I never pay attention to the details of security fixes. I don’t know anyone that does! I appreciate that companies like Apple are taking care to constantly fight the battle against malicious code or behavior and I take it for granted. This is a company that stands for privacy (on billboards, at least) — I can definitely trust Apple to make the right call when keeping my phone and data “safe.”
iOS 12.2 includes the following security fix under the label Safari:
Impact: A website may be able to access sensor information without user consent
Description: A permissions issue existed in the handling of motion and orientation data. This issue was addressed with improved restrictions.
CVE-2019–8554: an anonymous researcher
In other words, motion data is no longer on by default in Safari. This is a big deal — a major ability of the most used mobile browser in the US no longer works. Apple didn’t make it easy to enable motion sensors, unlike the simple permission dialogues that pop up to enable other sensors, such as “Safari would like to access the camera.” No, this feature is buried in settings, in a place that a majority of users will never visit.
The main concept is that websites can grab sensor data without alerting the user. It is interesting that in 2019 this has become a security issue, especially since adding motion sensors to Safari happened in 2010 and received much fanfare.
Yes, that’s right, nine years ago these sensors were enabled. Is this Apple admitting that there was a privacy flaw in Safari for almost a decade?
The security and privacy issue is a bit of an unknown. There is a concept of sensor fingerprinting a particular device over a short amount of time. This technique could, in theory, identify a unique user on the web based on similar patterns of use or discrepancies on the phone. One issue with this approach is that the sensors do not work when the website itself is not active, meaning that navigating to another tab or dismissing the browser would stop the data gathering. A coordinated effort across many popular websites could make this a viable security threat, but that’s fairly improbable. There is also research that conclude passwords or pins can be stolen using motion sensors, but again, this assumes that the malicious site is active at the time.
The main motion sensors in modern iPhones are the accelerometer and the gyroscope. These allow for Wii-like controls from simply reorienting ones phone from Portrait to Landscape, to having low-latency, high resolution 1-to-1 tracking of the orientation and tilt of the phone. Many popular iOS games, like Tilt to Live, or built-in apps, like the Compass (which has an incredibly useful level!), rely on these sensors as the main mechanic. Beyond these applications, Augmented Reality (AR) and Virtual Reality (VR) experiences require motion data to create a sense of presence and as a practical means for identifying the user’s focus. The AR and VR market is gaining momentum while motion-based games like Tilt to Live have fallen out of fashion.
There’s another reason that ESC uses the web — our activations require “instant join” to work. We build games and experiences for 10–100,000 simultaneous participants. Sometimes we have a captive audience, but mainly we’re up at a sports event with just about 90 seconds to offer everyone in the crowd the chance to play together on the big screen. Downloading an app is totally impractical at that point. Our players join by simply visiting a website, immediately becoming part of the action.
The flagship title of our massive location-based entertainment platform is called Shake It Up! I bet you can guess where this is going… Not only did Apple put a hurdle in front of our ability to use motion as a main method of engaging thousands of users simultaneously, the company hampered AR and VR web apps with similar aspirations. Samsung’s “Samsung Within,” which allows users to explore the night sky using the phone via web, no longer works as intended — substituting touch for motion which is far less immersive or user friendly.
It is hard to understand the reasoning behind the choice to bury the setting instead of giving the user an in-line prompt. Changes like this hamper our experiences and take essential tools away, or at least hide them under the fold. ESC can easily shift focus to non-motion-based games (not ideal all the time!), but AR and VR apps cannot.
I fear that Safari may only get worse as web-based apps get better since bypassing the App Store is a real concern to Apple. As such, I can only recommend alternate browsers for those that want a better web experience, one in which innovation isn’t stifled in lip service to privacy.