Block Acceleration/Gyroscope Tracking #1436
Comments
P.S.: It's now a JS library @ https://github.com/cagataycali/whats-the-user-doing.js for complete script-kiddy convenience. 😶 |
This is interesting indeed, and it should ask for a permission -- I don't think that blocking it entirely is a good solution. Let's conduct an experiment. Add this rule and check how many websites are really trying to exploit it:
For instance, it will ask for your permission on that test page. It's important to note, that for it to function AG needs to be able to modify pages content, therefore HTTPS filtering is mandatory (only in your browser, though). |
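As an added illustration of what "ask for a permission" means in practice (this is example code, not AdGuard's user-filter rule or anything from this repository): a small page-side gate that wraps `addEventListener` so that listeners for `devicemotion` / `deviceorientation` are only registered after a decision callback grants them. The decision callback and the `installMotionGate` / `demo` names are assumptions of this example; in a browser the callback could be `window.confirm()`, while the demo below uses a constructed `EventTarget` and a constructed decision.

```javascript
// Added example, not AdGuard's rule or code: a page-side gate that makes
// devicemotion / deviceorientation listeners opt-in, the behaviour the
// comments above describe (a prompt instead of silent sensor access).
// It wraps addEventListener on a target (window in a browser, a plain
// EventTarget in the demo) so that a listener for a motion-sensor event is
// only registered if a decision callback returns true.

const GATED_EVENTS = new Set([
  'devicemotion',
  'deviceorientation',
  'deviceorientationabsolute',
]);

// decide(type) -> boolean is an assumption of this example (e.g. window.confirm).
// log(message) receives one line per grant/deny decision.
function installMotionGate(target, decide, log = () => {}) {
  const original = target.addEventListener.bind(target);
  const decisions = new Map(); // remember one answer per event type

  target.addEventListener = function (type, listener, options) {
    if (!GATED_EVENTS.has(type)) {
      return original(type, listener, options); // unrelated events pass through
    }
    if (!decisions.has(type)) {
      decisions.set(type, Boolean(decide(type)));
    }
    const allowed = decisions.get(type);
    log(`${type}: ${allowed ? 'granted' : 'denied'}`);
    if (allowed) {
      original(type, listener, options);
    }
    // A denied listener is simply never registered: the page sees no error,
    // it just never receives sensor events.
  };

  return {
    decisions,
    uninstall() { target.addEventListener = original; },
  };
}

// Demo on a constructed EventTarget: grant orientation, deny motion, then
// dispatch one event of each kind and count what the page's listeners saw.
function demo() {
  const target = new EventTarget();
  const log = [];
  const counts = { devicemotion: 0, deviceorientation: 0, click: 0 };
  installMotionGate(
    target,
    (type) => type === 'deviceorientation', // constructed decision
    (line) => log.push(line),
  );

  for (const type of Object.keys(counts)) {
    target.addEventListener(type, () => { counts[type] += 1; });
    target.dispatchEvent(new Event(type));
  }
  return { counts, log };
}
// demo().counts -> { devicemotion: 0, deviceorientation: 1, click: 1 }
```

In a browser the gate has to run before any page script, e.g. `installMotionGate(window, (t) => window.confirm(`Allow ${t}?`))` injected at document start, which is why a filter rule of this kind needs to modify page content (and hence HTTPS filtering, as noted above). One caveat for anyone adapting it: the wrapper only covers `addEventListener`; handlers assigned through the `window.ondeviceorientation` / `window.ondevicemotion` properties would need to be intercepted separately.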
Let me check on Android:) |
Yeah, just add this exact rule to the AG user filter |
Works for me in Chrome |
Nope, nothing, but I'm only using WebView browsers, mostly LastPass. |
HTTPS filtering is disabled for LastPass by default |
Doesn't work in Firefox Klar (F-droid), either. Is that whitelisted? |
It targets Nougat, hence it does not trust user certificates: https://blog.adguard.com/en/android-nougat-release-and-what-does-it-mean-for-adguard-users/ Most major browsers made an exception for it and opted to trust user certificates (Chrome, Samsung, regular FF if you install the certificate into their cert storage). However, there're some browsers that don't do it, like Firefox Focus for instance. |
Here is the GH issue where we test it: #1304 |
I'm running Nougat, so does that mean I'm SOL re: HTTPS-filtering? I'd be ok w/ that, anyway, but just to try this POC-fix, I've enabled it. |
Mm? Can't parse it:) |
SOL = S*** Outta Luck.... Sorry. 😅🤬 I mean, Nougat can't HTTPS-filter, then? |
It can, but the app dev should allow it by adding special "network security configuration". Here is a list of major browsers supporting it:
Meh, I'll just turn HTTPS-filtering off. But if the POC-fix works, maybe include that in the experimental filters & find some beta testers to try it on mobile? |
I have it in the user filter myself, we'll see if anybody tries to exploit it. |
Here's how it looks like: |
Does it actually grant/deny the permission? The JS seems to just log the decision. |
It does |
Here's a non-HTTPS site for which I get the function prompt: http://www.islandpacket.com/opinion/opn-columns-blogs/david-lauderdale/article135539793.html How do I confirm the block? I don't even see anything in the log: |
Changing page layout doesn't need gyro - 1 can get screen/window dimensions to do that. But blocking them makes me happier, anyway. |
It detects the portrait<->album transitions, nothing serious really. |
Just FYI & OT: If ever translating the change from & to portrait orientation, the other 1 is called landscape in the US. |
Folks @ Princeton U. have juiced this up (like on steroids!) & made a patent-pending version, it seems: https://www.princeton.edu/news/2017/11/29/phones-vulnerable-location-tracking-even-when-gps-services Whaddy'all think, @AdguardTeam? |
Not that we can do anything with that :( |
Another example for the original issue: Any page @ |
NB: I recommend doing this link on a private browser/tab, or 1 that all tracking data can be wiped, as article accesses are limited monthly. Yet another fine example @ http://www.bloomberg.com/news/features/2018-09-20/making-marines-into-macgyvers |
@ameshkov A further idea for this: Maybe have a toggle/explanation for this in the Stealth module/tab, which just adds your rule above, since that still works fine. Y'all could even default it off. P.S.: I've added links to Princeton U.'s paper re: their supercharged version of this. |
https://github.com/thewhiteh4t/seeker has recently been promoted on GitHub's Explore, which seems to be combo of this & #1477. |
N.B.: I'm really @ a loss as to where to place this RFE (or if AG can/should do anything @ all about it). Also, the amount of accessible different mechanisms available to track anything & everything 1 does grows increasingly ridiculous! 😤
It's now possible to track what 1 does in the physical realm using simple JavaScript & an overly permissive engine.
Steps to reproduce
POC: https://krausefx.github.io/user.activity
Repo: https://github.com/KrauseFx/user.activity
Code: https://github.com/KrauseFx/user.activity/blob/master/index.html
Expected behavior
In theory, this should require a separate permission to do, or @ least a prompt before using the gyro sensors.
Actual behavior
No prompt nor block. 😞
Your environment