Mobile Websites Can Tap Into Your Phone's Sensors Without Asking (wired.com) 48
When apps wants to access data from your smartphone's motion or light sensors, they often make that capability clear. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that the rules don't apply to websites loaded in mobile browsers, which can often access an array of device sensors without any notifications or permissions whatsoever. From a report: That mobile browsers offer developers access to sensors isn't necessarily problematic on its own. It's what helps those services automatically adjust their layout, for example, when you switch your phone's orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers -- Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University -- found that the standards allow for unfettered access to certain sensors. And sites are using it.
The researchers found that of the top 100,000 sites -- as ranked by Amazon-owned analytics company Alexa -- 3,695 incorporate scripts that tap into one or more of these accessible mobile sensors. That includes plenty of big names, including Wayfair, Priceline.com, and Kayak.
The researchers found that of the top 100,000 sites -- as ranked by Amazon-owned analytics company Alexa -- 3,695 incorporate scripts that tap into one or more of these accessible mobile sensors. That includes plenty of big names, including Wayfair, Priceline.com, and Kayak.
Re: (Score:2)
Comment removed (Score:4, Informative)
Re: (Score:2)
As far as stuff like the proximity and lighting sensors, there are direct APIs and I couldn't tell you why phones give developers access to those by default.
Sounds like they haven't learned the lesson of battery API yet...
bite my elinks (Score:2)
Hah! Now I feel smug that the only working browser on my phone has no vulnerabilities of this kind at all.
Backporting a modern bloated browser for a system this old would be a massive task, and Nokia ended support for N900 ages ago. Never had the time to manage to get working one of community-made distributions made in the last few years, so it's elinks on the phone for me. I dare not to even contemplate Firefox or Chrome running on 256MB RAM. They're the reason why riscv has a 128-bit version...
Re: (Score:1)
Just shut up. You're jealous of that N900 too and it shows.
Re: (Score:2)
I am guessing (Score:2)
the lynks browser for android doesn't have this issue.
Chrome, webview and Firefox (and vendor browsers) are problematic unless you have large amounts of extensions installed, with blocklists updated hourly...
Permissions (Score:3, Informative)
Re: (Score:1)
Neither it is true on iOS. The article seems like a troll. Very vague on specific details and platforms.
They make this sensationalist claim but can't provide a website that I can open on my web browser and see for myself?
Re: (Score:1)
here you go: https://sensor-js.xyz/demo.html
So, when you give your mobile browser... (Score:2)
They have a test website (Score:2)
https://sensor-js.xyz/demo.htm... [sensor-js.xyz]
Indeed it works on my iPhone. Javascript can read Orientation, Accelerometer (including gravity) and Gyroscope sensors in real time.
Re: (Score:2)
This works on my macbook pro too
Orientation (x and y only)
X-axis (Î): 0.4565304277Â
Y-axis (Î): 0.0000000000Â (changes)
Z-axis (α): 0 (no data)
Accelerometer
X-axis: 0 m/s2
Y-axis: 0 m/s2
Z-axis: 0 m/s2
Data Interval: 16.00 ms
Accelerometer including gravity (all 3 active)
X-axis: 0.0000000000 m/s2
Y-axis: -0.0781406398 m/s2
Z-axis: 9.8066500000 m/s2
Gyroscope (no data)
X-axis: 0Â/s
Y-axis: 0Â/s
Z-axis: 0Â/s
I guess if i ever want to level my desk :)
Seems to change values