Friday, 7 August 2015

Privacy Analysis Shows Battery Status API as Tracking Tool

Most smartphones nowadays include a feature that is essential to their use: battery status. The HTML5 Battery Status API has been found to have major flaws that leave users' privacy vulnerable. These flaws are a serious threat and need to be resolved as soon as possible.

The flaw resides mainly in the Battery Status API available on most smartphones. The API is part of HTML5, the set of standards that is the current language of the internet. Without the user being aware of it, this API provides web browsers such as Google Chrome and Firefox with sensitive information about the smartphone. The API also helps in activating a power-saving mode, which lets smartphone users get more out of their devices.

How severe is the flaw?

The Battery Status API can extract several pieces of information about the device's battery, including the battery level, the charging time and the discharging time. Combined, these values form a digital fingerprint of the device, which potential attackers can use to track users' activities on the internet.

Recent studies on battery status

A recent study of the Battery Status API was conducted by four researchers from France and Belgium. The research paper is titled “The leaking battery: A privacy analysis of the HTML5 Battery Status API”. The researchers concluded that the Battery Status API can serve as a potential tracking identifier in the hands of notorious trackers.

The study showed that the HTML5 Battery Status API quietly enables websites to access the battery state of any device, from mobile devices to laptops. Most of this battery information is extracted from the device without the user's knowledge. The API is extremely dangerous for privacy because it requires no permission to send out these details.

The study also showed that the API as implemented by the Firefox browser enables fingerprinting and tracking of devices over short time intervals. The researchers found the same results on other popular web browsers such as Chrome and Opera. The only web browser with a strong defense against fingerprinting through the Battery Status API is Tor Browser, which completely disables the API and so stops any fingerprinting attempt.

Private browsing can’t stop Battery Status API

Many people nowadays use private browsing to maintain their privacy online, but the Battery Status API can still allow attackers to track online activity through battery data. A script using the Battery Status API can help track people who have already deleted their browsing data. Such a script can even reinstate identifiers such as cookies without the user's knowledge. The study was conducted in the hope of identifying the glaring loopholes and flaws in the Battery Status API and drawing people's attention to their effects.
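
The sketch below is an added example, not code from the research paper or from any browser. It shows why the combined battery readings link a normal and a private window on the same device, and why disabling the API, as Tor Browser does, removes that signal. The sample readings are constructed and the function names are hypothetical.

```javascript
// Constructed sample data: the values a page can read from the object returned
// by navigator.getBattery() (charging, level, chargingTime, dischargingTime).
const visits = [
  { session: "device 1, normal window",  battery: { charging: false, level: 0.43, chargingTime: Infinity, dischargingTime: 8940 } },
  { session: "device 1, private window", battery: { charging: false, level: 0.43, chargingTime: Infinity, dischargingTime: 8940 } },
  { session: "device 2, normal window",  battery: { charging: true,  level: 0.81, chargingTime: 1260, dischargingTime: Infinity } },
];

// Join the readings into one string; null models a browser with the API disabled.
function batteryKey(battery) {
  if (battery === null) return "unavailable";
  const { charging, level, chargingTime, dischargingTime } = battery;
  return [charging, level, chargingTime, dischargingTime].join("|");
}

// Group session labels by the key a site would observe for each of them.
function groupByKey(records) {
  const groups = new Map();
  for (const { session, battery } of records) {
    const key = batteryKey(battery);
    groups.set(key, [...(groups.get(key) || []), session]);
  }
  return groups;
}

// Hypothetical helper: the same visits as seen when the API is disabled.
function withApiDisabled(records) {
  return records.map(({ session }) => ({ session, battery: null }));
}

// True when the key splits the sessions into more than one group, i.e. it
// carries information that can tell one device from another.
function keyDistinguishesDevices(records) {
  return groupByKey(records).size > 1;
}

// The two "device 1" sessions share a key even though one is a private window.
console.log(groupByKey(visits));
console.log(keyDistinguishesDevices(visits));
console.log(keyDistinguishesDevices(withApiDisabled(visits)));
```
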