Are motion sensors really that dangerous?

I never pay attention to the details of security fixes. I don’t know anyone that does! I appreciate that companies like Apple are taking care to constantly fight the battle against malicious code or behavior and I take it for granted. This is a company that stands for privacy (on billboards, at least) — I can definitely trust Apple to make the right call when keeping my phone and data “safe.”

Right?

On March 25th, 2019, Apple issued iOS 12.2, an update that included new Animoji, Apple News+, an icon that says 5GE that’s not technically 5G, and a bunch of security fixes.

iOS 12.2 includes the following security fix under the label Safari:

Impact: A website may be able to access sensor information without user consent

Description: A permissions issue existed in the handling of motion and orientation data. This issue was addressed with improved restrictions.

CVE-2019-8554: an anonymous researcher

In other words, motion data is no longer on by default in Safari. This is a big deal — a major ability of the most used mobile browser in the US no longer works. Apple didn’t make it easy to enable motion sensors, unlike the simple permission dialogues that pop up to enable other sensors, such as “Safari would like to access the camera.” No, this feature is buried in settings, in a place that a majority of users will never visit.

An in-the-moment pop up message that doesn’t break the experience

The main concept is that websites can grab sensor data without alerting the user. It is interesting that in 2019 this has become a security issue, especially since adding motion sensors to Safari happened in 2010 and received much fanfare.


Yes, that’s right, nine years ago these sensors were enabled. Is this Apple admitting that there was a privacy flaw in Safari for almost a decade?

The security and privacy issue is a bit of an unknown. There is a concept of sensor fingerprinting a particular device over a short amount of time. This technique could, in theory, identify a unique user on the web based on similar patterns of use or discrepancies on the phone. One issue with this approach is that the sensors do not work when the website itself is not active, meaning that navigating to another tab or dismissing the browser would stop the data gathering. A coordinated effort across many popular websites could make this a viable security threat, but that’s fairly improbable. There is also research concluding that passwords or PINs can be stolen using motion sensors, but again, this assumes that the malicious site is active at the time.

The main motion sensors in modern iPhones are the accelerometer and the gyroscope. These allow for Wii-like controls, from simply reorienting one’s phone from Portrait to Landscape to having low-latency, high-resolution 1-to-1 tracking of the orientation and tilt of the phone. Many popular iOS games, like Tilt to Live, or built-in apps, like the Compass (which has an incredibly useful level!), rely on these sensors as the main mechanic. Beyond these applications, Augmented Reality (AR) and Virtual Reality (VR) experiences require motion data to create a sense of presence and as a practical means for identifying the user’s focus. The AR and VR market is gaining momentum while motion-based games like Tilt to Live have fallen out of fashion.

Simultaneously, web browsers have become more and more sophisticated. Contemporary JavaScript libraries such as React and Redux allow for full applications to exist on the web. That’s right: essentially anything that you can build as an app for the App Store is possible to build for the web. This opens up a major opportunity for companies (like ESC Games) that take a platform-agnostic view of the mobile ecosystem. Instead of publishing several flavors of apps to various storefronts in order to reach a wide audience, we can simply post the app ourselves to the web, avoiding any revenue sharing or cryptic approval processes along the way.

There’s another reason that ESC uses the web — our activations require “instant join” to work. We build games and experiences for 10–100,000 simultaneous participants. Sometimes we have a captive audience, but mainly we’re up at a sports event with just about 90 seconds to offer everyone in the crowd the chance to play together on the big screen. Downloading an app is totally impractical at that point. Our players join by simply visiting a website, immediately becoming part of the action.

Fans playing Shake It Up! at a Seton Hall basketball game

The flagship title of our massive location-based entertainment platform is called Shake It Up! I bet you can guess where this is going… Not only did Apple put a hurdle in front of our ability to use motion as a main method of engaging thousands of users simultaneously, the company hampered AR and VR web apps with similar aspirations. Samsung’s “Samsung Within,” which allows users to explore the night sky using the phone via web, no longer works as intended — substituting touch for motion which is far less immersive or user friendly.

It is hard to understand the reasoning behind the choice to bury the setting instead of giving the user an in-line prompt. Changes like this hamper our experiences and take essential tools away, or at least hide them under the fold. ESC can easily shift focus to non-motion-based games (not ideal all the time!), but AR and VR apps cannot.
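Here is an added example, in JavaScript, that is not ESC Games’ code: it probes whether the browser actually delivers usable devicemotion events and falls back to touch controls when it does not, which is exactly what a web game faces on iOS 12.2 when the motion setting is left off. The state names, the three-event threshold and the 1.5 second deadline are my own assumptions; `DeviceMotionEvent.requestPermission()` is a real in-line prompt that newer Safari versions (iOS 13 and later) added, and the code only calls it when it is present.

```javascript
// Added example (not ESC Games code): decide at load time whether a web game
// can rely on motion input, and fall back to touch when the browser does not
// deliver usable sensor data (e.g. Safari on iOS 12.2 with the motion setting
// left off). Names, thresholds and timeouts below are assumptions.

const MotionState = Object.freeze({
  PROBING: "probing",   // still waiting for evidence
  MOTION: "motion",     // usable devicemotion data is arriving
  FALLBACK: "fallback", // no usable data before the deadline: use touch
});

// Pure decision logic, kept free of DOM dependencies so it can be unit-tested.
// A devicemotion event counts only if it carries finite readings; the spec
// allows the acceleration fields to be null when no sensor data is available.
function createMotionProbe({ minEvents = 3 } = {}) {
  let state = MotionState.PROBING;
  let usableEvents = 0;

  function hasFiniteReading(event) {
    const a = event && event.accelerationIncludingGravity;
    return Boolean(a) && [a.x, a.y, a.z].every(Number.isFinite);
  }

  return {
    get state() { return state; },
    // Feed each devicemotion event here; returns the updated state.
    onMotion(event) {
      if (state === MotionState.PROBING && hasFiniteReading(event)) {
        usableEvents += 1;
        if (usableEvents >= minEvents) state = MotionState.MOTION;
      }
      return state;
    },
    // Call when the probing deadline passes; returns the final state.
    onTimeout() {
      if (state === MotionState.PROBING) state = MotionState.FALLBACK;
      return state;
    },
  };
}

// Newer Safari versions (iOS 13+) expose an explicit prompt,
// DeviceMotionEvent.requestPermission(), which must be called from a user
// gesture (e.g. a "tap to play" button). Older versions have no prompt at all:
// access is governed by the system setting, so the probe is the only way to
// find out whether data will ever arrive.
async function requestMotionAccess(win) {
  const DME = win.DeviceMotionEvent;
  if (DME && typeof DME.requestPermission === "function") {
    try {
      return (await DME.requestPermission()) === "granted";
    } catch (_err) {
      return false; // denied, or called outside a user gesture
    }
  }
  return typeof DME !== "undefined"; // no prompt API: rely on the probe
}

// Browser wiring: listen for devicemotion on a window-like event target and
// resolve with MotionState.MOTION or MotionState.FALLBACK.
function chooseInputMode(win, { timeoutMs = 1500, minEvents = 3 } = {}) {
  return new Promise((resolve) => {
    if (typeof win.DeviceMotionEvent === "undefined") {
      resolve(MotionState.FALLBACK); // API not present at all
      return;
    }
    const probe = createMotionProbe({ minEvents });
    let timer = null;
    const finish = (state) => {
      win.removeEventListener("devicemotion", onMotion);
      if (timer !== null) clearTimeout(timer);
      resolve(state);
    };
    const onMotion = (event) => {
      if (probe.onMotion(event) === MotionState.MOTION) finish(MotionState.MOTION);
    };
    win.addEventListener("devicemotion", onMotion);
    timer = setTimeout(() => finish(probe.onTimeout()), timeoutMs);
  });
}

// Usage in a page (skipped when there is no window, e.g. under Node):
if (typeof window !== "undefined") {
  requestMotionAccess(window)
    .then((ok) => (ok ? chooseInputMode(window) : MotionState.FALLBACK))
    .then((mode) => console.log("input mode:", mode));
}
```

The point of separating `createMotionProbe` from the wiring is that the decision (“is real data arriving, or should we switch to touch?”) is testable without a device, while the deadline keeps a player on a phone with motion disabled from staring at a dead screen instead of being handed the touch version of the game.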

I fear that Safari may only get worse as web-based apps get better since bypassing the App Store is a real concern to Apple. As such, I can only recommend alternate browsers for those that want a better web experience, one in which innovation isn’t stifled in lip service to privacy.

Written by

Creative Director for ESC Games, with a focus on making projects awesome, local multiplayer experiences, live interactions, large groups, kids, and education.
