Your Phone's Battery Leaks - Your Id That Is
Written by Harry Fairhead   
Saturday, 08 August 2015

You can run, but you can't hide. It is amazing how innocent technological features turn out to have a hidden dark side. So it is with the battery API. Designed to help out with running out of juice, it now seems that it can be used to track you even if you don't want to be tracked.

 


The battery API is an HTML5 API approved by the W3C and implemented in most browsers. The idea was simple enough and completely harmless on the surface. It is useful for an app to know the battery state of the device it is running on so that it can postpone battery-draining activities like using WiFi, Bluetooth or, worse, the phone network. This seemed like such a good idea that the W3C passed the API specification without any safeguards like asking the user for permission. What this means is that any website or web app that you visit can discover the battery state of the device you are using without you knowing it is happening.

What could go wrong?

According to Belgian researchers Lukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz, who presented a paper outlining how it occurs, the problem is that the battery API could be used as another fingerprint vector. The API can return information on level, charging time and discharging time. The level property is a floating point value between 0 and 1 and the times are in whole seconds. The researchers discovered that the reported status was fixed for about 30 seconds, allowing it to be used as an identifier for short periods - enough to track the movement from one website to another.

The battery discharge and charge times can also be used. The discharge time provides some 39922 values, which combined with battery level gives 14172310 possible identifiers. The probability of a collision between two users accessing a site in terms of battery state is therefore low and this could be used to identify users' actions. 

The real importance of this short term identifier is that it can be used to track users across cookie changes. If a user re-enters a site in private mode, or clears cookies, then the battery API can be used to track them across the relatively short time it takes to make the change. 

If this wasn't enough, a longer term tracker can be found in some cases. Using the battery data, it is possible to estimate the value of the battery's capacity - the EnergyFull value. This obviously only changes slowly over time and so provides a way to identify users across repeat visits. However, at the moment the method only works for Firefox on Linux because of the way it computes the charge level.

The solution is to ask browser makers not to report battery levels too accurately. This has been implemented in Firefox on Linux, which no longer provides enough information to work out the battery's capacity. A better solution might be to ask the user's permission to supply battery status - but most innocent users would simply agree.
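To see why precision matters for the short-term identifier as well, the following added example (not code from the article or the researchers' paper) groups battery readings by the tuple a page would see, before and after coarsening. The sample readings, the bucket sizes and the function names are assumptions made for illustration.

```javascript
// Constructed sample readings with the three fields the article names.
// In a browser the same fields come from `await navigator.getBattery()`.
const SAMPLES = [
  { level: 0.93, chargingTime: Infinity, dischargingTime: 13140 },
  { level: 0.91, chargingTime: Infinity, dischargingTime: 12817 },
  { level: 0.47, chargingTime: Infinity, dischargingTime: 6033 },
  { level: 0.52, chargingTime: 2710, dischargingTime: Infinity },
  { level: 0.49, chargingTime: 2954, dischargingTime: Infinity },
];

// The tuple a page sees. The same tuple observed on two sites inside the
// roughly 30 second update window links the two visits.
function identifier(r) {
  return `${r.level}|${r.chargingTime}|${r.dischargingTime}`;
}

// Assumed mitigation policy (not any browser's actual one): report the level
// in `levelSteps` buckets and, when timeStep > 0, times in timeStep-second
// buckets. Infinity ("not applicable") passes through unchanged.
function coarsen(r, levelSteps = 10, timeStep = 0) {
  const bucket = (t) =>
    timeStep > 0 && Number.isFinite(t) ? Math.round(t / timeStep) * timeStep : t;
  return {
    level: Math.round(r.level * levelSteps) / levelSteps,
    chargingTime: bucket(r.chargingTime),
    dischargingTime: bucket(r.dischargingTime),
  };
}

// Group readings by identifier. A group of size 1 is a uniquely trackable device.
function anonymitySets(readings, transform = (r) => r) {
  const sets = new Map();
  for (const r of readings) {
    const id = identifier(transform(r));
    sets.set(id, (sets.get(id) || 0) + 1);
  }
  return sets;
}

function uniqueDevices(sets) {
  return [...sets.values()].filter((n) => n === 1).length;
}

const raw = anonymitySets(SAMPLES);
const levelOnly = anonymitySets(SAMPLES, (r) => coarsen(r, 10));
const levelAndTime = anonymitySets(SAMPLES, (r) => coarsen(r, 10, 3600));
console.log("unique devices (raw / level only / level + time):",
  uniqueDevices(raw), uniqueDevices(levelOnly), uniqueDevices(levelAndTime));
```

With these constructed readings, coarsening the level alone leaves every device unique because the second-resolution times still differ; only bucketing the times as well merges devices into shared groups.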


After all, what harm can there be in a website knowing your battery level?


Last Updated ( Saturday, 08 August 2015 )