|Your Phone's Battery Leaks - Your Id That Is|
|Written by Harry Fairhead|
|Saturday, 08 August 2015|
You can run, but you can't hide. It is amazing how innocent technological features turn out to have a hidden dark side. So it is with the battery API. Designed to help out with running out of juice, it now seems that it can be used to track you even if you don't want to be tracked.
The battery API is an HTML5 API approved by the W3C and implemented in most browsers. The idea was simple enough and completely harmless on the surface. It is useful for an app to know the battery state of the device it is running on so that it postpone battery draining activities like using WiFi, Bluetooth or, worse, the phone network. This seemed like such a good idea that the W3C passed the API specification without any safeguards like asking the user for permission. What this means is that any website or web app that you visit can discover the battery state of the device you are using without you knowing it is happening.
What could go wrong?
According to Belgian researchers Lukasz Olejnik, Gunes Acar, Claude Castelluccia, and Claudia Diaz, who presented a paper outlining how it occurs, the problem is that the battery API could be used as another fingerprint vector. The API can return information on level, charging time and discharging time. The level property is a floating point value between 0 and 1 and the times are in whole seconds. The researchers discovered that the reported status was fixed for about 30 seconds, allowing it to be used as an identifier for short periods - enough to track the movement from one website to another.
The battery discharge and charge times can also be used. The discharge time provides some 39922 values, which combined with battery level gives 14172310 possible identifiers. The probability of a collision between two users accessing a site in terms of battery state is therefore low and this could be used to identify users' actions.
The real importance of this short term identifier is that it can be used to track users across cookie changes. If a user re-enters a site in private mode, or clears cookies, then the battery API can be used to track them across the relatively short time it takes to make the change.
If this wasn't enough, a longer term tracker can be found in some cases. Using the battery data is it possible to estimate the value of the battery's capacity - the EnergyFull value. This obviously only changes slowly over time and so provides a way to identify users across repeat visits. However, at the moment the method only works for Firefox on Linux because of the way it computes the charge level.
The solution is to ask browser makers not to report battery levels too accurately. This has been implemented in Firefox on Linux, which no longer provides enough information to work out the battery's capacity. A better solution might be to ask user's permission to supply battery status - but most innocent users would simply agree.
After all what harm can there be in a website knowing your battery level?
To be informed about new articles on I Programmer, install the I Programmer Toolbar, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin, or sign up for our weekly newsletter.
or email your comment to: firstname.lastname@example.org
|Last Updated ( Saturday, 08 August 2015 )|