Slashdot Mirror


Mobile Websites Can Tap Into Your Phone's Sensors Without Asking (wired.com)

When apps want to access data from your smartphone's motion or light sensors, they often make that capability clear. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that the rules don't apply to websites loaded in mobile browsers, which can often access an array of device sensors without any notifications or permissions whatsoever. From a report: That mobile browsers offer developers access to sensors isn't necessarily problematic on its own. It's what helps those services automatically adjust their layout, for example, when you switch your phone's orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers -- Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University -- found that the standards allow for unfettered access to certain sensors. And sites are using it.

The researchers found that of the top 100,000 sites -- as ranked by Amazon-owned analytics company Alexa -- 3,695 incorporate scripts that tap into one or more of these accessible mobile sensors. That includes plenty of big names, including Wayfair, Priceline.com, and Kayak.
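
As an added illustration (not part of the Wired report or the researchers' tooling), a site owner can find out which embedded scripts subscribe to these sensor events by loading a small audit shim before any third-party code. The function names and report format are assumptions made for this example, and a bare `EventTarget` stands in for `window` so that it also runs under Node.

```javascript
// Added example: audit shim for sensor event subscriptions (hypothetical names).
const SENSOR_EVENTS = ['devicemotion', 'deviceorientation',
  'deviceorientationabsolute', 'devicelight', 'deviceproximity', 'userproximity'];

// Best-effort caller lookup: keep only stack-frame lines, skip the shim's own
// frame (index 0) and return the next one, which names the calling script.
function callerFrame(stack) {
  const frames = String(stack || '').split('\n')
    .map((s) => s.trim())
    .filter((s) => s.startsWith('at ') || s.includes('@'));
  return frames[1] || 'unknown';
}

function auditSensorAccess(target, report) {
  const original = target.addEventListener;
  // Path 1: target.addEventListener('devicemotion', fn)
  target.addEventListener = function (type, listener, options) {
    if (SENSOR_EVENTS.includes(String(type))) {
      report.push({ type: String(type), via: 'addEventListener',
                    source: callerFrame(new Error().stack) });
    }
    return original.call(this, type, listener, options);
  };
  // Path 2: target.ondevicemotion = fn (handler property assignment)
  for (const type of SENSOR_EVENTS) {
    let handler = null;
    Object.defineProperty(target, 'on' + type, {
      configurable: true,
      get() { return handler; },
      set(fn) {
        report.push({ type, via: 'on' + type,
                      source: callerFrame(new Error().stack) });
        if (handler) target.removeEventListener(type, handler);
        handler = typeof fn === 'function' ? fn : null;
        if (handler) original.call(target, type, handler);
      },
    });
  }
}

// Constructed demo: a bare EventTarget stands in for `window`.
const demoTarget = new EventTarget();
const demoReport = [];
auditSensorAccess(demoTarget, demoReport);
demoTarget.addEventListener('devicemotion', () => {});
demoTarget.ondeviceorientation = () => {};
console.log(demoReport.map((r) => `${r.type} via ${r.via} from ${r.source}`));
```

In a page, call `auditSensorAccess(window, report)` in the first script of the document; the `source` field then carries the URL and line of whichever script registered the listener.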

48 comments

  1. Re: KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

    So you condone raping children? Nice.

  2. Why? by Anonymous Coward · · Score: 0

    I am still confused as to why my web browser needs access to my sensors in the first place.

    Or pretty much anything that isn't the temp and appdata folder. It can have access to that.

    1. Re:Why? by Locke2005 · · Score: 1

      To play games in the browser? Yeah, that's a stretch. Phone browsers aren't good for much, anything complicated you'd be better off with a dedicated app.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:Why? by squiggleslash · · Score: 3, Informative

      Some of it is implied access. For example, if a phone rotates from portrait to landscape mode, it'll typically re-layout the page to fit the new aspect ratio. It then becomes trivial for Javascript to determine that the phone has been rotated.

      As far as stuff like the proximity and lighting sensors, there are direct APIs and I couldn't tell you why phones give developers access to those by default.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:Why? by KiloByte · · Score: 1

      As far as stuff like the proximity and lighting sensors, there are direct APIs and I couldn't tell you why phones give developers access to those by default.

      Sounds like they haven't learned the lesson of battery API yet...

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:Why? by Anonymous Coward · · Score: 0

      if a phone rotates from portrait to landscape mode

      Use the window.resize event. You don't need sensors for that. Additionally, if the user locks the screen rotation on phone but the site detects orientation and changes layout, that is bad UX.

    5. Re:Why? by Anonymous Coward · · Score: 0

      Yeah, it sounds like you have no idea what anyone's talking about. Maybe you should take a break from posting and let the big boys talk.

    6. Re: Why? by Anonymous Coward · · Score: 0

      They don't. Check the compatibility section. None of the browsers support it except for Firefox, and that's only after you set a flag in the browser config. It's off by default, and it's specifically because browser vendors know it's a massive privacy concern and open to abuse.

      Give credit where credit is due.

    7. Re:Why? by Anonymous Coward · · Score: 0

      The biggest security failure with phones is the LACK of Individuals capable of creating runarounds and watchers for the users' benefit. There are loads of open-source and user-friendly/protective applications to help protect you online from dastardly operators (microsoft, for example) but niggardly few developers creating user security applications for phones (and even then, being able to easily, independently upload them to the phones). smartphone users are basically stuck with what the market provides; anyway most of them are too ignorant to even SUSPECT the things their devices might be doing, for others, to them. Not so the physical computer user who can have access to install a vast array of things that they can learn to use (or are pre-set-up by friendlies for them). Computer users can have more control over their devices than smartphone users. My flip-phone is adequate for my needs (voice, text) and anything further can wait until I'm in front of my bigscreen with a computer that *I* have control over.

    8. Re:Why? by Anonymous Coward · · Score: 0

      Sounds like they haven't learned the lesson of battery API yet...

      It's annoying that we are ignored bystanders in a war against marketing companies dictating standards that the browsers quietly push out --in concert, usually.
      Useful features going removed because of dumb telemetry is just as bad a result of this hubris, and we're the ones looking stupid because there is no middle-ground where we keep the good bits modularly. In the name of perfunctory injections of patches for zero days, we sacrifice stability, features, speed, compatibility with established extensions and workflows... and privacy

  3. bite my elinks by KiloByte · · Score: 1

    Hah! Now I feel smug that the only working browser on my phone has no vulnerabilities of this kind at all.

    Backporting a modern bloated browser for a system this old would be a massive task, and Nokia ended support for N900 ages ago. Never had the time to manage to get working one of community-made distributions made in the last few years, so it's elinks on the phone for me. I dare not to even contemplate Firefox or Chrome running on 256MB RAM. They're the reason why riscv has a 128-bit version...

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:bite my elinks by Anonymous Coward · · Score: 0

      Ah yes, the Slashdot Luddite.

      Such a common feature here. It's depressing that a site about new technology has so many idiots who insist on living in the past.

      Your ancient phone isn't relevant to this discussion. Go away.

      And if you can't tell the difference between the good guys and the Nazis, you're a fool.

    2. Re:bite my elinks by Narcocide · · Score: 1

      Just shut up. You're jealous of that N900 too and it shows.

    3. Re: bite my elinks by Anonymous Coward · · Score: 0

      Oh fuck off. And #fuckZuck.

  4. I am guessing by bobstreo · · Score: 1

    the lynks browser for android doesn't have this issue.

    Chrome, webview and Firefox (and vendor browsers) are problematic unless you have large amounts of extensions installed, with blocklists updated hourly...

    1. Re:I am guessing by Anonymous Coward · · Score: 0

      On firefox, it seems that some of this can be mitigated by about:config settings. I seem to remember stumbling across some of that stuff while exploring all the settings. Been awhile, though, and my memory isn't as good as I'd like to think it used to be.

  5. Re: KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

    So you condone raping children? Nice.

    -

    Obviously you are stupid.

    I don't believe the accusations against Kavanaugh.

    I believe Blasey Ford's efforts are 100% politically motivated.

    You should watch your mouth. If you said "you condone raping children" to me in a bar, I'd teach you a hard lesson.

  6. Re: KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

    Then you're an idiot.

    Kavanaugh is a rapist. He should be in prison, not on the SCOTUS.

  7. Permissions by Dysproxia · · Score: 3, Informative

    The article starts by claiming that apps require some permission from the user before they can use these sensors in question. Motion, orientation, proximity, light. That's not true on Android. Good night!

    1. Re:Permissions by Anonymous Coward · · Score: 1

      Neither is it true on iOS. The article seems like a troll. Very vague on specific details and platforms.

      They make this sensationalist claim but can't provide a website that I can open on my web browser and see for myself?

    2. Re:Permissions by Anonymous Coward · · Score: 1

      here you go: https://sensor-js.xyz/demo.html

  8. KAVANAUGH PERJURED HIMSELF PROVABLY! by Anonymous Coward · · Score: 0

    He may go to prison in the end, we'll see. He perjured himself!

  9. Wow ... time to kill javascript ... by Anonymous Coward · · Score: 0

    The researchers found that of the top 100,000 sites -- as ranked by Amazon-owned analytics company Alexa -- 3,695 incorporate scripts that tap into one or more of these accessible mobile sensors

    The internet, and especially on a mobile device, has become a shithole of ads, trackers, analytics, and bad actors. Much of that is facilitated by the shit-storm of javascript from 20+ different 3rd party stuff.

    There is no defensible reason for a fucking web page to have any access to any of the sensors on a phone. While the browser might need to know that the orientation has changed, the website doesn't.

    This is why I don't use mobile devices for this crap, and why I don't use social media at all .. because the sites themselves are run by assholes, and the rest of the tracking pretty much guarantees you are going to be far more invasively tracked than you could possibly recognize.

    I find it hilarious that this gem is coming from Amazon, who are also one of the asshole players in the ad and analytics market.

    Sorry, I'll stick with a browser on my desktop, with every possible blocker to shut out the ads and trackers.

    I don't care about your business model, and I care even less when you embed 3rd party shit to spy on me and act like I've given them all permission by using your site. Sorry, but no, that never actually happened.

    The overwhelming majority of sites are run by assholes, or at least by people who have allowed the assholes to catch a free ride. I'm not allowing that shit.

  10. I use XPrivacy by Anonymous Coward · · Score: 0

    And my browser doesn't have access to unnecessary sensor info.

  11. Re: KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

    Then you're an idiot.

    -

    You're just a punkass bitch who sucks the cock of "news" propaganda like it was your mommy's tit.

    Do the world a favor and slit your wrists.

  12. So, when you give your mobile browser... by QuietLagoon · · Score: 1

    ... permission to access various parts of your phone, you are also giving that same permission to everything that runs in the browser?

  13. Motion Sensor Gait Analysis by Anonymous Coward · · Score: 0

    I wonder if enough information can be teased out of the motion sensor to determine if a user is walking, then use that to establish a bio-metric identifier with any confidence from gait analysis. At a minimum an informed statistical guess about the owner's height might be possible.

  14. Tell it to the warden, Trump traitor. by Anonymous Coward · · Score: 0

    Tell it to the warden, Trump traitor.

    1. Re:Tell it to the warden, Trump traitor. by Anonymous Coward · · Score: 0

      Dead liberal pussies like you are good liberal pussies. Let the civil war begin, let the blood flow. I want to see you dead in the street gut shot by another liberal pussy just like yourself

    2. Re:Tell it to the warden, Trump traitor. by Anonymous Coward · · Score: 0

      You can't manage even educating yourself about the civil war, now you want to re-enact it, inbred southern faggots? Lol. You lost bitches, get over it snowflake traitor Trumptards. Your hero will be hanged for treason. Suck it faggots. There's nothing you deplorable inbred faggot nazis can do about it, you don't matter and we've already replaced you punk ass bitches. You are too dumb to survive, bury yourselves in a coal mine.

    3. Re:Tell it to the warden, Trump traitor. by Anonymous Coward · · Score: 0

      If a civil war were to break out, it would be the city folk (heavy left) vs rural America. It would not be a North vs South thing. Cities would be contained, and flanked and surrounded. They eventually would be starved as they rely on food and resources that rural America produces. Those who know how to live off the land and survive will do far better than those who rely on larping to feel good about themselves. Rural America also has a sense of community and will typically help their neighbors when in trouble. Good luck getting all the gangs to work together in the cities to help the leftist cause. Just my 2 cents.

  15. Re:The smell of *BSD's rotting corpse by mschwanke97402 · · Score: 1

    Quoting Wired Magazine: "Mac OS X, in turn, gave rise to the mobile iOS. Both Apple operating systems still include code files tagged with the NeXt name – and both are directly descended from a version of UNIX called the Berkeley System Distribution, or BSD, created at the University of California, Berkeley in 1977" BSD isn't quite dead yet. It lives on in 2 Billion iOS devices and the odd iMac or MacBook.

  16. Re:The smell of *BSD's rotting corpse by Anonymous Coward · · Score: 0

    BSD isn't dead. It just smells that way.

  17. Re: The smell of *BSD's rotting corpse by Anonymous Coward · · Score: 0

    That was me. I farted.

  18. Re: The smell of *BSD's rotting corpse by Anonymous Coward · · Score: 0

    Gee whiz, fella. Whew! Something must have died up there! That gas was rank. You better see a doctor PDQ!

  19. The browser is an app. by Anonymous Coward · · Score: 0

    The browser is an app. And I can close my tabs (although service workers can throw a wrench into that). I much prefer the browser model to the app model. I install almost no apps on my phone and use the browser.

    For things I care about (I don't care about my GPS coordinates, btw) I don't give the browser permission -- e.g. record video/audio. Problem solved.

  20. Re:KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

    What. A. Wuss.

    Wait, didn't he just claim he was a virgin until after college?

  21. Android? by Anonymous Coward · · Score: 0

    Article is unclear. Must be Android thing.

  22. They have a test website by Pow · · Score: 2

    https://sensor-js.xyz/demo.htm...

    Indeed it works on my iPhone. Javascript can read Orientation, Accelerometer (including gravity) and Gyroscope sensors in real time.

    1. Re:They have a test website by Anonymous Coward · · Score: 0

      does anyone with a phone actually write these?

    2. Re:They have a test website by blackest_k · · Score: 1

      This works on my macbook pro too

      Orientation (x and y only)
      X-axis (β): 0.4565304277°
      Y-axis (γ): 0.0000000000° (changes)
      Z-axis (α): 0 (no data)
      Accelerometer
      X-axis: 0 m/s2
      Y-axis: 0 m/s2
      Z-axis: 0 m/s2
      Data Interval: 16.00 ms
      Accelerometer including gravity (all 3 active)
      X-axis: 0.0000000000 m/s2
      Y-axis: -0.0781406398 m/s2
      Z-axis: 9.8066500000 m/s2
      Gyroscope (no data)
      X-axis: 0°/s
      Y-axis: 0°/s
      Z-axis: 0°/s

      I guess if I ever want to level my desk :)
      Seems to change values on screen angle too.

    3. Re:They have a test website by Anonymous Coward · · Score: 0

      site's not working. :(

  23. Re:KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

    no no, you misunderstand.. he worked hard at pretending he was a virgin. Did you know? it was legal for seniors to drink at that time... never mind the fact he wasn't a senior and it wasn't legal for him to drink. I don't want a Judge who intentionally gives misleading arguments.

  24. The DOM model was a mistake by Anonymous Coward · · Score: 0

    The browser can access whatever it wants!

  25. Can disable in firefox by Anonymous Coward · · Score: 0

    about:config -> search "sensors" -> disable them all