Uber is watching your smartphone's battery charge

Browser vendors' Battery API deprecation can't come soon enough

Browser authors are abandoning the invasive Battery API W3C specification, but not everybody's got the memo: Uber, for example, still watches battery status.

The not-an-employer, not-a-taxi-company's app checks battery status and remaining battery, with the explanation that the feature is used for fraud detection. The discovery came courtesy of Paul Dehaye of PersonalData.io, who made a request under European law for data Uber collected about him (published at GitHub, here).

As Lukasz Olejnik (the University College, London security researcher and consultant who tipped Vulture South to the story) notes, that could be a reasonable explanation because battery information could help Uber confirm that a user is real.

For example, if someone was impersonating another Uber subscriber, two requests at nearly the same time from devices with wildly-varying battery charge would help raise an alert to a fraud.

Fair enough: but Olejnik also points out, the battery information can help build intrusive user profiles – that's why Chrome, Firefox and WebKit are moving to deprecate the API. That prompted The Register to ask Uber if loss of the API would harm its anti-fraud efforts.

However, it's also true that Uber – like most players in the “app economy” – is an enthusiastic profiler of its users. As has also been reported this week, the Electronic Privacy Information Center in the United States is upset that its app is tracking users' locations when they're not using the service.

The Register notes that the extra privacy risk, in the circumstances, is minimal. As we reported in August 2016, the main risk from the Battery API is that users could be uniquely identified by the behaviour of their battery – but Uber's already got your identity.

That made Olejnik suspect it's more likely to be that the car-hire service is fooling around with using battery status as an input to its charging: if you were trying to raise a driver at half-past-midnight after the New Year's Eve fireworks, would you pay more if you only had 11 per cent battery remaining?

Or it could simply be that developers in the app economy can't resist grabbing everything, whether they need it or not.

The rest of the data Dehaye turned up is less remarkable: payment information collection is a given, and most of the mobile device information is the kind spaffed to all and sundry by Android's device API (called from android.os). ®

Similar topics

Other stories you might like

  • While the iPhone's repairability is in the toilet, at least the Apple Watch 7 is as fixable as the previous model

    Component swaps still a thing – for now

    Apple's seventh-gen Watch has managed to maintain its iFixit repairability rating on a par with the last model – unlike its smartphone sibling.

    The iFixit team found the slightly larger display of the latest Apple Watch a boon for removal via heat and a suction handle. Where the previous generation required a pair of flex folds in its display, the new version turned out to be simpler, with just the one flex.

    Things are also slightly different within the watch itself. Apple's diagnostic port has gone and the battery is larger. That equates to a slight increase in power (1.094Wh from 1.024Wh between 40mm S6 and 41mm S7) which, when paired with the slightly hungrier display, means battery life is pretty much unchanged.

    Continue reading
  • Better late than never: Microsoft rolls out a public preview of E2EE in Teams calls

    Only for one-to-one voice and video, mind

    Microsoft has finally kicked off the rollout of end-to-end-encryption (E2EE) in its Teams collaboration platform with a public preview of E2EE for one-to-one calls.

    It has been a while coming. The company made the promise of E2EE for some one-to-one Teams calls at its virtual Ignite shindig in March this year (https://www.theregister.com/2021/03/03/microsoft_ups_security/) and as 2021 nears its end appears to have delivered, in preview form at least.

    The company's rival in the conference calling space, Zoom, added E2EE for all a year ago, making Microsoft rather late to the privacy party. COO at Matrix-based communications and collaboration app Element, Amandine Le Pape, told The Register that the preview, although welcome, was "long overdue."

    Continue reading
  • Recycled Cobalt Strike key pairs show many crooks are using same cloned installation

    Researcher spots RSA tell-tale lurking in plain sight on VirusTotal

    Around 1,500 Cobalt Strike beacons uploaded to VirusTotal were reusing the same RSA keys from a cracked version of the software, according to a security researcher who pored through the malware repository.

    The discovery could make blue teams' lives easier by giving them a clue about whether or not Cobalt Strike traffic across their networks is a real threat or an action by an authorised red team carrying out a penetration test.

    Didier Stevens, the researcher with Belgian infosec firm NVISO who discovered that private Cobalt Strike keys are being widely reused by criminals, told The Register: "While fingerprinting Cobalt Strike servers on the internet, we noticed that some public keys appeared often. The fact that there is a reuse of public keys means that there is a reuse of private keys too: a public key and a private key are linked to each other."

    Continue reading

Biting the hand that feeds IT © 1998–2021