
Block Acceleration/Gyroscope Tracking #1436

Open
TPS opened this issue Sep 10, 2017 · 31 comments

Comments

@TPS
Contributor

TPS commented Sep 10, 2017

N.B.: I'm really @ a loss as to where to place this RFE (or if AG can/should do anything @ all about it). Also, the amount of accessible different mechanisms available to track anything & everything 1 does grows increasingly ridiculous! 😤

It's now possible to track what 1 does in the physical realm using simple JavaScript & an overly permissive engine.

Steps to reproduce

POC: https://krausefx.github.io/user.activity
Repo: https://github.com/KrauseFx/user.activity
Code: https://github.com/KrauseFx/user.activity/blob/master/index.html

Expected behavior

In theory, this should require a separate permission to do, or @ least a prompt before using the gyro sensors.

Actual behavior

No prompt nor block. 😞

Your environment

  • Adguard version: 2.10.56 Amazon ß
  • Adguard filtering mode: VPN
  • Device model: (e.g. Google Pixel) Nextbit → Razer Robin
  • Operating system and version: Android 7.1.1
  • Rooted or not? Not
  • Any other apps that can start VPN/Antiviruses/Cleaners etc. installed? N/A
@TPS
Contributor Author

TPS commented Sep 10, 2017

P.S.: It's now a JS library @ https://github.com/cagataycali/whats-the-user-doing.js for complete script-kiddy convenience. 😶

@ameshkov
Member

This is interesting indeed, and it should ask for permission -- I don't think that blocking it entirely is a good solution.

Let's conduct an experiment.

Add this rule and check how many websites are really trying to exploit it:

#%#(function(){var b=null,e=["devicemotion","deviceorientation"],c=window.addEventListener;window.addEventListener=function(a,d){-1===e.indexOf(a)?c(a,d):(null===b&&(b=confirm("Page tries to access your device's gyro data. Do you grant the permission?")),b?c(a,d):console.log("Denied access to "+a))}})();

For instance, it will ask for your permission on that test page.

It's important to note that for it to function AG needs to be able to modify page content, therefore HTTPS filtering is mandatory (only in your browser, though).
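The gating idea behind the one-line `#%#` rule above, written out readably as an added example (this is not code from the thread or from AdGuard). It runs under Node.js 15+ using the built-in `EventTarget` as a constructed stand-in for `window`; in a page you would call `installSensorGate(window, confirm)`. It goes a bit beyond the rule in two ways that are assumptions of this example rather than anything the thread states: it also gates `deviceorientationabsolute`, and it gates the `ondevicemotion` / `ondeviceorientation` handler properties, which register a listener without ever going through `addEventListener`.

```javascript
// Added example (not code from the AdGuard thread): the gating idea behind the
// `#%#` rule, written out readably. Runs under Node.js 15+ using the built-in
// EventTarget as a constructed stand-in for `window`; in a page you would call
// installSensorGate(window, confirm).
const SENSOR_EVENTS = new Set([
  "devicemotion",
  "deviceorientation",
  "deviceorientationabsolute", // same sensor data; not covered by the one-line rule
]);

function installSensorGate(target, askUser, log = console.log) {
  const originalAdd = target.addEventListener;
  let decision = null; // null: user not asked yet; true/false: cached answer
  const denied = [];   // event types whose registration was refused

  function allowed(type) {
    if (!SENSOR_EVENTS.has(type)) return true;
    if (decision === null) {
      decision = Boolean(
        askUser("Page tries to access your device's motion sensors. Grant permission?")
      );
    }
    if (!decision) {
      denied.push(type);
      log("Denied access to " + type);
    }
    return decision;
  }

  // 1. Gate addEventListener. Unlike the one-line rule, keep `this` and forward
  //    the options argument so non-sensor listeners behave exactly as before.
  target.addEventListener = function (type, listener, options) {
    if (allowed(type)) return originalAdd.call(this, type, listener, options);
    return undefined;
  };

  // 2. Gate the on-handler properties as well: assigning `window.ondevicemotion`
  //    registers a listener without ever calling addEventListener.
  for (const type of SENSOR_EVENTS) {
    let current = null;
    Object.defineProperty(target, "on" + type, {
      configurable: true,
      enumerable: true,
      get() { return current; },
      set(fn) {
        if (current) target.removeEventListener(type, current);
        current = null;
        if (typeof fn !== "function" || !allowed(type)) return;
        current = fn;
        originalAdd.call(target, type, fn);
      },
    });
  }

  return { denied, decided: () => decision };
}

// Simulates a page that registers sensor and non-sensor listeners both ways,
// then fires each event once; `userAnswer` plays the role of the confirm() reply.
function simulatePage(userAnswer) {
  const fakeWindow = new EventTarget(); // constructed stand-in for window
  let prompts = 0;
  const gate = installSensorGate(
    fakeWindow,
    () => { prompts++; return userAnswer; },
    () => {} // silence the log in the simulation
  );
  const fired = { devicemotion: 0, deviceorientation: 0, resize: 0 };
  fakeWindow.addEventListener("devicemotion", () => fired.devicemotion++);
  fakeWindow.ondeviceorientation = () => fired.deviceorientation++;
  fakeWindow.addEventListener("resize", () => fired.resize++);
  for (const type of Object.keys(fired)) fakeWindow.dispatchEvent(new Event(type));
  return { prompts, denied: gate.denied, fired };
}

console.log("denied:", simulatePage(false));
console.log("granted:", simulatePage(true));
```

The user is asked once per page load and the answer is cached, as in the rule; a denied page still gets its `resize` and other ordinary listeners, so only the sensor channel is cut. Whether a site actually uses the data for layout or for fingerprinting cannot be told from the registration alone, which is why the prompt rather than a hard block is the sensible default.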

@ameshkov
Member

Let me check on Android:)

@ameshkov
Member

> AG user filters?

Yeah, just add this exact rule to the AG user filter

@ameshkov
Member

Works for me in Chrome

@TPS
Contributor Author

TPS commented Sep 10, 2017

Nope, nothing, but I'm only using WebView browsers, mostly LastPass.

@ameshkov
Member

HTTPS filtering is disabled for LastPass by default

@TPS
Contributor Author

TPS commented Sep 10, 2017

Doesn't work in Firefox Klar (F-droid), either. Is that whitelisted?

@ameshkov
Member

It targets Nougat, hence it does not trust user certificates: https://blog.adguard.com/en/android-nougat-release-and-what-does-it-mean-for-adguard-users/

Most major browsers made an exception for it and opted to trust user certificates (Chrome, Samsung, regular FF if you install the certificate into their cert storage).

However, there're some browsers that don't do it, like Firefox Focus for instance.

@ameshkov
Member

Here is the GH issue where we test it: #1304

@TPS
Contributor Author

TPS commented Sep 10, 2017

I'm running Nougat, so does that mean I'm SOL re: HTTPS-filtering? I'd be ok w/ that, anyway, but just to try this POC-fix, I've enabled it.

@ameshkov
Member

> SOL re: HTTPS-filtering

Mm? Can't parse it:)

@TPS
Contributor Author

TPS commented Sep 10, 2017

SOL = S*** Outta Luck.... Sorry. 😅🤬 I mean, Nougat can't HTTPS-filter, then?

@ameshkov
Member

> SOL = S*** Outta Luck.... Sorry. =) I mean, Nougat can't HTTPS-filter, then?

It can, but the app dev should allow it by adding special "network security configuration".

Here is a list of major browsers supporting it:

Chrome
Samsung
Firefox (you'll need to tap "install certificate into Firefox" in AG settings)
Opera
Dolphin
Yandex

@TPS
Contributor Author

TPS commented Sep 11, 2017

Meh, I'll just turn HTTPS-filtering off. But if the POC-fix works, maybe include that in the experimental filters & find some beta testers to try it on mobile?

@ameshkov
Member

I have it in the user filter myself, we'll see if anybody tries to exploit it.

@ameshkov
Member

Here's how it looks:
https://uploads.adguard.com/up04_2xrsf.png

@TPS
Contributor Author

TPS commented Sep 11, 2017

Does it actually grant/deny the permission? The JS seems to just log the decision.

@ameshkov
Member

It does

@TPS
Contributor Author

TPS commented Sep 18, 2017

Here's a non-HTTPS site for which I get the function prompt:

http://www.islandpacket.com/opinion/opn-columns-blogs/david-lauderdale/article135539793.html

How do I confirm the block? I don't even see anything in the log:
adguard_logs_1709_2248.zip

@TPS
Contributor Author

TPS commented Sep 18, 2017

Here's another: http://m.starwoodhotels.com/westin/property/area/transportation.html?propertyID=1415&language=en_US

@ameshkov
Member

islandpacket.com uses it for legit purposes (changes the page layout on device orientation change).

m.starwoodhotels.com -- not so clear here, the script is heavily obfuscated, I can't understand why it needs it yet.

@TPS
Contributor Author

TPS commented Sep 25, 2017

Changing page layout doesn't need gyro - 1 can get screen/window dimensions to do that. But blocking them makes me happier, anyway.

@ameshkov
Member

It detects the portrait<->album transitions, nothing serious really.

@TPS
Contributor Author

TPS commented Oct 5, 2017

Just FYI & OT: If ever translating the change from & to portrait orientation, the other 1 is called landscape in the US.

@TPS TPS changed the title RFE: Block Acceleration/Gyroscope Tracking Block Acceleration/Gyroscope Tracking Oct 28, 2017
@TPS
Contributor Author

TPS commented Feb 24, 2018

Folks @ Princeton U. have juiced this up (like on steroids!) & made a patent-pending version, it seems:

https://www.princeton.edu/news/2017/11/29/phones-vulnerable-location-tracking-even-when-gps-services

https://doi.org/10.1109/TMSCS.2017.2751462

https://drive.google.com/file/d/1HYHM6A3htTv9V3eMs8zEkZK3ILmnk3Vp/view

Whaddy'all think, @AdguardTeam?

@ameshkov
Member

Not that we can do anything with that :(

@TPS
Contributor Author

TPS commented Mar 21, 2018

Another example for the original issue: Any page @

http://www.star-telegram.com/

@TPS
Contributor Author

TPS commented Mar 29, 2019

NB: I recommend doing this link on a private browser/tab, or 1 that all tracking data can be wiped, as article accesses are limited monthly.

Yet another fine example @ http://www.bloomberg.com/news/features/2018-09-20/making-marines-into-macgyvers

@TPS
Contributor Author

TPS commented Mar 30, 2019

@ameshkov A further idea for this: Maybe have a toggle/explanation for this in the Stealth module/tab, which just adds your rule above, since that still works fine. Y'all could even default it off.

P.S.: I've added links to Princeton U.'s paper re: their supercharged version of this.

@adguard-bot adguard-bot added low and removed low labels Aug 5, 2021
@TPS
Contributor Author

TPS commented Oct 25, 2021

https://github.com/thewhiteh4t/seeker has recently been promoted on GitHub's Explore, which seems to be a combo of this & #1477.
