Fingerprinting Mobile Browsers

Nowadays, billions of people access the Internet on mobile phones and a significant portion of the traffic comes from browsers. Mobile browsers could be used as a gateway to access the underlying resources of mobile devices for fingerprinting purposes. Browsers include APIs to access the underlying hardware and software resources, such as sensors, audio and media devices, battery, and so on. The growing number of APIs have created new opportunities for browser fingerprinting mechanisms. However, the widely used browser fingerprint systems are designed for the desktop environment and the identifying information gathered using these systems do not include the unique features of mobile phones such as device sensors. The goal of this thesis is to explore additional fingerprintable metrics in the mobile context and analyze their contribution in fingerprinting browsers. In this thesis, we investigated time evolution of browser's features fingerprints and fingerprinting in the wild in the context of mobile devices. In time evolution of feature's fingerprinting, we have examined the change in permission requirements of browsers over time and evolution of browser's features fingerprints for both Google Chrome and Firefox. In our experiment, we have seen that permission requirements have increased over time, e.g. Firefox 4.0 requires only four permissions, while Firefox 55.0 requires 24 permissions. In evolution of browser's features, we have seen fingerprints that are related to media, audio, WebGL, and canvas elements of the browser show a frequent change across versions. In addition, we have seen, for both Chrome and Firefox, the user agent string is unique for each version and media devices for Chrome is unique for each version as well in our dataset. In fingerprinting in the wild, we have collected fingerprints from 134 browsing sessions of which 96 were unique. From the gathered dataset, we have calculated the identifying information, entropy, contribution of each browser's feature in our test. The result shows that IP address, user agent, and media devices are the highest entropy contributors. In addition, we have observed that the maximum possible entropy gain in our dataset, 6.58 bits, can be obtained by joining only media devices and user agent strings. To sum up, in our experiment, we have acquired additional fingerprintable metrics form modern APIs, such as sensors, audio and media devices, and battery. In time evolution of browser feature's fingerprint experiments, we have seen that modern API feature's fingerprints show frequent change across versions. Similarly, in fingerprinting in the wild experiments, these APIs are among the highest entropy contributors