Javascript Sensor API and New Browser Features Raise Privacy Concerns

The W3 specs get updated and expand faster than most people can keep up with them. In 2015, many browsers began adding support for mobile sensors which do not prompt users for permission to access them. The new Javascript sensor API and browser features should start raising privacy concerns.

A few of these are listed below:

Accelerometer and gyroscope data

Modern browsers now expose the accelerometer and gyroscope directly to page scripts, without any permission prompt. This is done as follows:

		window.addEventListener('devicemotion', function(event) {
		    var x, y, z, alpha, beta, gamma;
		    // accelerometer: m/s^2, gravity included
		    x = event.accelerationIncludingGravity.x;
		    y = event.accelerationIncludingGravity.y;
		    z = event.accelerationIncludingGravity.z;
		    // gyroscope: rotation rate in deg/s (event.alpha/beta/gamma are undefined on a devicemotion event)
		    alpha = event.rotationRate.alpha;
		    beta  = event.rotationRate.beta;
		    gamma = event.rotationRate.gamma;
		});

		// orientation angles and the 'absolute' flag arrive on a separate event
		window.addEventListener('deviceorientation', function(event) {
		    var absolute = event.absolute;
		    var alpha = event.alpha, beta = event.beta, gamma = event.gamma;
		});

I created a simple demo of measuring the net acceleration, which can be viewed on a supported device.

Vibration API

Modern browsers allow websites to turn on the vibrator without prompting the user. The snippet below shows how this is done:

		var time = 200; /* milliseconds the vibrator turns on */
		window.navigator.vibrate(time);

Feel what can happen with this Vibration API demo on supported devices.

Proximity sensor data

Currently, only Firefox supports proximity detection, and only on a specific set of supported devices. Accessing proximity data looks like this:

		window.addEventListener('deviceproximity', function(event) {
		    console.log("value: " + event.value, "max: " + event.max, "min: " + event.min);
		});

Barometer API

No browser currently supports this, but a W3 specification is being drafted to allow JavaScript access to the barometer: https://dvcs.w3.org/hg/dap/raw-file/default/pressure/Overview.html

Notification API

The Notification API allows websites to notify users, even when the app is not in focus, with a picture, some text, and optional vibration. Unlike the sensor APIs above, this API does require asking the user’s permission. Below is an example of how to use it (tested in Firefox):

		function notifyMe() {
		    var notification = new Notification("Hi there!");
		}

		// Triggers the browser's permission prompt; the answer is remembered per origin.
		Notification.requestPermission();

		function spawnNotification(theBody, theIcon, theTitle) {
		    // Constructing a Notification before permission is granted silently fails.
		    if (Notification.permission !== "granted") {
		        return;
		    }
		    var options = {
		        body: theBody,
		        icon: theIcon
		    };
		    var n = new Notification(theTitle, options);
		    notifyMe();
		}

More information about current compatibility and future functionality can be found on the Mozilla docs.

WebRTC

WebRTC is a huge topic and perhaps deserves a blog post of its own. It allows peer-to-peer communication in the browser, facilitated by a central signalling server which drops out of the equation once the connection is established. This can be done without prompting the user. One byproduct is the leaking of internal IP addresses, which is demonstrated by Daniel Roesler on GitHub.

Consequences

These new features allow web applications to be more powerful and ultimately replace the role of many mobile apps. As a developer and a user, it’s important to stay aware of new features and to be mindful of what a website is capable of doing to your mobile device.

One example of abusing these new features is a malicious web page using the vibration API to trick a user into thinking their mobile device is infected with malware.

Another thing to be mindful of is that accelerometer data can be used to figure out what activity an individual is performing (biking, walking, running, etc.). This is well documented by a team of Stanford researchers in their paper Predicting Mode of Transport from iPhone Accelerometer Data.
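To make the net-acceleration demo and the activity-inference risk concrete, here is an added example (not code from the original post): it reads the same accelerationIncludingGravity fields the devicemotion listener above exposes, computes net acceleration, and infers a coarse activity from how much that value fluctuates. The samples are constructed and the thresholds are assumptions for illustration, not values from the Stanford paper.

```javascript
const GRAVITY = 9.81;

// Net (linear) acceleration: magnitude of accelerationIncludingGravity minus g.
// Takes the same event shape a 'devicemotion' listener receives.
function netAcceleration(event) {
  const a = event.accelerationIncludingGravity;
  return Math.sqrt(a.x * a.x + a.y * a.y + a.z * a.z) - GRAVITY;
}

function stddev(values) {
  const mean = values.reduce((s, v) => s + v, 0) / values.length;
  const variance = values.reduce((s, v) => s + (v - mean) ** 2, 0) / values.length;
  return Math.sqrt(variance);
}

// Coarse activity classifier over a window of devicemotion events.
// Thresholds (m/s^2) are assumed for illustration only.
function classifyActivity(events) {
  const sd = stddev(events.map(netAcceleration));
  if (sd < 0.3) return 'stationary';
  if (sd < 3.0) return 'walking';
  return 'running';
}

// Constructed samples: a phone lying flat (z ~ g) with a sinusoidal
// up-and-down bounce of the given amplitude, 10 samples per step.
function makeSamples(amplitude, n) {
  const events = [];
  for (let i = 0; i < n; i++) {
    const bounce = amplitude * Math.sin((2 * Math.PI * i) / 10);
    events.push({
      accelerationIncludingGravity: { x: 0.05 * bounce, y: 0, z: GRAVITY + bounce }
    });
  }
  return events;
}

const STILL   = makeSamples(0.05, 50); // resting on a table
const WALKING = makeSamples(2.0, 50);  // gentle periodic bounce
const RUNNING = makeSamples(8.0, 50);  // hard periodic bounce

// In a real page the events come straight from the unprompted listener:
//   window.addEventListener('devicemotion', function (e) { buffer.push(e); });
// and classifyActivity(buffer) is run over the last few seconds of samples.
```

No permission prompt stands between a page and this inference, which is the privacy point the post makes about the sensor APIs.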

Even though the W3 specifications change rapidly, it’s important to stay on top of major additions that alter the capabilities of websites.

