For the most part, these computer programs are algorithms that make up a type of machine learning, Al-Haiqi says. Researchers first train the programs to recognize keystrokes. They do this by feeding the programs lots of motion-sensor data. Those data are then labeled with the key tap that produced a particular movement.

A pair of researchers built TouchLogger. It’s an app that collects sensor data on a phone’s orientation in space. It uses these data to figure out how a user had been tapping on a smartphone’s number keyboard. In a 2011 test on phones made by a company in Taiwan, called HTC, TouchLogger figured out more than 70 percent of key taps correctly.

Since then, more studies have come out showing similar results. Scientists have written code to infer keystrokes on number and letter keyboards for different types of phones. In one 2016 study, Al-Haiqi’s team reviewed how successful these efforts were. And they concluded that only a snoop’s imagination limits the ways motion data could be translated into key taps. Those keystrokes could reveal everything from the password entered on a banking app to the contents of a text message.

A more recent application used a whole fleet of smartphone sensors to guess PINs. (A PIN is a sequence of numbers used to access a bank account.) The app analyzed a phone’s movement. It also noted how, during typing, the user’s finger blocked the light sensor. When tested on a pool of 50 PIN numbers, the app could discern keystrokes with 99.5 percent accuracy. The researchers reported this in December 2017 on the Cryptology ePrint Archive.

Other researchers have paired motion data with microphone recordings. A phone’s mic can pick up the soft sound of a fingertip tapping on a screen. One group designed a malicious app. It could masquerade as a simple note-taking tool. When the user tapped on the app’s keyboard, the app covertly recorded the keys’ input. It also recorded the simultaneous microphone and gyroscope readings. That let it learn the sound and feel to correctly diagnose each keystroke.

The app could even listen in the background when the user entered sensitive info on other apps. This phone app was tested on Samsung and HTC phones. It inferred the keystrokes of 100 four-digit PINs with 94 percent accuracy.

Such high success rates come mostly from tests made in controlled settings, notes Al-Haiqi. Those tests assume that users will hold their phones a certain way each time or will sit down while typing. How these info-extracting programs fare in a wider range of real-world conditions remains to be seen. But the answer to whether motion and other sensors would open the door for new privacy invasions is “an obvious yes,” he says. Researchers have developed apps that...

can figure out your password through sensors.

disable sensors that violate your privacy.

protect your information from invasive sensors.

can infiltrate all of a phone's sensors.

1 answer