
By running the code below I have proven that Firefox on Android continues to track the user's location even when the phone is off and/or Firefox has been moved to the background and another App is in the foreground. How can the user tell that this espionage is occurring?

Should not a privilege/user-approval be required for this?

Why is Firefox the only browser with this vulnerability?

<!DOCTYPE html>
<html>
<body>

<p>Wait 5 secs.</p><br />

<p id="out"></p>

<script>

// Called for every position fix delivered by watchPosition().
function success(position) {
    var x = document.getElementById("out");
    x.innerHTML += position.timestamp + " GPS " + Date() + "<br />";
}

// Called when the position cannot be obtained (permission denied, timeout, ...).
function failure(error) {
    var x = document.getElementById("out");
    x.innerHTML += error.message + " Error " + Date() + "<br />";
}

document.getElementById("out").innerHTML = "Start " + Date() + "<br />";

// Log every foreground/background transition of the page.
if (document.addEventListener) {
    document.addEventListener("visibilitychange", function() {
        var x = document.getElementById("out");
        x.innerHTML += document.visibilityState + " " + Date() + "<br />";
    });
} else {
    // Legacy IE event registration.
    document.attachEvent("onvisibilitychange", function() {
        var x = document.getElementById("out");
        x.innerHTML += document.visibilityState + " " + Date() + "<br />";
    });
}

// Marker showing that timers have fired.
setTimeout(function() {
    var x = document.getElementById("out");
    x.innerHTML += "Timeout " + Date() + "<br />";
}, 5000);

// Start continuous tracking; the watch is never cleared, so fixes keep being
// logged for as long as the browser delivers them.
var trackerId = navigator.geolocation.watchPosition(success, failure, {
    enableHighAccuracy: true
});

</script>

</body>
</html>
Richard Maher

1 Answer


The Window.navigator read-only property returns a reference to the Navigator object. It's a JavaScript object.

Most browsers will give a pop-up asking the user's permission to allow the page to have access to the user's geolocation when the script is run, unless you have already allowed it. Use Menu > Settings > Clear private Data to clear the site's data.

j4rey
  • Yes but that is the same for all browsers that wish to access users' location in the foreground. IMHO a user has a reasonable expectation that when the phone is off or they're making a call and now Firefox is in the background that GeoLocation tracking will cease. Do you not agree?
    Is Firefox wrong or all the other browsers wrong?
    – Richard Maher May 26 '16 at 06:29
  • As far as I understand, JavaScript performance while the browser is in the background is not 100% stopped, but timers and timeouts are common and overall JavaScript performance is unreliable. But I'm pretty sure that switching an app from foreground to background does not instantly stop all scripts or force them to stop. That is why, when you background the browser, your scripts still run, for a time at least. By all accounts, different browsers have slightly different JavaScript implementations, and Safari, Chrome and Opera all behave differently in terms of JavaScript persistence when backgrounded. – j4rey May 26 '16 at 06:47
  • I have provided the script/page that can be run with any OS and browser that you wish. It is deterministic. Firefox continues in background and no one else does. Please have a go. Some may continue while browser is in FG but phone is off but it has been my observation that FF is the only browser to continue in the BG. Can you show me Firefox running for "a time" and then stopping? Please let's confine ourselves to the demonstrable facts. – Richard Maher May 26 '16 at 06:52
  • Chrome terminated this exact behaviour due to privacy and security concerns. Not to mention battery performance: - https://bugs.chromium.org/p/chromium/issues/detail?id=506435 – Richard Maher May 30 '16 at 00:26
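
As an added example (not part of the original question, answer or comments): a page that wants location only while the user is looking at it can tie its watch to the `visibilitychange` event the question's script already logs, clearing the watch whenever the document is hidden and ignoring any fix that still arrives afterwards. The function name `visibilityScopedWatch` and the stand-ins for `document` and `navigator.geolocation` in `demo()` are constructed for illustration so the logic also runs outside a browser.

```javascript
// Added example, not code from the original post. Keeps a geolocation watch
// alive only while the document is visible. `doc` and `geo` are injected
// (document and navigator.geolocation in a browser) so it also runs in Node.
function visibilityScopedWatch(doc, geo, onFix, onError, options) {
  let watchId = null;
  // Drop any fix delivered after the page was hidden (race with clearWatch).
  const guardedFix = (pos) => { if (doc.visibilityState === "visible") onFix(pos); };
  const start = () => {
    if (watchId === null) watchId = geo.watchPosition(guardedFix, onError, options);
  };
  const stop = () => {
    if (watchId !== null) { geo.clearWatch(watchId); watchId = null; }
  };
  const sync = () => (doc.visibilityState === "visible" ? start() : stop());
  doc.addEventListener("visibilitychange", sync);
  sync();
  return {
    isWatching: () => watchId !== null,
    dispose() { doc.removeEventListener("visibilitychange", sync); stop(); },
  };
}

// Constructed stand-ins for document and navigator.geolocation (assumptions).
function demo() {
  const listeners = [];
  const doc = {
    visibilityState: "visible",
    addEventListener: (type, fn) => listeners.push(fn),
    removeEventListener: (type, fn) => { const i = listeners.indexOf(fn); if (i >= 0) listeners.splice(i, 1); },
  };
  const active = new Map(); // watch id -> success callback
  let nextId = 1;
  const geo = {
    watchPosition: (ok) => { active.set(nextId, ok); return nextId++; },
    clearWatch: (id) => active.delete(id),
  };
  const setVisibility = (state) => {
    doc.visibilityState = state;
    listeners.slice().forEach((fn) => fn());
  };
  const fixes = [];
  const watch = visibilityScopedWatch(doc, geo, (p) => fixes.push(p.timestamp), () => {}, {});
  const callback = active.get(1);
  callback({ timestamp: 1 });   // delivered while visible: kept
  setVisibility("hidden");      // watch is cleared
  const watchesWhileHidden = active.size;
  callback({ timestamp: 2 });   // late delivery while hidden: dropped
  setVisibility("visible");     // watch is re-registered
  return { fixes, watchesWhileHidden, watching: watch.isWatching(), watchesAfter: active.size };
}
```

In a browser the call would be `visibilityScopedWatch(document, navigator.geolocation, success, failure, { enableHighAccuracy: true })`, reusing the question's own callbacks.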