Touch and You’re Trapp(ck)ed: Quantifying the Uniqueness of Touch Gestures for Tracking

Rahat Masood 1, Benjamin Zi Hao Zhao 2, Hassan Jameel Asghar 3 and Mohamed Ali Kaafar 4
  • 1 CSIRO Data61, Sydney, Australia
  • 2 CSIRO Data61, Sydney, Australia
  • 3 CSIRO Data61, Sydney, Australia
  • 4 Macquarie University, Optus Macquarie University Cyber Security Hub, Sydney, Australia


We argue that touch-based gestures on touch-screen devices enable the threat of a form of persistent and ubiquitous tracking which we call touch-based tracking. Touch-based tracking goes beyond the tracking of virtual identities and has the potential for cross-device tracking as well as identifying multiple users using the same device. We demonstrate the likelihood of touch-based tracking by focusing on touch gestures widely used to interact with touch devices, such as swipes and taps. Our objective is to quantify and measure the information carried by touch-based gestures which may lead to tracking users. For this purpose, we develop an information theoretic method that measures the amount of information about users leaked by gestures when modelled as feature vectors. Our methodology allows us to evaluate the information leaked by individual features of gestures, samples of gestures, as well as samples of combinations of gestures. Through our purpose-built app, called TouchTrack, we gather gesture samples from 89 users, and demonstrate that touch gestures contain sufficient information to uniquely identify and track users. Our results show that writing samples (on a touch pad) can reveal 73.7% of information (when measured in bits), and left swipes can reveal up to 68.6% of information. Combining different gestures results in higher uniqueness, with the combination of keystrokes, swipes and writing revealing up to 98.5% of information about users. We further show that, through our methodology, we can correctly re-identify returning users with a success rate of more than 90%.
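To make the idea of "information revealed, as a percentage of bits" concrete, the following added example (not code from the paper or from TouchTrack) estimates how much of the uncertainty about the user identity is removed by one gesture feature, and by two features combined. It assumes equal-width binning and reads the percentage as the ratio I(U;F)/H(U); both are assumptions of this sketch, not the paper's estimator, and the samples and feature names are constructed.

```python
import math
from collections import Counter, defaultdict

def entropy(counts):
    """Shannon entropy in bits of a list of occurrence counts."""
    total = sum(counts)
    return sum(-(c / total) * math.log2(c / total) for c in counts if c)

def binner(values, bins):
    """Map a raw feature value to an equal-width bin index (assumed discretisation)."""
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins or 1.0  # a constant feature collapses into one bin
    return lambda v: min(int((v - lo) / width), bins - 1)

def relative_information(samples, features, bins=4):
    """Return I(U;F)/H(U) in [0, 1] for the chosen feature indices.

    samples: list of (user_id, feature_vector); features: indices into the vector.
    1.0 means the binned features pin down the user; 0.0 means they reveal nothing.
    """
    to_bin = {i: binner([vec[i] for _, vec in samples], bins) for i in features}
    users = Counter(user for user, _ in samples)
    cells = defaultdict(Counter)  # joint bin -> how often each user lands in it
    for user, vec in samples:
        cells[tuple(to_bin[i](vec[i]) for i in features)][user] += 1
    h_u = entropy(users.values())
    if h_u == 0:
        return 0.0
    n = len(samples)
    h_u_given_f = sum(sum(c.values()) / n * entropy(c.values())
                      for c in cells.values())
    return (h_u - h_u_given_f) / h_u

# Constructed samples: (user, (swipe duration in ms, mean touch pressure)).
SAMPLES = [
    ("u1", (100, 0.2)), ("u1", (100, 0.2)),
    ("u2", (100, 0.8)), ("u2", (100, 0.8)),
    ("u3", (400, 0.2)), ("u3", (400, 0.2)),
    ("u4", (400, 0.8)), ("u4", (400, 0.8)),
]

if __name__ == "__main__":
    for chosen in ([0], [1], [0, 1]):
        print(chosen, round(relative_information(SAMPLES, chosen), 3))
```

In the constructed data each feature alone halves the uncertainty about the user, while the pair identifies every user, which mirrors the abstract's observation that combined gestures are more unique than any single one.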



