Mobile devices often distribute measurements from physical sensors to multiple applications using software multiplexing. On Android devices, the highest requested sampling frequency is returned to all applications, even if others request measurements at lower frequencies. In this paper, we comprehensively demonstrate that this design choice exposes practically exploitable side-channels using frequency-key shifting. By carefully modulating sensor sampling frequencies in software, we show how unprivileged malicious applications can construct reliable spectral covert channels that bypass existing security mechanisms. Additionally, we present a novel variant that allows an unprivileged malicious application to profile other active, sensor-enabled applications at a coarse-grained level. Neither method imposes any special assumptions beyond access to the standard mobile services available to developers. As such, our work reports side-channel vulnerabilities that exploit subtle yet insecure design choices in Android sensor stacks.
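To make the multiplexing behaviour concrete, here is an added example (not code from the paper) that replays a constructed, hypothetical log of sensor-rate registrations, computes the rate the "highest request wins" multiplexer delivers to every listener, and applies a simple defensive heuristic that flags an app toggling its requested rate unusually often. The log format, package names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log (format is an assumption, not an Android log):
# time_ms app sensor requested_rate_hz
SAMPLE_LOG = """\
0 com.example.weather accel 5
0 com.example.sneaky accel 200
50 com.example.sneaky accel 5
100 com.example.sneaky accel 200
150 com.example.sneaky accel 5
200 com.example.sneaky accel 200
250 com.example.sneaky accel 5
300 com.example.maps accel 50
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        t, app, sensor, rate = line.split()
        events.append((int(t), app, sensor, float(rate)))
    return events

def effective_rates(events):
    """For each event, the rate every listener of that sensor receives:
    the maximum of all currently requested rates (the abstract's design choice)."""
    requested = defaultdict(dict)  # sensor -> {app: requested rate}
    timeline = []
    for t, app, sensor, rate in events:
        requested[sensor][app] = rate
        timeline.append((t, sensor, max(requested[sensor].values())))
    return timeline

def flag_rate_togglers(events, window_ms=1000, min_switches=4):
    """Flag (app, sensor) pairs that change their requested rate at least
    min_switches times within window_ms; benign apps rarely re-register that often."""
    switches = defaultdict(list)  # (app, sensor) -> times of rate changes
    last = {}
    for t, app, sensor, rate in events:
        key = (app, sensor)
        if key in last and last[key] != rate:
            switches[key].append(t)
        last[key] = rate
    flagged = set()
    for key, times in switches.items():
        for i, start in enumerate(times):
            if sum(1 for x in times[i:] if x - start <= window_ms) >= min_switches:
                flagged.add(key)
                break
    return flagged
```

The effective-rate timeline shows why a low-rate listener such as the weather app still sees the other app's rate changes; the toggle detector is one coarse mitigation-side check a platform or auditing tool could run over such a log.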