The sensor that lets your phone know which way the screen is oriented also—thanks to minute manufacturing variations—emits a unique data “fingerprint” that could allow your phone to be tracked, even if all other privacy settings are locked down, researchers say.
In addition to governing basic things like screen orientation, accelerometer data is widely used by apps such as pedometers and mobile games. Meanwhile, many apps often rely on advertising, which has led advertisers to search for ways to track users and their Web habits.
Even if you don’t allow apps to see your personal data or location, just the raw movements of the phone—which can be measured without permission—can betray the phone’s unique identity and track it over time, says Romit Roy Choudhury, an associate professor at the University of Illinois who cowrote a paper with colleagues at the University of South Carolina that describes the phenomenon. “There has been a lot of work to catch the leakage of ID information from phones,” he says. “We are now saying that accelerometer data going out of the phone can be treated as an ID.”
Accelerometers use a technology called micro-electro-mechanical systems, or MEMS. In the case of an accelerometer, tiny bars of metal move between other metal bars in response to motion, changing electrical capacitance and indicating 3-D movement. Using this information, a smartphone can determine a change in screen orientation, or translate physical movements to a character in a game.
But the underlying data varies minutely from accelerometer to accelerometer, the researchers found. After testing 80 accelerometer chips—plus 25 Android phones and two tablets that used accelerometers—the researchers could pick out the fingerprint with 96 percent accuracy.
Janne Lindqvist, a mobile security researcher at the Winlab at Rutgers University, says the work is novel and important. “Accelerometers still do not require ‘permissions’ to be enabled,” he says. “So they can be used stealthily. I think this is great work, and points out yet another reason why smartphones shouldn’t allow easy access to accelerometer data.”
Indeed, earlier research had shown that accelerometer data can also be used to infer passwords based on the taps people make on their phones.
No regulations or industry practices mandate that users must give affirmative permission before an app can access accelerometer motion data (in contrast, people must give permission before giving their precise location data from GPS chips).
Choudhury said his team was working on ways to add noise to the accelerometer data in a way that obscures the fingerprint, while still making the basic position data accurate. “We believe that some of this can be done for most of the applications, except the ones that you need very precise details,” he says.
Other sensors in smartphones—such as gyroscopes, magnetometers, and microphones—might also have similar electronic fingerprints. “Collection of such fingerprints from other sensors could allow a device to be tracked anywhere and for long periods,” Choudhury says.