Researcher points out that apps can collect user activity, heart rate, position, voice data, etc. using the iPhone accelerometer



High-performance smartphones and smartwatches are equipped with accelerometers that detect the tilt and acceleration of the device, and these are used for applications such as pedometers and fall detection. However, the information that can be collected by the accelerometer is broader than people imagine, and iOS apps can access the data collected by the accelerometers of the iPhone and Apple Watch without the user's permission, security researcher Tommy Mysk warns.

iPhone Apps Can Tell Many Things About You Through the Accelerometer | Mysk
https://www.mysk.blog/2021/10/24/accelerometer-ios/

The iPhone is equipped with an accelerometer and a gyroscope to detect motion data, and Mysk collectively calls these sensors 'accelerometers' for convenience. Although many apps use accelerometer data, users rarely realize that an app is collecting it. This is because an app needs explicit user consent to access location data, Bluetooth, the camera, etc., while access to accelerometer data does not require explicit permission.

Apps can only access accelerometer data when they are active in the foreground, and apps running in the background cannot access the data. However, Mysk points out that the personal information that apps can derive from accelerometer data is diverse and can threaten user privacy.



The 'possible scenarios for data collection through accelerometers' pointed out by Mr. Mysk are as follows.

◆ Exercise and activities
Accelerometer data reflects how the smartphone is held and moved, so an app can tell whether the user is lying down, sitting, walking, or cycling. In addition, although the iPhone restricts apps from accessing the pedometer, there are highly accurate algorithms that estimate the number of steps from accelerometer data, so it is also possible to determine the user's step count.

In addition, the iPhone also has a barometric pressure sensor that measures barometric pressure and altitude, and apps can access its data without explicit permission, just as they can with the accelerometer. As a result, an app can measure altitude and barometric pressure while it is in use and tell whether the user is on a bus, train, or plane.

◆ Heart rate / respiratory rate
Studies have shown that accelerometers can detect minute vibrations transmitted from the hands and body of a user holding an iPhone, and that this data can be used to estimate heart rate. In other words, an iOS app may be able to detect the user's heart rate while the app is in use by collecting accelerometer data. Research has also shown that accelerometers can be used to measure respiratory rate as well as heart rate, making it possible to diagnose specific illnesses that can be inferred from respiratory rate, Mysk said.



◆ Accurate location information
Accelerometer data does not contain location information, but Mysk believes that accurate location information can be inferred using vibration patterns that are specific to a particular environment. For example, if a person named 'A' opens an app with location sharing turned off and is on a bus, the app will not know A's location. On the other hand, if the person 'B' who has the same app with location sharing turned on is on the same bus, the app can know the location information of B.

If the app collects accelerometer data from smartphones A and B, the app will know that the two smartphones have a common vibration pattern. As a result, the app judges that 'two smartphones are in the same place', and it is possible to know the accurate location information of A who has turned off location information sharing.
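The co-location inference described above, as an added example (not code from Mysk or from the original article): two constructed traces that share one vehicle's vibration correlate strongly even with a small clock offset, while a trace from a different vehicle does not, which is why motion data deserves the same protection as location data. All function names, the noise model, and the 0.6 threshold are assumptions made for illustration.

```python
import math
import random

def pearson(x, y):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(vx * vy)

def best_correlation(a, b, max_lag=10):
    """Highest Pearson r over small clock offsets between two traces."""
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        if lag >= 0:
            x, y = a[lag:], b[:len(b) - lag]
        else:
            x, y = a[:len(a) + lag], b[-lag:]
        best = max(best, pearson(x, y))
    return best

def make_traces(seed=7, n=500, offset=3):
    """Constructed sample data: phones A and B ride the same vehicle, C another."""
    rng = random.Random(seed)
    road = [rng.gauss(0, 1.0) for _ in range(n + offset)]  # shared vibration
    other = [rng.gauss(0, 1.0) for _ in range(n)]          # different vehicle

    def noisy(signal):
        # Each phone adds its own hand and sensor noise (assumed sigma 0.3).
        return [v + rng.gauss(0, 0.3) for v in signal]

    phone_a = noisy(road[offset:])  # A's clock runs `offset` samples ahead of B's
    phone_b = noisy(road[:n])
    phone_c = noisy(other)
    return phone_a, phone_b, phone_c

def same_environment(a, b, threshold=0.6):
    """Assumed decision rule: strong correlation means a shared environment."""
    return best_correlation(a, b) >= threshold

if __name__ == "__main__":
    a, b, c = make_traces()
    print("A vs B:", round(best_correlation(a, b), 3), same_environment(a, b))
    print("A vs C:", round(best_correlation(a, c), 3), same_environment(a, c))
```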

◆ Audio recording
The sound waves emitted from the telephone speaker become vibrations that are transmitted to the smartphone, and the accelerometer detects these as a unique vibration pattern. A 2019 study reported that it was possible to reconstruct voice data from accelerometer data, and Mysk points out that it may be possible to collect audio recordings of calls made while the app is open.



In fact, Mysk investigated whether multiple apps read accelerometer data, using the option to view the iPhone system log in Xcode, Apple's integrated development environment. As a result, it was found that accelerometer data is collected by apps such as Facebook, Facebook Messenger, Instagram, WhatsApp, Signal, Slack, Telegram, TikTok, Threema, Twitter, and WeChat. Although multiple apps collected data only when it was related to a specific function, Facebook seems to have been collecting data all the time, even when the function that appears to be related to the accelerometer was turned off.

Mysk points out that accelerometer data can be transformed into a variety of personal information using appropriate algorithms. From the perspective of protecting personal information, he said that access to accelerometers should also be protected.

in Mobile,   Software,   Security, Posted by log1h_ik