The W3C specs get updated and expand faster than most people can keep up with them. In 2015, many browsers began adding support for mobile sensors that do not prompt users for permission before a page accesses them. The new JavaScript sensor APIs and browser features should start raising privacy concerns.
A few of these are listed below:
Accelerometer and gyroscope data
Modern browsers now support direct access to the accelerometer and gyroscope through the devicemotion event. This is done as follows:

window.addEventListener('devicemotion', function (event) {
  var x, y, z, alpha, beta, gamma, interval;
  // Accelerometer: acceleration in m/s^2 along each axis, gravity included
  // (accelerationIncludingGravity is null on devices without an accelerometer)
  x = event.accelerationIncludingGravity.x;
  y = event.accelerationIncludingGravity.y;
  z = event.accelerationIncludingGravity.z;
  // Gyroscope: rotation rate in deg/s around each axis; the alpha, beta and
  // gamma fields live on event.rotationRate, not on the event itself
  alpha = event.rotationRate.alpha;
  beta = event.rotationRate.beta;
  gamma = event.rotationRate.gamma;
  // Sampling interval in milliseconds
  interval = event.interval;
  // The orientation angles (and the 'absolute' flag) are delivered by the
  // separate 'deviceorientation' event, not by 'devicemotion'
});
I created a simple demo of measuring the net acceleration, which can be viewed on a supported device.
Vibration API
Modern browsers allow websites to turn on the vibrator without prompting the user. Below shows how this can be done:

var time = 200; /* milliseconds the vibrator turns on */
window.navigator.vibrate(time);

Feel what can happen with this Vibration API demo on supported devices.
Proximity sensor data
Currently, only Firefox supports proximity detection on a specific set of supported devices. Accessing proximity data looks like this:

window.addEventListener('deviceproximity', function (event) {
  // value: distance in cm; min/max: the sensor's reporting range
  console.log("value: " + event.value, "max: " + event.max, "min: " + event.min);
});
Barometer API
No browsers currently support this; however, a W3C specification is being drafted to allow JavaScript access to the barometer: https://dvcs.w3.org/hg/dap/raw-file/default/pressure/Overview.html
Notification API
The Notification API allows websites to notify users, even when the app is not in focus, with a picture, some text, and optional vibration. This API does require asking the user's permission to use it. Below is an example of how to use it (tested in Firefox):

function notifyMe() {
  var notification = new Notification("Hi there!");
}

// Must be granted before any Notification is constructed; the constructor
// silently does nothing when permission is "default" or "denied"
Notification.requestPermission();

function spawnNotification(theBody, theIcon, theTitle) {
  var options = { body: theBody, icon: theIcon };
  var n = new Notification(theTitle, options);
  notifyMe();
}
More information about current compatibility and future functionality can be found on the Mozilla docs.
WebRTC
WebRTC is a huge topic and perhaps should be the subject of a blog post all to itself. It allows peer-to-peer communication in the browser, facilitated by a central signalling server that drops out of the equation once the connection is established. Setting up the connection can be done without prompting the user. One byproduct of this is the leaking of internal IP addresses, which is demonstrated by Daniel Roesler on GitHub.
Consequences
These new features allow web applications to be more powerful and ultimately replace the role of many mobile apps. As a developer and a user, it’s important to stay aware of new features and to be mindful of what a website is capable of doing to your mobile device.
One example of abusing these new features is a malicious web page using the vibration API to trick a user into thinking their mobile device is infected with malware.
Another thing to be mindful of is that accelerometer data can be used to figure out what activity an individual is performing (biking, walking, running, etc.). This is well documented by a team of Stanford researchers in their paper Predicting Mode of Transport from iPhone Accelerometer Data.
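To make the accelerometer point concrete, here is an added example (not the author's demo and not code from the post) of the net acceleration measurement mentioned in the accelerometer section, plus a sliding-window summary of the magnitudes. The summary shows why the activity inference above is possible: a device lying still reports roughly 9.8 m/s^2 with almost no spread, while a carried device shows a large spread, and a page receives every one of these samples without any permission prompt. The functions are written to run both in a browser and under Node.

```javascript
// Added example: net acceleration from devicemotion events, with a windowed
// mean/stddev summary. Pure functions so the logic can run outside a browser.

// Magnitude of the gravity-inclusive acceleration vector, in m/s^2.
// accelerationIncludingGravity is null on devices without an accelerometer.
function netAcceleration(event) {
  var a = event.accelerationIncludingGravity;
  if (!a || a.x == null || a.y == null || a.z == null) {
    return null;
  }
  return Math.sqrt(a.x * a.x + a.y * a.y + a.z * a.z);
}

// Keeps the last `size` magnitudes and summarises them.
function MotionSampler(size) {
  this.size = size;
  this.samples = [];
}

MotionSampler.prototype.push = function (event) {
  var m = netAcceleration(event);
  if (m === null) return; // no accelerometer on this device
  this.samples.push(m);
  if (this.samples.length > this.size) this.samples.shift();
};

MotionSampler.prototype.summary = function () {
  var n = this.samples.length;
  if (n === 0) return { count: 0, mean: null, stddev: null };
  var mean = this.samples.reduce(function (s, v) { return s + v; }, 0) / n;
  var sq = this.samples.reduce(function (s, v) { return s + (v - mean) * (v - mean); }, 0);
  return { count: n, mean: mean, stddev: Math.sqrt(sq / n) };
};

// Browser usage: the listener fires without any permission prompt.
if (typeof window !== 'undefined' && window.addEventListener) {
  var sampler = new MotionSampler(50);
  window.addEventListener('devicemotion', function (event) {
    sampler.push(event);
    console.log(sampler.summary());
  });
}
```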
Even though the W3C specifications change so rapidly, it's always important to try and stay on top of major additions that alter the capabilities of websites.