Researchers at Stanford say they can track an Android user’s location simply by gathering battery use data for a few minutes. While it’s of limited effect, they argue this could undermine the user permissions system on Android.
The researchers explored the idea that the cellular radio in a phone makes up a significant proportion of the total power use. Furthermore, the cellular radio’s power demand varies notably depending on the distance between the user and the nearest base station, plus the presence or absence of obstacles in the way such as buildings.
They initially believed it would not be possible to directly link battery and user location because the figures would be distorted by the other demands on the battery, depending, for example, on what apps the user was running.
However, the researchers found that because this other battery usage is not location dependent, it can take as little as two minute of tracking to be able to isolate that element of the battery usage fluctuation which is determined by location.
Fortunately the practical use of this method is extremely limited as it relies on the person tracking the location having already prepared a map of the area and gathered the data on how battery use would vary depending on location. In testing the theory, the researchers limited their goal to trying to work out which of a select number of routes the subject was taking, with results including:
- 93 per cent correct identification between four routes of around 19 kilometers;
- 90.2 per cent correct identification between seven routes of around 19 kilometers;
- 100 per cent correct identification of which of two directions subjects took along the same road; and
- 78 percent correct identification between two routes of around 20 kilometers in an area with more cell base stations.
Realistically then, it’s unlikely to be a useful tactic for would-be stalkers. However, the researchers say it does expose a limitation with Android app permissions. Any app that requires access to location data will require the user to grant explicit permission. However, the app the researchers developed only needs an Internet connection and access to power data. There’s a good chance that a credible-looking rogue application could get users to give these permissions without raising suspicion.