Web Users Are Still Being Tracked By Their Smartphone’s Battery Status

A feature in HTML5 used by websites to monitor battery levels of mobile devices has been found to track the online activity of users, security researchers have revealed.

The Battery Status API, a feature first introduced in HTML5, exists so websites can see the amount of juice a visiting user has remaining on their device, and decide to serve a less power intensive version of the site if required.

Fingerprinting

But security experts from Princeton University found that the Battery Status API was being used by trackers as a ‘fingerprinting vector’ – essentially, the researchers found tracking scripts that used the API to ‘fingerprint’ devices, thereby gaining the ability to track that device’s web habits.

Lukasz Olejnik, a security and privacy research engineer, warned that this could happen back in 2015. The World Wide Web Consortium (W3C), which regulates web standards, acknowledged Olejnik’s (and his peers’) research, and a fix was implemented to the Firefox browser.

Olejnik called for new regulations that would allow users to make sites ask permission before they see the battery information, as well as suggesting that more information should be given to users about how the battery status software is used.

“The analysis of Web standards, APIs and their implementations can reveal unexpected Web privacy problems by studying the information exposed to Web pages,” the authors concluded.

But this week, Olejnik penned a new blog post, explaining how the API is still being used to track users.

“Expected or not, battery readout is actually being used by tracking scripts, as reported in a recent study. Some tracking/analysis scripts (example here) are accessing and recovering this information,” he said.

“Additionally, some companies may be analyzing the possibility of monetizing the access to battery levels. When battery is running low, people might be prone to some – otherwise different – decisions. In such circumstances, users will agree to pay more for a service.

“As a response, some browser vendors are considering to restrict (or remove) access to battery readout mechanisms.”

Take our ARM quiz here!