligence 27(8):1226–1238 2005.

  • [27] D. Perito C. Castelluccia M. A. Kaafar and P. Manils. How unique and traceable are usernames? In International Symposium on Privacy Enhancing Technologies Symposium pages 1–17. Springer 2011.

  • [28] N. Sae-bae N. Memon K. Isbister and K. Ahmed. Multitouch Gesture-Based Authentication can the system accurately distinguish between. 9(4):568–582 2014.

  • [29] D. W. Scott. On optimal and data-based histograms. Biometrika 66:605–610 1979.

  • [30] S. Seneviratne A. Seneviratne P. Mohapatra and A. Mahanti. Predicting user traits from a snapshot of apps installed on a smartphone. Mobile Computing and Communications Review 18(2):1–8 2014.

  • [31] M. Shahzad A. X. Liu and A. Samuel. Secure Unlocking of Mobile Touch Screen Devices by Simple Gestures – You can see it but you can not do it. Proc. of MobiCom page 39 2013.

  • [32] M. Sherman G. Clark Y. Yang S. Sugrim A. Modig J. Lindqvist A. Oulasvirta and T. Roos. User-generated free-form gestures for authentication: Security and memorability. In Proceedings of the 12th annual international conference on Mobile systems applications and services pages 176–189. ACM 2014.

  • [33] E. Shi Y. Niu M. Jakobsson and R. Chow. Implicit authentication through learning user behavior. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 6531 LNCS:99–113 2011.

  • [34] L. Sweeney. Simple demographics often identify people uniquely. Carnegie Mellon University Data Privacy Working Paper 3. Pittsburgh 2000 pages 1–34 2000.

  • [35] M. Tamviruzzaman S. I. Ahamed C. S. Hasan and C. O’brien. ePet:when cellular phone learns to recognize its owner. Proceedings of the 2nd ACM workshop on Assurable and usable security configuration - SafeConfig ’09 page 13 2009.

  • [36] C. M. Tey P. Gupta and D. Gao. I can be You: Questioning the use of Keystroke Dynamics as Biometrics. 20th Annual Network and Distributed System Security Symposium - NDSS ’13 pages 1 – 16 2013.

  • [37] H. Xu Y. Zhou and M. R. Lyu. Towards Continuous and Passive Authentication via Touch Biometrics: An Experimental Study on Smartphones. SOUPS ’14: Proceedings of the Tenth Symposium On Usable Privacy and Security pages 187–198 2014.

  • [38] T.-F. Yen Y. Xie F. Yu R. P. Yu and M. Abadi. Host Fingerprinting and Tracking on the Web: Privacy and Security Implications. Network and Distributed System Security Symposium pages 1–16 2012.

  • [39] S. Zahid M. Shahzad S. A. Khayam and M. Farooq. Keystroke-based User Identification on Smart Phones.pdf. pages 1–18.

  • [40] X. Zhao T. Feng and W. Shi. Continuous mobile authentication using a novel Graphic Touch Gesture Feature. IEEE 6th International Conference on Biometrics: Theory Applications and Systems BTAS 2013 2013.

  • [41] N. Zheng K. Bai H. Huang and H. Wang. You are how you touch: User verification on smartphones via tapping behaviors. Proceedings - International Conference on Network Protocols ICNP pages 221–232 2014.

  • [42] Z. Zhou W. Diao X. Liu and K. Zhang. Acoustic Fingerprinting Revisited: Generate Stable Device ID Stealthily with Inaudible Sound. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security - CCS ’14 pages 429–440 2014.

Journal information
Cited By
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 2085 1000 40
PDF Downloads 878 311 11