
Battery power alone can be used to track Android phones - joosters
http://www.bbc.co.uk/news/technology-31587621
======
SifJar
The article mentions that the required permissions are "very common
permissions", and then in the next paragraph says that 179 apps on the Google
Play store require those permissions. As of July 2014, there were 1.3 million
apps in the app store [1]. That's ~0.014% of the apps on the store. Not
exactly "very common" in my mind. Although the remark that they are "unlikely
to raise suspicion" is valid, especially for the typical consumer, who
probably isn't reading the permissions anyway.

[1] -
[http://en.wikipedia.org/wiki/Google_Play#Android_application...](http://en.wikipedia.org/wiki/Google_Play#Android_applications)

~~~
romaniv
I am very surprised there is still no mass outrage over Android permissions.

1. They are not properly named or explained. And no, this shouldn't be on
some obscure website. This should be right there, in the menu that asks for
them.

2. There is no way to filter apps in the play store by permissions. This
isn't just a privacy thing. Apps that require the least permissions are often
least bloated and the most skillfully written.

It's obvious that both of these things are deliberate, it's obvious that this
is an issue, and no one cares.

~~~
Sidnicious
Also, there's no way to download an app but deny it some permissions. iOS gets
this right: apps don't get to ask for any permissions when you download them,
they have to request them at runtime and the user can deny any of them (and
the app is still expected to function)

~~~
TazeTSchnitzel
This was briefly added in Android 4.something, but Google removed it.

~~~
digi_owl
Appops. Supposedly there as a test system for apps. I guess to see if they
would crash in case of malformed data from sensors etc.

Some OEMs, like Huawei, offer similar functionality on their products.

~~~
heywire
It is possible to "activate" this functionality on some phones as well. I have
it enabled on my Samsung Galaxy S4, which is rooted, but otherwise is running
the stock ROM (though not by choice).

------
PJDK
This is really selling a quite interesting intellectual effort on meaningless
paranoia. Who would have any interest in tracking people in this manner?

Any government based group can grab the data much more conveniently via the
phone towers. Anyone else? Well you've got to trick someone into downloading
this thing, so it's probably not that good for targeting a specific
individual.

If you can think up some nefarious scheme which involves grabbing lots of
people's locations, just get permissions to use GPS or cell location, way more
apps have that privilege. I'm not sure what you do with it afterwards though.

New research reveals people can be tracked just by watching where they go...

~~~
JoachimS
Not sure if the "Who would have any interest in tracking people in this
manner?" is really relevant. Based on the collect all, hoover all metadata etc
that seems to be going on, _anything_ remotely possibly useful seems to be
interesting.

And the big thing is that this data can of course (and will be) correlated
with things like cell tower location, wifi hotspots all kinds of other
metadata.

~~~
digi_owl
Makes one wonder what STASI could come up with had it still been operating...

~~~
PhantomGremlin
Given how bad NSA and GCHQ (the presumed good guys) have been, STASI would
have truly been frightening. They probably would have terrified Sauron.

------
joosters
Original research paper:
[http://arxiv.org/abs/1502.03182](http://arxiv.org/abs/1502.03182)

PDF link:
[http://arxiv.org/pdf/1502.03182v1.pdf](http://arxiv.org/pdf/1502.03182v1.pdf)

~~~
jawns
This snippet (from the PDF) reveals the effectiveness of the technique:

"To evaluate the first algorithm for distinguishing routes we recorded
reference profiles for several different routes. We used a dataset of 43
profiles for 4 different routes about 19 kilometers each. Driving in different
directions along the same roads (from point A to B vs. from point B to A) is
considered two different routes. We perform a leave-one-out cross validation,
each time using one of the profiles for testing. Figure 5 is a confusion
matrix, which shows a high success rate in classifying the routes. The
achieved successful classification rate in this case was 93%."

So, given a bunch of known routes (like a stretch of highway), this algorithm
is able to match your phone's battery-usage signature to one of those routes,
sort of like how a service like SoundHound is able to identify a piece of
music based off of a few seconds' recording.

~~~
ttty
But that's if the battery discharges exactly the same. I think that is not the
case, for example the battery when it is at 50% might discharge (doing the exact
thing) differently than when it is at 20%. Maybe the battery is not well
calibrated or the internal parts of the battery are more wasted than others.

~~~
jahnu
I would guess that even if the curve is different from say 50% to 40% than 20%
to 10% for the same journey it would be easy enough to normalise the data
after profiling a couple of phones.

~~~
ttty
Plus continuous change, but not even, would not be that easy.

------
wcdolphin
This is a 'tour de force' study for sure, but has a very limited scope (and
reliability)- First, it only works if the attacker knows both the route(s)
ahead of time _and_ the power consumption profile of the routes, which
requires careful mapping of the region with a recording device. Second, its
accuracy degrades drastically depending on the number of apps running -- they
only tested with background apps, which already rendered the method only
slightly better than a random guess, with an arbitrary app running in the
foreground the power consumption goes bananas and so does their method.

Storm in a glass of water, if you ask me.. (But you wouldn't know this by
reading that abstract alone ;))

-@r2r

------
S_A_P
Maybe I am a bit dense here, but how does battery drain map to a location?
What would they be cross referencing to gather location?

All I can gather is that they would also need to know what tower you were
talking to, and then based on the drain they could probably guess where you
were based on some heuristic. Meaning, if you are talking to tower x, and the
battery drain is high, you could guess that you are either far from the tower
or indoors somewhere. It still seems to me that this is dubious at best. I get
that technology is always changing, but wouldn't it just be easier to exploit
a security hole?

~~~
wongarsu
As you move, your distance to the closest cell tower changes. You also move
past signal obstacles, so the change in signal strength isn't linear. They
claim that these changes are characteristic enough that you can track movement
that way.

~~~
S_A_P
I get that part and to some degree understand. Maybe I am misinterpreting the
"track your location" as something more accurate than "this person is in a 10
mile radius of this tower". For instance, wouldn't you need to know details of
how different buildings are constructed? If you are in a busy downtown area,
tracking with this method seems impossible. I could see if it was a remote
area with few buildings to sift through.

~~~
wongarsu
Yes, it's not as trivial as just grabbing the data and running a generic
algorithm. Ideally you would want to measure all routes where you want to
track people. Kind of like how google knows where every wifi access point is
and uses that for location information.

Also, you need people to move. Because you only have power data, you only know
the approximate signal strength if the person isn't moving.

~~~
S_A_P
That makes more sense. So to me, the headline reads as "Location can be
tracked just by measuring battery usage" when in reality it's "Location can be
tracked if: A) they know the tower you are speaking to B) they have
information on how buildings are constructed in this area C) You move around
D) they have some other crowdsourced info about how much power is required to
talk to the tower you are connected to."

I can see this "technique" being used in an episode of NCIS, CSI or similar
cop show. <plot> We need to find this guy, but all we have is his cell number.

Police tech #1 "Sure no problem, I will just connect to his phone and measure
the battery drain..... Got him, he is Downtown at 5th and Main- let's go arrest
him!!!" </plot>

~~~
quickyaccnt
The article links the article where the authors suggest they don't need to
know which tower you're connected to (in which case you could get a more
accurate location from the towers themselves). They assume the only information
you have _from_ the phone is the power usage. However, they also assume the
attackers have a general idea of your habits, and can therefore map out cell
reception in the city where you live.

The "general habits" assumption seems implausible, but it isn't. Let's say you
want to track all the citizens of the Bay Area. You know that, in general, ppl
from the Bay area are in the Bay Area. Therefore, you map the cell reception
in Bay area. You also take note of major transportation routes and patterns.
Now, if you want to track a particular target, all you'll need is their power
usage.

------
egeozcan
So what makes this specific to Android phones? Developers can't (get
permission to) access this information on other platforms?

~~~
tomkinstinch
It's available on iOS:

[https://developer.apple.com/library/ios/documentation/UIKit/...](https://developer.apple.com/library/ios/documentation/UIKit/Reference/UIDevice_Class/#//apple_ref/occ/instp/UIDevice/batteryLevel)

~~~
feld
No it's not. That does not expose voltage and current.

The research paper says they're doing this ...

    
    
      ... by repeatedly reading the following two files:
      /sys/class/power_supply/battery/voltage_now
      /sys/class/power_supply/battery/current_now
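
A defender-side check for the two files named above, as an added example that is not part of the original comment or the paper: it reports whether `voltage_now` and `current_now` under a power-supply directory are readable by any user according to their mode bits. The helper name `audit_power_supply` is an assumption; mode bits are only part of the picture on Android, where SELinux policy can restrict access further.

```shell
#!/bin/sh
# Added example (not from the thread or the paper): list the battery telemetry
# files the paper reads and say whether their mode bits let any user read them.
# audit_power_supply is a hypothetical helper name.
# Usage:  audit_power_supply [ROOT]   (ROOT defaults to /sys/class/power_supply)
# Output: one line per file found: "<path> <octal mode> <verdict>"
audit_power_supply() {
    root="${1:-/sys/class/power_supply}"
    for supply in "$root"/*; do
        [ -d "$supply" ] || continue           # also skips an unmatched glob
        for leaf in voltage_now current_now; do
            f="$supply/$leaf"
            [ -e "$f" ] || continue            # not every supply exposes both
            # GNU/toybox stat first, BSD stat as a fallback
            mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || mode=""
            other="${mode#"${mode%?}"}"        # last octal digit = "other" bits
            case "$other" in
                4|5|6|7) verdict="WORLD-READABLE" ;;
                "")      verdict="unknown" ;;
                *)       verdict="restricted" ;;
            esac
            echo "$f ${mode:-?} $verdict"
        done
    done
    return 0
}

# Run against the live sysfs tree, or against a directory given as argument.
audit_power_supply "$@"
```

A `WORLD-READABLE` verdict means the file's permission bits do not stop an unprivileged process from polling it; `restricted` means access depends on owner or group membership.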

~~~
tomkinstinch
Not at a simplistic level, no, but voltage you could derive from the discharge
curve of a characterized battery (since we know fraction of charge remaining),
and current could probably be approximated by looking at the rate of
discharge.

------
lm2s
What a sensationalist headline... The results of the study can only be
achieved under a very controlled environment and even then they're not
accurate. From a practical point of view this is irrelevant when there are
other ways of getting a user location that are far more accurate and easy. But
from an academic point of view I can see the interest.

------
marypublic
Seriously? Have you not heard of side channel and timing attacks? This is
called information leakage and is a big deal. Because it is not common/easy
_now_ doesn't mean it won't be in the future. The nature of information
disclosure (whether data or metadata) is that people find "impractical"
methods of accessing information we might prefer they not have, then make them
practical. It may also be the case that the researchers cannot make it
practical, but that doesn't mean there aren't actors who can and possibly have
already done this.

This is a very useful article OP, thank you for posting

------
lumisota
[http://www.phdcomics.com/comics.php?n=1174](http://www.phdcomics.com/comics.php?n=1174)

~~~
triangleman
The p-value of 0.56 is a joke right?

~~~
the_imp
It's not a p-value, it's Spearman's rho, or rank correlation coefficient. It's
a value in [-1,1] and when deviating from zero indicates a statistically
dependent relationship:
[http://en.wikipedia.org/wiki/Spearman%27s_rank_correlation_c...](http://en.wikipedia.org/wiki/Spearman%27s_rank_correlation_coefficient)

------
yablee
Isn't the assumption that "the noise of playing music, social media, etc" is
not correlated with the phone's location, pretty weak? I know I have distinct
patterns of when I scroll up twitter or listen to music, which depend on where
I am..

------
jchrisa
I'm thinking about when Whistler decodes the kidnapper's route in Sneakers.

------
scarygliders
The first thing that popped into my head to get around this technique - and in
one fell swoop would defeat all others - was : "Switch the phone off and
remove the battery".

Of course, as soon as you turn the phone back on again, your adversary can
pinpoint your location.

I guess the best overall solution would be to eschew having a phone at all.

------
xer
Just ask the user for their location right away. Most don't care anyway.

------
raverbashing
I think this has the potential to be as good as the location of MH370 by
satellite data

Basically, locate the user over a wide range of possible locations.

I wouldn't lose my sleep over this, really

