On Fri, Sep 22, 2017 at 8:39 AM, Ehsan Akhgari <[email protected]> wrote:
> Hi everyone,
>
> A couple of weeks ago, this proof of concept attack circled its way around
> Twitter:
>
> https://krausefx.github.io/whats-the-user-doing/
>
> This simple web app, once loaded on mobile, with a disturbing degree of
> accuracy, can tell what the user is doing with their phone, for example,
> using it while walking, lying in bed, etc. The way it does this is through
> listening to deviceorientation/devicemotion events as defined in
> <https://www.w3.org/TR/orientation-event/>.

I just tried this web app and I have to say I'm not very impressed. It's just
taking a wild guess based on some smoothed out orientation data; the
heuristic is not very advanced[0]. However, I guess it may be possible to
craft a more clever analyzer using ML or something, so...

> We recently discussed an intent to remove the rest of the sensor APIs we
> currently support, besides these two:
> <https://groups.google.com/d/msg/mozilla.dev.platform/45XApRxACaM/Fc3XxHgzCAAJ>.
> These two events are considered to be useful for web applications that want
> to create experiences that rely on being able to tell the orientation of
> the device, for example.
>
> I would like to start a discussion about how to address the recently
> surfaced privacy concerns. There are several things that we can do which
> come to mind:
>
> * Restrict dispatching these events to secure contexts. That way we
> don't potentially leak this information to MITM attackers on the network.

This seems fine as long as localhost is also allowed.

> * Apply some of the precautions recommended in
> <https://www.w3.org/TR/2016/CR-orientation-event-20160818/#security-and-privacy>,
> for example, refrain from dispatching these events inside invisible pages
> or background pages. Also, only fire them in top-level browsing contexts
> and same-origin nested browsing contexts in order to avoid leaking this
> information to third-party iframes.

We already block these events for cross-origin iframes.

Turning them off for background pages sounds good if we don't already do it.
This would save battery and largely mitigate the kind of privacy attack above.

> And limit the frequency of the event dispatches to once per refresh cycle
> maximum.

What's the reason for this? I don't know for sure, but it may be necessary
for things like AR/VR to have higher resolution than that.

James

[0] https://github.com/KrauseFx/whats-the-user-doing/blob/master/index.html#L69

_______________________________________________
dev-platform mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-platform
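The precautions discussed in this thread (secure contexts with a localhost exemption, no dispatch to hidden pages or cross-origin frames, at most one dispatch per refresh cycle), written out as an added JavaScript policy model; this is illustrative code for this page, not Firefox's implementation, and the `ctx` fields, the `hostname` check and the 60 Hz interval are assumptions.

```javascript
// Added example: a page-side model of the dispatch policy discussed in the
// thread. `ctx` is a constructed stand-in for browser state (an assumption,
// not a real DOM API); a real implementation lives in the browser engine.

const FRAME_INTERVAL_MS = 1000 / 60; // assumed 60 Hz refresh cycle

// Returns null when the context may receive deviceorientation/devicemotion
// events, otherwise the name of the rule that blocks it.
function motionEventBlockReason(ctx, opts = {}) {
  const allowLocalhost = opts.allowLocalhost !== false;
  const isLocalhost = ctx.hostname === 'localhost' || ctx.hostname === '127.0.0.1';
  // Rule 1: secure contexts only, so the data never crosses the network in
  // the clear; localhost is exempted for development, as the reply suggests.
  if (!ctx.isSecureContext && !(allowLocalhost && isLocalhost)) {
    return 'insecure-context';
  }
  // Rule 2: no dispatch to invisible or background pages.
  if (ctx.visibilityState !== 'visible') {
    return 'page-hidden';
  }
  // Rule 3: only top-level and same-origin nested browsing contexts;
  // third-party iframes receive nothing.
  if (!ctx.isTopLevel && !ctx.sameOriginAsTop) {
    return 'cross-origin-frame';
  }
  return null;
}

// At most one dispatch per refresh cycle. Timestamps are passed in as
// milliseconds so the logic can be exercised without real timers.
class RefreshCycleLimiter {
  constructor(intervalMs = FRAME_INTERVAL_MS) {
    this.intervalMs = intervalMs;
    this.lastDispatch = -Infinity;
  }
  allow(nowMs) {
    if (nowMs - this.lastDispatch < this.intervalMs) return false;
    this.lastDispatch = nowMs;
    return true;
  }
}

// Runs raw sensor samples ({ t: ms, ... }) through both checks and returns
// only those that would actually be delivered to page script.
function filterMotionSamples(ctx, samples, limiter = new RefreshCycleLimiter()) {
  if (motionEventBlockReason(ctx) !== null) return [];
  return samples.filter(s => limiter.allow(s.t));
}
```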

