How websites can use your camera when your phone is locked

Imagine you’re using your phone with one of the popular web-based conferencing apps, like Google Meets or Jitsi, and you get distracted by somebody nearby that needs your attention. It’s important, private and urgent. It puts you in a hurry, so you say “I’ve got to go”, you put the phone down, lock it and start talking, but you forget to exit the app.

Should your locked phone be able to show everyone on the call what’s happening? Should they be able to see or hear your urgent, private conversation?

We hope the answer’s pretty obvious: no, they shouldn’t. But if you’re using Firefox for Android, then yes, they can.

This surprising fact first came to our attention just a few hours ago, when a group of users who were just as alarmed as we were took to Y Combinator’s Hacker News to voice their concerns.

So we decided to take a look and our analysis confirmed the situation first reported to Firefox a year ago: if you put the Firefox browser into the background, or lock your phone, while you’re on a website using WebRTC, the phone will carry on sending your audio and video feeds to the website you were using.

So why hasn’t it been fixed yet? Well, perhaps because there are some situations where carrying on a call while the browser is in the background would be useful. If you were using Google Meets on your laptop and you wanted to check your email or calendar at the same time, you wouldn’t expect your browser to drop your call. Your phone probably shouldn’t either.
What everyone seems to agree on though, is that your camera should never record you when your phone is locked.
When Android Pie was released, it was widely believed that the camera and microphone couldn’t be accessed by background apps.
There’s more to it than that though, as this commit message suggests:

If a UID is idle (being in the background for more than cartain amount of time) it should not be able to use the camera. If the UID becomes idle we generate an eror and close the cameras for this UID. If an app in an idle UID tries to use the camera we immediately generate an error. Since apps already should handle these errors it is safe to apply this policy to all apps to protect user privacy.

The camera can’t be accessed by idle background apps (an app is idle if it hasn’t be used for a while). And if the app has a foreground service, like Firefox, it can always access the camera and microphone anyway, even if the app is in the background and idle.

Firefox have tried to improve the situation by adding a note to the Android notification panel, although you’d have to go looking for it to see it. It’s an improvement, but if Firefox can keep your camera running in the background by accident, then spyware and stalkerware can do it deliberately. And they aren’t going to tell you in your notification panel.

If you’re using the Traced app for Android, you’ll be alerted whenever an app tries to access your camera, microphone, screen, or other private data. If you’re concerned about your privacy, download the Traced app for free to find out what the apps on your phone are doing behind your back.

As mentioned by Reddit user DisplayDome, you can disable WebRTC in Firefox. To do this, typeabout:config in the address bar and set media.peerconnection.enabled to false. Be careful though, this will stop WebRTC completely, and prevent you from using services like Google Hangouts.

One reply on “How websites can use your camera when your phone is locked”

Leave a Reply

Your email address will not be published. Required fields are marked *