It almost seems impossible. How on earth could a smartphone battery be used to identify smartphone users? Believe it or not a buggy API is behind the latest security scare, which could out mobile web users based on how much battery power is left in their phone.
The HTML5 specification was finalized by the World Wide Web Consortium (W3C) back in 2012. Part of the specification included the Battery Status API. The intent behind the API is noble: it is meant to help improve smartphone battery life. When smartphone owners navigate to a specific web site, the site uses the API to check the device's battery life. If the site sees the battery is running low, the web site will scale back certain features to protect the battery.
Sadly, the battery Status API does its job a bit too well. The site can read the remaining battery life discharge rate down to the second, and the remaining percentage exactly.
Security researchers in Belgium and France have disovered the API, used in Chrome, Firefox, and Opera mobile browsers, is able to suss out enough information from battery life checks to individualize smartphones. Essentially, the API lets web sites combine the battery discharge rate and percentage data over time. Because the numbers can be paired in about 14 million different combinations, they can be used to create identification numbers. The more often a mobile device returns to the web site in question, the more easily it can be identified by the site.
"Users who try to revisit a web site with a new identity may use browsers’ private mode or clear cookies and other client side identifiers," explained the researchers. "When consecutive visits are made within a short interval, the web site can link users’ new and old identities by exploiting battery level and charge/discharge times. The web site can then reinstantiate users’ cookies and other client side identifiers, a method known as respawning."
In other words, using standard techniques, such as clearing the browser history and cookies, and even visiting sites in browsers' private mode, do nothing to protect against this particular exploit. VPN's won't protect users, either. Worse still, continued browsing to web sites can lead to semi-permanent identification markers for smartphones.
When the W3C crafted the Battery Status API, it decided mobile browsers don't need to ask user permission to check battery life. At the time, it argued "the information disclosed has minimal impact on privacy or fingerprinting, and therefore is exposed withouth permission grants." The Belgian and French researchers heartily disagree.
Thankfully, the researchers have suggested a potential fix: make the API less specific. If the Battery Status API is dumbed down a bit by rounding the battery discharge rate numbers to whole minutes rather than seconds, it will dramatically reduce the API's ability to definiteively identify individual devices without impacting its stated goal.
The W3C has not yet responded publicly to the researchers' claims.