Volume 2021 (2021): Issue 4 (October 2021)

Journal Details
Format: Journal
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

ZKSENSE: A Friction-less Privacy-Preserving Human Attestation Mechanism for Mobile Devices

Published Online: 23 Jul 2021
Page range: 6 - 29
Received: 28 Feb 2021
Accepted: 16 Jun 2021
Abstract

Recent studies show that 20.4% of internet traffic originates from automated agents. To identify and block such ill-intentioned traffic, mechanisms that verify the humanness of the user are widely deployed, with CAPTCHAs being the most popular. Traditional CAPTCHAs require extra user effort (e.g., solving mathematical puzzles), which can severely degrade the end-user's experience, especially on mobile, and provide only sporadic humanness verification of questionable accuracy. More recent solutions like Google's reCAPTCHA v3 leverage user data, thus raising significant privacy concerns. To address these issues, we present zkSENSE: the first zero-knowledge proof-based humanness attestation system for mobile devices. zkSENSE moves human attestation to the edge, onto the user's own device, where the humanness of the user is assessed in a privacy-preserving and seamless manner. zkSENSE achieves this by classifying the motion sensor outputs of the mobile device with a model trained on both publicly available sensor data and data collected from a small group of volunteers. To ensure the integrity of the process, the classification result is enclosed in a zero-knowledge proof of humanness that can be safely shared with a remote server. We implement zkSENSE as an Android service to demonstrate its effectiveness and practicality. In our evaluation, we show that zkSENSE successfully verifies the humanness of a user across a variety of attack scenarios and demonstrate 92% accuracy. On a two-year-old Samsung S9, zkSENSE's attestation takes around 3 seconds (where visual CAPTCHAs need 9.8 seconds) and consumes a negligible amount of battery.
