Researchers reveal that a flaw in an HTML5 API can be used to track users across the web
A new report has claimed that smartphone batteries are broadcasting information that could be used to identify and track their user online – even if they follow strict security procedures – when using browsers including Firefox, Chrome and Opera.
This is due to a flaw in HTML5, the web standard used to create many of the most popular mobile apps around today, and in particular in the API used to display a battery’s status.
The report, entitled “The leaking battery: A privacy analysis of the HTML5 Battery Status API” and authored by four French and Belgian researchers, claims that this API in HTML5, particularly when using Firefox, lets websites know how much battery is left in a user’s phone. The API is primarily intended to help sites preserve battery life when it is running low on the device, but this information can be used to identify phones as they move around the internet, allowing people to be tracked.
The websites are sent both the estimated time in seconds that the battery will take to fully discharge, as well as the remaining battery capacity expressed as a percentage. These could be combined into any one of around 14 million combinations, meaning that they operate as a potential ID number.
The report warns that anyone wanting to track a certain device would simply have to set up a monitoring station to wait for these numbers to appear on a website. The user’s viewing history could then be tracked as they move around websites.
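As an added illustration (not code from the report or from this article), the JavaScript below models battery readings as plain objects so it runs outside a browser. It shows why the pair of values acts as a short-lived identifier and how exposing coarser values shrinks it. The sample readings, bucket sizes and function names are constructed assumptions; `level` and `dischargingTime` are the Battery Status API fields for the two values described above.

```javascript
// Added example. Readings are plain objects with the two BatteryManager fields
// the article describes, so this runs in Node without a browser.
// All sample values below are constructed.
const SAMPLE = [
  { level: 0.43, dischargingTime: 8940 },
  { level: 0.44, dischargingTime: 9120 },
  { level: 0.87, dischargingTime: 20340 },
  { level: 0.41, dischargingTime: 8700 },
  { level: 0.13, dischargingTime: 2280 },
];

// The value pair as a site would see it: level (0..1) and seconds to empty.
function readingKey(r) {
  return `${r.level}|${r.dischargingTime}`;
}

// Illustrative mitigation (bucket sizes are assumptions): expose only coarse
// values. dischargingTime is Infinity while charging; that passes through.
function coarsen(r, levelBuckets = 10, timeStepSec = 900) {
  const lb = Math.round(r.level * levelBuckets);
  const tb = Math.round(r.dischargingTime / timeStepSec);
  return { level: lb / levelBuckets, dischargingTime: tb * timeStepSec };
}

// Group devices by the key they expose; each group is an anonymity set.
function anonymitySets(readings, transform = (r) => r) {
  const sets = new Map();
  for (const r of readings) {
    const key = readingKey(transform(r));
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Devices whose key nobody else shares can be singled out by it.
function uniquelyIdentifiable(readings, transform) {
  let n = 0;
  for (const count of anonymitySets(readings, transform).values()) {
    if (count === 1) n += 1;
  }
  return n;
}

console.log("unique with raw values:", uniquelyIdentifiable(SAMPLE));
console.log("unique after coarsening:", uniquelyIdentifiable(SAMPLE, coarsen));
console.log([...anonymitySets(SAMPLE, coarsen)]);
```

With the raw values every constructed device is distinguishable; after coarsening, three of the five fall into the same anonymity set.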
The authors of the report, Lukasz Olejnik, Gunes Acar, Claude Castelluccia and Claudia Diaz, have called for new regulations that would allow users to make sites ask permission before they see the battery information, as well as suggesting that more information should be given to users about how the battery status software is used.
“The analysis of Web standards, APIs and their implementations can reveal unexpected Web privacy problems by studying the information exposed to Web pages,” the authors concluded.
“The complex and sizable nature of the new Web APIs and their deeper integration with devices make it hard to defend against such threats. Privacy researchers and engineers can help addressing the risks imposed by these APIs by analysing the standards and their implementations for their effect on Web privacy and tracking. This may not only provide an actionable feedback to API designers and browser manufacturers, but can also improve the transparency around these new technologies.”