Your Phone's Battery Leaks - Your Id That Is
Written by Harry Fairhead   
Saturday, 08 August 2015

You can run, but you can't hide. It is amazing how innocent technological features turn out to have a hidden dark side. So it is with the battery API. Designed to help out with running out of juice, it now seems that it can be used to track you even if you don't want to be tracked.

 


 

The battery API is an HTML5 API approved by the W3C and implemented in most browsers. The idea was simple enough and completely harmless on the surface. It is useful for an app to know the battery state of the device it is running on so that it can postpone battery-draining activities like using WiFi, Bluetooth or, worse, the phone network. This seemed like such a good idea that the W3C passed the API specification without any safeguards like asking the user for permission. What this means is that any website or web app that you visit can discover the battery state of the device you are using without you knowing it is happening.

What could go wrong?

According to Belgian researchers Lukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz, who presented a paper outlining how it occurs, the problem is that the battery API could be used as another fingerprint vector. The API can return information on level, charging time and discharging time. The level property is a floating point value between 0 and 1 and the times are in whole seconds. The researchers discovered that the reported status was fixed for about 30 seconds, allowing it to be used as an identifier for short periods - enough to track the movement from one website to another.

The battery discharge and charge times can also be used. The discharge time provides some 39922 values, which combined with battery level gives 14172310 possible identifiers. The probability of a collision between two users accessing a site in terms of battery state is therefore low and this could be used to identify users' actions. 

The real importance of this short term identifier is that it can be used to track users across cookie changes. If a user re-enters a site in private mode, or clears cookies, then the battery API can be used to track them across the relatively short time it takes to make the change. 

If this wasn't enough, a longer term tracker can be found in some cases. Using the battery data, it is possible to estimate the value of the battery's capacity - the EnergyFull value. This obviously only changes slowly over time and so provides a way to identify users across repeat visits. However, at the moment the method only works for Firefox on Linux because of the way it computes the charge level.

The solution is to ask browser makers not to report battery levels too accurately. This has been implemented in Firefox on Linux, which no longer provides enough information to work out the battery's capacity. A better solution might be to ask the user's permission to supply battery status - but most innocent users would simply agree.


After all what harm can there be in a website knowing your battery level?
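
The effect of reporting battery state less precisely, as an added example that is not from the original article or the researchers' paper: it counts how many readings remain distinguishable before and after coarsening. The sample readings are constructed, and the rounding policy (two decimal places for level, 15-minute buckets for the times) is an assumption chosen for illustration, not any browser's actual behaviour.

```javascript
// Constructed sample readings, shaped like the Battery Status API's
// BatteryManager (level 0..1, chargingTime/dischargingTime in seconds).
const sampleReadings = [
  { level: 0.8137, chargingTime: Infinity, dischargingTime: 13140 },
  { level: 0.8149, chargingTime: Infinity, dischargingTime: 13320 },
  { level: 0.8102, chargingTime: Infinity, dischargingTime: 13500 },
  { level: 0.4251, chargingTime: Infinity, dischargingTime: 6120 },
  { level: 0.4293, chargingTime: Infinity, dischargingTime: 6480 },
  { level: 0.9712, chargingTime: 1260, dischargingTime: Infinity },
];

// The tuple a site sees; readings with identical tuples cannot be told apart.
function stateKey(r) {
  return [r.level, r.chargingTime, r.dischargingTime].join('|');
}

// Hypothetical coarsening policy (an assumption, not a browser's real code):
// round level to `decimals` places and times to the nearest `timeStep` seconds.
function coarsen(r, decimals = 2, timeStep = 900) {
  const bucket = (t) => Math.round(t / timeStep) * timeStep; // Infinity stays Infinity
  return {
    level: Number(r.level.toFixed(decimals)),
    chargingTime: bucket(r.chargingTime),
    dischargingTime: bucket(r.dischargingTime),
  };
}

// Group readings by key and report how identifying that key is.
function distinguishability(readings) {
  const sets = new Map();
  for (const r of readings) {
    const k = stateKey(r);
    sets.set(k, (sets.get(k) || 0) + 1);
  }
  const sizes = [...sets.values()];
  return {
    distinctKeys: sets.size,                                // number of separate groups
    uniqueReadings: sizes.filter((n) => n === 1).length,    // readings alone in their group
    smallestSet: Math.min(...sizes),                        // worst-case anonymity set
  };
}

const raw = distinguishability(sampleReadings);
const coarse = distinguishability(sampleReadings.map((r) => coarsen(r)));
console.log({ raw, coarse });
```

A reading that is alone in its group is still identifiable after coarsening, which is why the smallest group size matters more than the average.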


Last Updated ( Saturday, 08 August 2015 )
 
 

   