Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mobile Websites Can Tap Into Your Phone's Sensors Without Asking (wired.com)

Posted by msmash on from the stranger-things dept.

When apps wants to access data from your smartphone's motion or light sensors, they often make that capability clear. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that the rules don't apply to websites loaded in mobile browsers, which can often access an array of device sensors without any notifications or permissions whatsoever. From a report: That mobile browsers offer developers access to sensors isn't necessarily problematic on its own. It's what helps those services automatically adjust their layout, for example, when you switch your phone's orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers -- Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University -- found that the standards allow for unfettered access to certain sensors. And sites are using it.

The researchers found that of the top 100,000 sites -- as ranked by Amazon-owned analytics company Alexa -- 3,695 incorporate scripts that tap into one or more of these accessible mobile sensors. That includes plenty of big names, including Wayfair, Priceline.com, and Kayak.

48 comments

  1. KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: -1

    What. A. Wuss.

    1. Re:KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: -1

      When Kavanaugh is confirmed for the SCOTUS, hopefully you will hang yourself like the limp-wristed fudgepacker you are.

    2. Re: KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

      So you condone raping children? Nice.

    3. Re: KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

      So you condone raping children? Nice.

      -

      Obviously you are stupid.

      I don't believe the accusations against Kavanaugh.

      I believe Blasey Ford's efforts are 100% politically motivated.

      You should watch your mouth. If you said "you condone raping children" to me in a bar, I'd teach you a hard lesson.

    4. Re: KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

      Then you're an idiot.

      Kavanaugh is a rapist. He should be in prison, not on the SCOTUS.

    5. Re: KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

      Then you're an idiot.

      -

      You're just a punkass bitch who sucks the cock of "news" propaganda like it was your mommy's tit.

      Do the world a favor and slit your wrists.

    6. Re:KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

      What. A. Wuss.

      Wait, didn't he just claim he was a virgin until after college?

    7. Re:KAVANAUGH aka Pussy Galore! by Anonymous Coward · · Score: 0

      no no, you misunderstand.. he worked hard at pretending he was a virgin. Did you know? it was legal for seniors to drink at that time... never mind the fact he wasn't a senior and it wasn't legal for him to drink. I don't want a Judge who intentionally gives misleading arguments.

  2. Why? by Anonymous Coward · · Score: 0

    I am still confused to why my web browser needs access to my sensors in the first place.

    Or pretty anything that isn't the temp and appdata folder. It can have access to that.

    1. Re:Why? by Locke2005 · · Score: 1

      To play games in the browser? Yeah, that's a stretch. Phone browsers aren't good for much, anything complicated you'd be better off with a dedicated app.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:Why? by squiggleslash · · Score: 3, Informative

      Some of it is implied access. For example, if a phone rotates from portrait to landscape mode, it'll typically re-layout the page to fit the new aspect ratio. It then becomes trivial for Javascript to determine that the phone has been rotated.

      As far as stuff like the proximity and lighting sensors, there are direct APIs and I couldn't tell you why phones give developers access to those by default.

      --
      You are not alone. This is not normal. None of this is normal.
    3. Re:Why? by KiloByte · · Score: 1

      As far as stuff like the proximity and lighting sensors, there are direct APIs and I couldn't tell you why phones give developers access to those by default.

      Sounds like they haven't learned the lesson of battery API yet...

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:Why? by Anonymous Coward · · Score: 0

      if a phone rotates from portrait to landscape mode

      use window.resize event. you don't need sensors for that. Additionally, if the user locks the screen rotation on phone but the site detects orientation and changes layout, that is bad UX.

    5. Re:Why? by Anonymous Coward · · Score: 0

      Yeah, it sounds like you have no idea what anyone's talking about. Maybe you should take a break from posting and let the big boys talk.

    6. Re: Why? by Anonymous Coward · · Score: 0

      They don't. Check the compatibility section. None of the browsers support it except for Firefox, and that's only after you set a flag in the browser config. It's off by default, and it's specifically because browser vendors know it's a massive privacy concern and open to abuse.

      Give credit where credit is due.

    7. Re:Why? by Anonymous Coward · · Score: 0

      The biggest security failure with phones is the LACK of Individuals capable of creating runarounds and watchers for the users' benefit. There are loads of open-source and user-friendly/protective applications to help protect you online from dastardly operators (microsoft, for example) but niggardly few developers creating user security applications for phones (and even then, being able to easily, independently upload them to the phones). smartphone users are basically stuck with what the market provides; anyway most of them are too ignorant to even SUSPECT the things their devices might be doing, for others, to them. Not so the physical computer user who can have access to install a vast array of things that they can learn to use (or are pre-set-up by friendlies for them). Computer users can have more control over their devices than smartphone users. My flip-phone is adequate for my needs (voice, text) and anything further can wait until I'm in front of my bigscreen with a computer that *I* have control over.

    8. Re:Why? by Anonymous Coward · · Score: 0

      Sounds like they haven't learned the lesson of battery API yet...

      It's annoying that we are ignored bystanders in a war against marketing companies dictating standards that the browsers quietly push out --in concert, usually.
      Useful features going removed because of dumb telemetry is just as bad a result of this hubris, and we're the ones looking stupid because there is no middle-ground where we keep the good bits modularly. In the name of perfunctory injections of patches for zero days, we sacrifice stability, features, speed, compatibility with established extensions and workflows... and privacy

  3. bite my elinks by KiloByte · · Score: 1

    Hah! Now I feel smug that the only working browser on my phone has no vulnerabilities of this kind at all.

    Backporting a modern bloated browser for a system this old would be a massive task, and Nokia ended support for N900 ages ago. Never had the time to manage to get working one of community-made distributions made in the last few years, so it's elinks on the phone for me. I dare not to even contemplate Firefox or Chrome running on 256MB RAM. They're the reason why riscv has a 128-bit version...

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:bite my elinks by Anonymous Coward · · Score: 0

      Ah yes, the Slashdot Luddite.

      Such a common feature here. It's depressing that a site about new technology has so many idiots who insist on living in the past.

      Your ancient phone isn't relevant to this discussion. Go away.

      And if you can't tell the difference between the good guys and the Nazis, you're a fool.

    2. Re:bite my elinks by Narcocide · · Score: 1

      Just shut up. You're jealous of that N900 too and it shows.

    3. Re: bite my elinks by Anonymous Coward · · Score: 0

      Oh fuck off. And #fuckZuck.

  4. The smell of *BSD's rotting corpse by Anonymous Coward · · Score: -1

    I went out to *BSD's grave on Decoration Day. The old forgotten cemetery is to be found adjacent to the dark woods beyond the edge of town. There within olfactory distance of the municipal treatment plant you will find *BSD's final resting place.

    *BSD's tombstone was shrouded by thick mosses and knots of noxious ivy. A mournful funerary crow sounded the requiem, as I gently pulled aside the tangled twists of thorns, and cleaned the decaying marker the best I could. A suffocating melancholia filled my heart, while I pondered that this indeed was *BSD's figurative charnel house of which so many have plaintively spoken.

    Nothing is so pitiful as an untended grave, a loved one now forgotten. The short sad life of this doomed and fated OS makes us realize that there but for the grace of God go all of us.

    I planted some wilting marigolds, found discarded in the waste heap behind the caretaker's shack, wishing that by some miracle these fleurs de mort might take root and bring a modicum of cheer to *BSD's God forsaken plot. My fervent hope is that the torpid colored boy, who so carelessly mows the grounds, doesn't slice them down, inadvertently mirroring *BSD's own doomed encounter with death's irresistible scythe.

    Funny how things work out. Linux, that brilliant novam stellam, now runs the Internet and the world's fastest computers, while *BSD lies moldering within its forgotten crypt. Let the barren silence of *BSD's tomb be a mute reminder that hubris and braggadocio were no defense on that woeful day when the Angel of Death's bleak umbra was cast upon *BSD.

    1. Re:The smell of *BSD's rotting corpse by mschwanke97402 · · Score: 1

      Quoting Wired Magazine: "Mac OS X, in turn, gave rise to the mobile iOS. Both Apple operating systems still include code files tagged with the NeXt name – and both are directly descended from a version of UNIX called the Berkeley System Distribution, or BSD, created at the University of California, Berkeley in 1977" BSD isn't quite dead yet. It lives on in 2 Billion iOS devices and the odd iMac or MacBook.

    2. Re:The smell of *BSD's rotting corpse by Anonymous Coward · · Score: 0

      BSD isn't dead. It just smells that way.

    3. Re: The smell of *BSD's rotting corpse by Anonymous Coward · · Score: 0

      That was me. I farted.

    4. Re: The smell of *BSD's rotting corpse by Anonymous Coward · · Score: 0

      Gee whiz, fella. Whew! Something must havef died up there! That gas was rank. You better see a doctor PDQ!

  5. I am guessing by bobstreo · · Score: 1

    the lynks browser for android doesn't have this issue.

    Chrome, webview and Firefox (and vendor browsers) are problematic unless you have large amounts of extensions installed, with blocklists updated hourly...

    1. Re:I am guessing by Anonymous Coward · · Score: 0

      On firefox, it seems that some of this can be mitigated by about:config settings. I seem to remember stumbling across some of that stuff while exploring all the settings. Been awhile, though, and my memory isn't as good as I'd like to think it used to be.

  6. Permissions by Dysproxia · · Score: 3, Informative

    The article starts by claiming that apps require some permission from the user before they can use these sensors in question. Motion, orientation, proximity, light. That's not true on Android. Good night!

    1. Re:Permissions by Anonymous Coward · · Score: 1

      Neither it is true on iOS. The article seems like a troll. Very vague on specific details and platforms.

      They make this sensationalist claim but can't provide a website that I can open on my web browser and see for myself?

    2. Re:Permissions by Anonymous Coward · · Score: 1

      here you go: https://sensor-js.xyz/demo.html

  7. KAVANAUGH PERJURED HIMSELF PROVABLY! by Anonymous Coward · · Score: 0

    He may go to prison in the end, we'll see. He perjured himself!

  8. Wow ... time to kill javascript ... by Anonymous Coward · · Score: 0

    The researchers found that of the top 100,000 sites -- as ranked by Amazon-owned analytics company Alexa -- 3,695 incorporate scripts that tap into one or more of these accessible mobile sensors

    The internet, and especially on a mobile device, has become a shithole of ads, trackers, analytics, and bad actors. Much of that is facilitated by the shit-storm of javascript from 20+ different 3rd party stuff.

    There is no defensible reason for a fucking web page to have any access to any of the sensors on a phone. While the browser might need to know that the orientation has changed, the website doesn't.

    This is why I don't use mobile devices for this crap, and why I don't use social media at all .. because the sites themselves are ran by assholes, and the rest of the tracking pretty much guarantees you are going to be far more invasive tracked than you could possibly recognize.

    I find it hilarious that this gem is coming from Amazon, who are also one of the asshole players in the ad and analytics market.

    Sorry, I'll stick with a browser on my desktop, with every possible blocker to shut out the ads and trackers.

    I don't care about your business model, and I care even less when you embed 3rd party shit to spy on me and act like I've given them all permission by using your site. Sorry, but no, that never actually happened.

    The overwhelming majority of sites are ran by assholes, or at least by people who have allowed the assholes to catch a free ride. I'm not allowing that shit.

  9. I use XPrivacy by Anonymous Coward · · Score: 0

    And my browser doesn't have access to unnecessary sensor info.

  10. So, when you give your mobile browser... by QuietLagoon · · Score: 1

    ... permission to access various parts of your phone, you also giving that same permission to everything that runs in the browser?

  11. Motion Sensor Gait Analysis by Anonymous Coward · · Score: 0

    I wonder if enough information can be teased out of the motion sensor to determine if a user is walking, then use that to establish a bio-metric identifier with any confidence from gait analysis. At a minimum an informed statistical guess about the owner's height might be possible.

  12. Tell it to the warden, Trump traitor. by Anonymous Coward · · Score: 0

    Tell it to the warden, Trump traitor.

    1. Re:Tell it to the warden, Trump traitor. by Anonymous Coward · · Score: 0

      Dead liberal pussies like you are good liberal pussies. Let the civil war begin, let the blood flow. I want to see you dead in the street gut shot by another liberal pussy just like yourself

    2. Re:Tell it to the warden, Trump traitor. by Anonymous Coward · · Score: 0

      You can't manage even educating yourself about the civil war, now you want to re-enact it, inbred southern faggots? Lol. You lost bitches, get over it snowflake traitor Trumptards. Your hero will be hanged for treason. Suck it faggots. There's nothing you deplorable inbred faggot nazis can do about it, you don't matter and we've already replaced you punk ass bitches. You are too dumb to survive, bury yourselves in a coal mine.

    3. Re:Tell it to the warden, Trump traitor. by Anonymous Coward · · Score: 0

      If a civil war were to break out, it would be the city folk (heavy left) vs rural America. It would not be a North vs South thing. Cities would be contained, and flanked and surrounded. They eventually would be starved as they rely on food and resources that rural America produces. Those who know how to live off the land and survive will do far better than those who rely on larping to feel good about themselves. Rural America also has a sense of community and will typically help their neighbors when in trouble. Good luck getting all the gangs to work together in the cities to help the leftist cause. Just my 2 cents.

  13. The browser is an app. by Anonymous Coward · · Score: 0

    The browser is an app. And I can close my tabs (although service workers can throw a wrench into that). I much prefer the browser model to the app model. I install almost no apps on my phone and use the browser.

    For things I care about (I don't care about my GPS coordinates, btw) I don't give the browser permission -- e.g. record video/audio. Problem solved.

  14. Android? by Anonymous Coward · · Score: 0

    Article is unclear. Must be Android thing.

  15. They have a test website by Pow · · Score: 2

    https://sensor-js.xyz/demo.htm...

    Indeed it works on my iPhone. Javascript can read Orientation, Accelerometer (including gravity) and Gyroscope sensors in real time.

    1. Re:They have a test website by Anonymous Coward · · Score: 0

      does anyone with a phone actually write these?

    2. Re:They have a test website by blackest_k · · Score: 1

      This works on my macbook pro too

      Orientation (x and y only)
      X-axis (Î): 0.4565304277Â
      Y-axis (Î): 0.0000000000Â (changes)
      Z-axis (α): 0 (no data)
      Accelerometer
      X-axis: 0 m/s2
      Y-axis: 0 m/s2
      Z-axis: 0 m/s2
      Data Interval: 16.00 ms
      Accelerometer including gravity (all 3 active)
      X-axis: 0.0000000000 m/s2
      Y-axis: -0.0781406398 m/s2
      Z-axis: 9.8066500000 m/s2
      Gyroscope (no data)
      X-axis: 0Â/s
      Y-axis: 0Â/s
      Z-axis: 0Â/s

      I guess if i ever want to level my desk :)
      Seems to change values on screen angle too.

      --
      Blarney Quality Restaurant, Plants
    3. Re:They have a test website by Anonymous Coward · · Score: 0

      site's not working. :(

  16. The DOM model was a mistake by Anonymous Coward · · Score: 0

    The browser can access whatever it wants!

  17. Can disable in firefox by Anonymous Coward · · Score: 0

    about:config -> search "sensors" -> disable them all