How Battery Status API can be a Potential Breach of Your Security

Imagine your privacy being compromised through something that you never thought had anything to do with your privacy and security – your laptop’s or your smart phone’s battery status! Yes, it is a little known fact that the Battery Status API, used by HTML5 in most of its websites, gives out information related to battery life of the device on which it is being used and through that the users of particular browsers and sites can be tracked online.

Until recently, the decision to share such information without the knowledge of users was not a problem on grounds that it did not involve any security concerns. Also, it is a part of the battery status API that is a standardized feature of HTML5, as set by the W3C Consortium.

The W3C has created a standardized open web platform meant for application development, which enables developers across the world to build rich, entertaining and interactive web experiences and make them available on any device. Although, the platform as a whole is growing rapidly, its activities are reliant on a number of other technologies created by W3C like CSS, XML, the Semantic Web Stack and several other APIs and protocols. All activities on the platform, regarding application development or web services or even browsers are governed by standards and rules set by the W3C. So what exactly is the need for such standards?

Need for standardization

Standards, in general, are basically meant to make sure that products and services work safely and as intended. They direct efforts towards their goal constantly and consistently. The process of standardization in the web world and the set standards, work together towards the same goal, which is to provide a consistent and reliable base for use and reuse in future. Some of the benefits of standardization are:

• Safety and reliability – Adherence to standards, as mentioned before, helps to ensure safety and reliability and also even environmental care. Users generally perceive standardized products and services to be more dependable, which in turn increases their confidence in the product or service. This leads to more different kinds of new technologies to be accepted and used.
• Interoperability – Devices and technologies are able to work together only with the help of the set standards. It provides a base for them to rely on, while working as a group.
• Business benefits – Standards provide a solid base or foundation upon which new and improved technologies can be developed and also already existing ones can be modified or improved. They also help in encouraging innovation and increasing awareness of technical developments and other such initiatives.
• Consumer choice – Standards set the base for new options and features to be added to existing technologies as well, which contributes to the enhancement of our daily lives. When more products are produced based on the standards, it adds to the great variety of products accessible to the consumers.

In a world where there are no standards –

• Products may not work as expected and may be of inferior quality
• They may be incompatible with other equipment
• In some extreme cases, products may even prove to be dangerous
• Customers may stick to a single manufacturer or supplier
• Manufacturers may have to create their own individual solutions for even the simplest needs without any opportunity to compete with others

Standardization makes it easier to set prices, implement the best practices and track the quality of products and services. It also helps to build the reputation of an organization.

Standardization in the world of Information Technology

In the world of Information Technology, standardization becomes more important as there is a need for collaboration between various technologies and artifacts. Commonly used norms or practices may be set as standards, or vendors at the top of the chain set the standards and others follow.
For example, a large organization may set some practices as standards for interacting with their software and all the vendor organizations may be forced to follow them too. Interfaces of IT solutions need to be standardized at any cost so that interaction is possible with any software. An Internet standard, once set, is supported and used by the entire internet community. The starting point for internet standards is the Request for Comments (RFC). RFCs contain proposals for establishing new standards or revising existing ones. In order to include the Internet community, RFCs are published online free of charge by the IESG (Internet Engineering Steering Group) or IAB (Internet Architecture Board).

The various standardization levels (or maturity levels) are as follows:

• Internet draft – which is submitted by an individual or a working group
• RFC proposed standard – which are drafts approved by the IESG or the IETF(Internet Engineering Task Force). As a prerequisite, the proposed standards are required to have at least two independent and interoperable implementations within 6 months.
• RFC Internet standard – After sufficient experience with implementations, the IAB establishes a status for every standard such as required, elective, recommended, limited use or not recommended, which characterizes its meaning.

Different parts of an IT solution may be built or created by different stakeholders. For example, a browser created by Google may use additional softwares or plugins integrated within itself in order to include extra functionalities like video downloader, advertisement blocker, security mitigating etc. In this case, Google would be providing the standard for the other softwares or plugins to interact with its browser.

Standardization for HTML5 by W3C

HTML5 is a core technology markup language used for structuring, developing and presenting content for the World Wide Web. It was intended to subsume HTML4, XHTML and also DOM Level 2 HTML. The previous standards were revised in order to improve usability and to include more features and functionalities.

This standard was set by the W3C Consortium as part of its attempt to bring about compatibility and agreement between the various industry members. As different incompatible versions of HTML were being offered by different vendors, it led to inconsistencies in the display of web pages. The W3C Consortium thus introduced a set of core principles and standards to be followed by all vendors. The various stages in the development of such standards by the W3C are as follows:

• Working draft – which is openly accessible and open to comment
• Candidate recommendation – where minor changes are accepted and implementations are developed
• Proposed recommendation – where implementations are evaluated with sufficient documentation
• Recommendation – After approval by the W3C committee

All W3C drafts and recommendations are available online anytime.

The standards act as guidelines for the developers of web browsers and are not binding. The developers follow these guidelines by making minor variations in order to distinguish themselves from others.

The Battery status API is one such standard set by the W3C in an attempt towards providing interactive and convenient web experiences to users.

The Battery Status API

A battery API basically allows an application to interact with the device being used (smartphone or laptop) and access information related to the battery life of the device. The HTML5 Battery Status API also does the same. By allowing access to battery status information to websites, they can switch between energy-saving and high performance modes. Hence, this API was designed to allow users to switch modes according to the life of their device’s battery thereby increasing the affordance of the users. The browsers are also able to adapt themselves to the changing device battery levels.

According to the Security and Privacy Considerations section of the W3C specification that describes the Battery Status API, “The information disclosed has minimal impact on the privacy or fingerprinting and therefore, is exposed without permission grants.” This implies that such sharing of information without the user’s knowledge or consent was considered legitimate for a long while as it did not create any security or privacy concerns.

A recent paper by Lukasz Olejnik, Gunes Acar, Claude Castelluccia and Claudia Diaz, called “The Leaking Battery”, proves this assumption wrong. The study analyzes how the battery status API, with capacity of the battery as well as its level, exposes a certain fingerprintable surface which can be used to track web users in short periods of time. The API uses the battery level, the charging time which is the predicted time to charge and the discharging time which is the predicted time to discharge. It is through this data that the users can be tracked online. This API is supported by Firefox, Chrome as well as Opera browsers. This particular study focuses on the browser, Firefox working with the Linux operating system. It said that their report on this issue was accepted and that a fix was deployed.