Building a slide deck, pitch, or presentation? Here are the big takeaways:
- Mozilla is disabling several sensor APIs in an upcoming release of Firefox, citing privacy concerns.
- Firefox users who don’t want to wait to disable sensor access can go to about:config and set the device.sensors.enabled value to false.
Three APIs are slated for termination in Firefox 60, which is currently in beta and is scheduled for general release in May 2018. The APIs in question are devicelight, deviceproximity, and userproximity. Mozilla also plans to get rid of the devicemotion and deviceorientation APIs in Firefox 62, which is planned for late August 2018.
All of the affected APIs improve browsing experiences by making web apps seem more like regular mobile apps. Removing them may seem like it’s only hurting users, but Mozilla says the APIs in question are all incredibly powerful tools that can be misused.
Mobile browser API abuse: What’s the risk?
Proximity, motion, and light don’t seem to be potential security risks, but security and privacy researcher Dr Lukasz Olejnik begs to differ. He’s written several pieces about the security risks of the very sensors that Mozilla is planning to disable in future Firefox releases.
Light sensors, for example, have the potential to track user behavior, determine browsing history, duplicate web content, and even steal banking PINs. Doing so would require complicated code, and probably a bit of machine learning technology as well, but it isn’t outside the realm of possibility if Olejnik is correct.
Proximity and motion sensors can also be abused to learn about device users and their behavior, though they don’t present as great a data risk as light sensors. Proximity sensors, Olejnik said, can be used to differentiate between users and pattern user behavior and to provide details about the kinds of apps being used.
The sensors that Olejnik mentions, and that Mozilla is cutting off, have been standardized by the World Wide Web Consortium, which, Olejnik points out, gives every single website the ability to access their data.
Protecting your browsing
Olejnik said that Firefox users wanting to protect themselves prior to the release of Firefox 60 and 62 can perform a couple of simple steps to turn off sensor access to their browser. In the URL field, type about:config. Find the device.sensors.enabled value and set it to false, which will prevent Firefox from making use of any sensors.
Other browsers, Olejnik said, don’t utilize sensor events in the same way, so no action is needed to protect yourself.
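To confirm the about:config change across Firefox profiles, the following added example (not from the article or from Mozilla) reads a profile's prefs.js and user.js files and reports whether device.sensors.enabled is effectively false. The sample file contents are constructed, the function names are hypothetical, and the default of true when the preference is unset is an assumption.

```python
import re
from pathlib import Path

PREF = "device.sensors.enabled"  # preference name given in the article
# Firefox stores preferences as lines like: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample file contents (not taken from a real profile).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("device.sensors.enabled", true);
'''
SAMPLE_USER_JS = '''// user_pref("device.sensors.enabled", true);  (commented out, ignored)
user_pref("device.sensors.enabled", false);
'''

def read_pref(text, name=PREF):
    """Return the last value assigned to `name` in the text, or None if unset."""
    value = None
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match and match.group(1) == name:
            value = match.group(2)
    return value

def sensors_disabled(prefs_js="", user_js="", default="true"):
    """True if the effective value is false. user.js is applied over prefs.js
    at startup; `default` (assumed "true") applies when neither file sets it."""
    for text in (user_js, prefs_js):
        value = read_pref(text)
        if value is not None:
            return value == "false"
    return default == "false"

def audit_profiles(root):
    """Map each profile directory under `root` to whether sensors are disabled."""
    results = {}
    for profile in sorted(Path(root).iterdir()):
        if profile.is_dir():
            texts = []
            for name in ("prefs.js", "user.js"):
                path = profile / name
                texts.append(path.read_text(errors="replace") if path.is_file() else "")
            results[profile.name] = sensors_disabled(*texts)
    return results

if __name__ == "__main__":
    print(sensors_disabled(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```

Point `audit_profiles` at the directory that holds the Firefox profile folders; any profile mapped to `False` still has sensor access enabled.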