When an app wants to access data from your smartphone’s motion or light sensors, iOS and Android require them to get your permission first. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that those rules don’t apply to websites loaded in mobile browsers, which can often often access an array of device sensors without any notifications or permissions whatsoever.
That mobile browsers offer developers access to sensors isn’t necessarily problematic on its own. It’s what helps those services automatically adjust their layout, for example, when you switch your phone’s orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers—Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University—found that the standards allow for unfettered access to certain sensors. And sites are using it.
(Via Security Latest)
Before we all panic, please note that the study only found 3.7% of the top 100,000 sites make use of this. And bear the following in mind:
That unapproved access to motion, orientation, proximity, or light sensor data alone probably wouldn’t compromise a user’s identity or device. And a web page can only access sensors as long as a user is actively browsing the page, not in the background.
Regardless, there is clearly an attack surface here that will be exploited. I can imagine something targeted using watering hole attacks being particularly successful.
“There’s a difference between the access from the web scripts compared to say mobile apps,” Acar says. “And a lot of this is legitimate. But the fact that access can be granted without prompting the user is surprising. It’s currently up to the vendors, and vendors tend to choose the side of more usability.”