AFAIK gyroscope/accelerometer data aren't gated behind a permission prompt on ios or android, so it's not something you can "turn off".

While your app is running, this is true, but if the tracking is limited to times when the app is running, the value is going to be quite limited. They specifically mention getting information about whether you are a runner or riding the subway. If you are out running, you don't have an app open, your phone is in your pocket. I'm pretty sure on the iPhone, getting this kind of data while your app is in the background requires access to the health data which is behind a permissions dialog.

This is why I'm frustrated about the article. It doesn't say how the data is gathered or even really hint at it. The implication is it's a ubiquitous, unavoidable problem, but I don't think that's the case.

I remember reading the privacy policy of Snapchat and refusing to install it because they explicitly mentioned accelerometer data.

I’m pretty sure they (and a lot of other scummy companies) are using this data to track location and/or relationships between users based on correlated accelerometer data.

If you are in a moving vehicle, the accelerometer patterns would be very similar and would reflect the movement/vibrations of the vehicle, which can be matched similarly to how Shazam is able to identify songs based on partial and noisy audio waveforms.

If you have one user whose location and accelerometer pattern is known and then you have another user whose location isn’t known but their accelerometer pattern matches the first user’s one in the same timeframe (with some margin of error to account for clock skew) you can infer that the second user is in the same vehicle (thus location) as the first one. Multiple measurements over time would eliminate any potential errors.

Man, this is rough.

What you describe is totally plausible, and it's insanely frustrating that there are likely smart people who've done this instead of contributing to advancing science, medicine, or at least doing something that doesn't actively hurt society

Yes, and they were paid to do it by people who got rich abusing public trust in a thousand and one ways just like this.

Chat apps and social media apps are particularly bad at spilling piles of tracking data in general. If you are worried about getting tracked, stay away from social media. iMessage or straight SMS leave some trace, but it's far less than what you leave behind with services like Snapchat.

Obviously people are not going to install an app that is only intended to track them.

However, app makers will put this tracking company's SDK into their app so that they can get a hold of the generated data. But that data is then also shared to the tracking company, and used to build up a complete profile about you.

And, of course, you just know that it'll come bundled in shitty Android ROMs as some darn home screen widget that you can't get rid of, so it'll constantly be "running".

If you press the sleep/wake button while an app is open, is that considered sending an app to the background?

Is it any different from going to the Home screen first prior to pressing the sleep/wake button?

On the iPhone, it's pretty straight forward:

willResignActiveNotification:

"An app is active when it is receiving events. An active app can be said to have focus. It gains focus after being launched, loses focus when an overlay window pops up or when the device is locked, and gains focus when the device is unlocked."

https://developer.apple.com/documentation/uikit/uiapplicatio...

Less clear is if you have 2 or 3 apps open on an iPad.

Not sure on Android, but I suspect it's similar. Because of battery life, OS makers don't let apps keep running after the display is off.

> OS makers don't let apps keep running after the display is off

I don't mean to disagree, but how would the app send notifications to you while your display is off ?

From your quote it seems that active app =/= app that has focus.

First, I was a little vague. When I said OS makers, I was referring only to iOS and Android, Mac, Linux and Windows apps are always active when in the background.

As for how they receive notifications while in the background. On iOS (and I'm sure Android is similar), apps register notification events with the OS and the OS sends a notification to the app for that specific event. For example you can register a specific number geographical areas and get notified when a user enters or leaves those areas. Your app is still in the background, but you can perform some small task in response to that event[1].

Your app can also get push notifications over the network or timed notification while in the background. For example a podcast app might get signaled that a new episode is ready and download that episode.

Backgrounded apps can also pop notifications which put alerts up and trigger a sound/ vibration. That's how most notifications get done.

The type of notifications you can get is pretty limited though and the accelerometer is not one of the things you can listen for.

There are also a few specific things apps can do while in the background[2] which generally prevents them from being killed. Media playback is the big one. But again, access to notifications and events like the accelerometer data is quite limited. I believe fitness apps might have access to accelerometer data while in the background, but I'm not sure.

[1] This has been abused and it's been a big game of cat and mouse.

[2] This has also been abused.

The perhaps that needs to change, ASAP.

Apps shouldn't really have access to anything beyond the very basics without explicit permission.

At some point, the experience becomes an endless pile of permissions dialogs. We already see this and see complaints about it.

I think this article is a bit alarmist and overstates the issue. So long as much of this data is limited to foreground apps and background activities are strictly limited, the issue is not nearly as bad as they suggest and as I mentioned previously, I find it unlikely some of the specific abuses they mention are even likely to happen.

> At some point, the experience becomes an endless pile of permissions dialogs.

Surely just one set at install of the app?

My coffee loyalty app wants access to my contacts and a bunch of sensors? Nope.

I got the impression the article was about a product that alreadh exists!

No, I think Apple needs to start auditing apps and deciding for users if these permissions are reasonable and banning apps that use sensor data maliciously like this. People choose Apple products because they want apple to make these reasonable privacy choices on their behalf.

At install is really not an ideal experience for most apps, unless the feature is crucial to the functioning of the app (eg. camera access for a camera app).

The right time to ask for permission is when it's used. For example in iOS 14, Signal asks permission to access devices on my local network to sync over Wi-Fi at first launch. I don't want sync over Wi-Fi, so I said no, but many people might just say yes in order to start using the app.

> Apps shouldn't really have access to anything beyond the very basics without explicit permission.

Now you just need to have everyone agree on what the "basics" are.

CPU, memory, screen, sound, touchscreen input.

Want sensors, system info, literally anything else? Ask.

That will just turn into another cookie prompt where everyone just clicks the thing that will make the annoying popup go away.

Then we'll need more legislative measures to stop the intrusive behaviour.

No, because at least on iOS the pop-up has a button for allow and a button for deny and the app must function wether you allow or deny, it can only disable related functionality.