Your Phone's Battery Leaks - Your Id That Is
Written by Harry Fairhead   
Saturday, 08 August 2015

You can run, but you can't hide. It is amazing how innocent technological features turn out to have a hidden dark side. So it is with the battery API. Designed to help out with running out of juice, it now seems that it can be used to track you even if you don't want to be tracked.

 


The battery API is an HTML5 API approved by the W3C and implemented in most browsers. The idea was simple enough and completely harmless on the surface. It is useful for an app to know the battery state of the device it is running on so that it can postpone battery-draining activities like using WiFi, Bluetooth or, worse, the phone network. This seemed like such a good idea that the W3C passed the API specification without any safeguards like asking the user for permission. What this means is that any website or web app that you visit can discover the battery state of the device you are using without you knowing it is happening.

What could go wrong?

According to Belgian researchers Lukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz, who presented a paper outlining how it occurs, the problem is that the battery API could be used as another fingerprint vector. The API can return information on level, charging time and discharging time. The level property is a floating point value between 0 and 1 and the times are in whole seconds. The researchers discovered that the reported status was fixed for about 30 seconds, allowing it to be used as an identifier for short periods - enough to track the movement from one website to another.

The battery discharge and charge times can also be used. The discharge time provides some 39922 values, which combined with battery level gives 14172310 possible identifiers. The probability of a collision between two users accessing a site in terms of battery state is therefore low and this could be used to identify users' actions. 

The real importance of this short term identifier is that it can be used to track users across cookie changes. If a user re-enters a site in private mode, or clears cookies, then the battery API can be used to track them across the relatively short time it takes to make the change. 

If this wasn't enough, a longer term tracker can be found in some cases. Using the battery data it is possible to estimate the value of the battery's capacity - the EnergyFull value. This obviously only changes slowly over time and so provides a way to identify users across repeat visits. However, at the moment the method only works for Firefox on Linux because of the way it computes the charge level.

The solution is to ask browser makers not to report battery levels too accurately. This has been implemented in Firefox on Linux, which no longer provides enough information to work out the battery's capacity. A better solution might be to ask the user's permission to supply battery status - but most innocent users would simply agree.


After all what harm can there be in a website knowing your battery level?
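
The effect of reporting battery state less precisely, the mitigation suggested above, can be put into numbers. The following JavaScript is an added example, not code from the article or the researchers' paper: it uses the article's figures (39922 discharge-time values, 14172310 combined states) and assumes all states are equally likely. The step sizes, the 24-hour maximum and the two sample readings are constructed values.

```javascript
// Added example; figures below are the ones quoted in the article.
const DISCHARGE_VALUES = 39922;   // distinct dischargingTime values
const COMBINED_STATES = 14172310; // (level, dischargingTime) combinations
// Derived here, not stated in the article: implied number of level values.
const LEVEL_VALUES = COMBINED_STATES / DISCHARGE_VALUES; // 355

// Upper bound on identifying bits, assuming every state is equally likely.
function entropyBits(states) {
  return Math.log2(states);
}

// Chance that a visitor shares a state with at least one of `others`
// simultaneous visitors (same uniform assumption).
function collisionChance(states, others) {
  return 1 - Math.pow(1 - 1 / states, others);
}

// Hypothetical coarsening: level in steps of `levelStep`, times in buckets
// of `timeStep` seconds. Infinity (no estimate available) passes through.
function coarsen(reading, levelStep = 0.1, timeStep = 1800) {
  const steps = Math.round(1 / levelStep);
  const bucket = (t) =>
    Number.isFinite(t) ? Math.round(t / timeStep) * timeStep : t;
  return {
    level: Math.round(reading.level * steps) / steps,
    chargingTime: bucket(reading.chargingTime),
    dischargingTime: bucket(reading.dischargingTime),
  };
}

// Distinct states left after coarsening. maxSeconds is a constructed bound
// (24 hours) on the reported discharge time, not a figure from the article.
function coarsenedStates(levelStep = 0.1, timeStep = 1800, maxSeconds = 86400) {
  const levels = Math.round(1 / levelStep) + 1;
  const times = Math.round(maxSeconds / timeStep) + 1;
  return levels * times;
}

// Constructed sample readings from two different devices.
const a = coarsen({ level: 0.73, chargingTime: Infinity, dischargingTime: 10234 });
const b = coarsen({ level: 0.68, chargingTime: Infinity, dischargingTime: 11000 });
console.log(entropyBits(COMBINED_STATES).toFixed(1), "bits before coarsening");
console.log(entropyBits(coarsenedStates()).toFixed(1), "bits after coarsening");
console.log("devices indistinguishable:",
  a.level === b.level && a.dischargingTime === b.dischargingTime);
```

With a thousand simultaneous visitors, the full-precision state is almost always unique to one device, while the coarsened state is shared with someone else most of the time.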


Last Updated ( Saturday, 08 August 2015 )