The flaw resides mainly in the Battery Status API available on most smartphones. The API is part of the set of protocols defined in HTML5, which is the current language of the internet. Without the user's knowledge, this API provides web browsers such as Google Chrome and Firefox with sensitive information about the smartphone. The API also helps in activating a power-saving mode, which helps smartphone users get more out of their devices.
How severe is the flaw?
The Battery Status API can extract several pieces of information about the device's battery, including the battery level, the charging time and the discharging time. Combined, these values create a digital fingerprint of the device, which potential attackers can use to track users' activities on the internet.
Recent studies on battery status
A recent study of the Battery Status API was conducted by four researchers from France and Belgium. The research paper is titled "The leaking battery: A privacy analysis of the HTML5 Battery Status API". The researchers concluded that the Battery Status API can serve as a potential tracking identifier in the hands of notorious trackers.
The study showed that the HTML5 Battery Status API lets websites silently access the battery state of any device, from mobile devices to laptops. Most of this battery information is extracted from the devices without the knowledge of the users. The API is extremely dangerous to privacy, as it requires no permission to send out the details.
The study also showed that the API as implemented by the Firefox browser enables fingerprinting and tracking of devices over short time intervals. The researchers found the same results on other popular web browsers such as Chrome and Opera. The only web browser with a strong defense against fingerprinting through the Battery Status API is Tor Browser, which disables the API completely and so stops any fingerprinting attempts that rely on it.
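The following sketch, added here and not taken from the article or the research paper, shows the exposure from a defender's side: it joins the battery level, charging time and discharging time into one comparable value, then replaces the API's answers with fixed defaults so that two devices look the same. The function names and the two sample devices are constructed for illustration; the neutral values are the defaults the Battery Status specification uses when no battery data is reported.

```javascript
// Added example; readoutKey, neutralizeBattery and mockNavigator are hypothetical names.
// Defaults the Battery Status specification uses when no real battery data is reported.
const NEUTRAL = Object.freeze({
  charging: true, chargingTime: 0, dischargingTime: Infinity, level: 1,
});

// Join the readouts the article lists into the single value a page could
// compare between visits. Returns null when the API is not exposed at all.
async function readoutKey(nav) {
  if (typeof nav.getBattery !== "function") return null;
  const b = await nav.getBattery();
  return [b.level, b.chargingTime, b.dischargingTime].join("|");
}

// Mitigation: shadow getBattery so every caller receives the same neutral values.
// Returns false when there was nothing to replace.
function neutralizeBattery(nav) {
  if (typeof nav.getBattery !== "function") return false;
  Object.defineProperty(nav, "getBattery", {
    value: () => Promise.resolve(NEUTRAL),
    writable: false,
    configurable: false,
  });
  return true;
}

// Constructed stand-in for a browser that exposes the API without any permission prompt.
function mockNavigator(level, chargingTime, dischargingTime) {
  return {
    getBattery: () =>
      Promise.resolve({ charging: false, level, chargingTime, dischargingTime }),
  };
}

// Two constructed devices: distinguishable before the mitigation, identical after it.
async function demo() {
  const a = mockNavigator(0.43, Infinity, 8940);
  const b = mockNavigator(0.91, Infinity, 20220);
  const before = [await readoutKey(a), await readoutKey(b)];
  neutralizeBattery(a);
  neutralizeBattery(b);
  const after = [await readoutKey(a), await readoutKey(b)];
  const disabled = await readoutKey({}); // a browser that removes the API entirely
  return { before, after, disabled };
}
```

In a real browser a page-level shim like this only helps if it runs before every other script on the page; disabling the API in the browser itself, as described for Tor Browser, has no such ordering dependency.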