When an app wants to access data from your smartphone's motion or light sensors, iOS and Android require that it make that capability clear. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that those rules don't apply[1] to websites loaded in mobile browsers, which can often often access an array of device sensors without any notifications or permissions whatsoever.
That mobile browsers offer developers access to sensors isn't necessarily problematic on its own. It's what helps those services automatically adjust their layout, for example, when you switch your phone's orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers—Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University—found that the standards allow for unfettered access to certain sensors. And sites are using it.
The researchers found that of the top 100,000 sites—as ranked by Amazon-owned analytics company Alexa—3,695 incorporate scripts that tap into one or more of these accessible mobile sensors. That includes plenty of big names, including Wayfair, Priceline.com, and Kayak.
"If you use Google Maps in a mobile browser you’ll get a little popup that says, 'This website wants to see your location,' and you can authorize that," says Borisov. "But with motion, lighting, and proximity sensors there isn’t any mechanism to notify the user and ask for permission, so they're being accessed and that is invisible to the user. For this collection of sensors there isn't a permissions infrastructure."
"There are limitations of the available protections for users."
Gunes Acar, Princeton University
That unapproved access to motion, orientation, proximity, or light sensor data