Yandex Browser Blog

Beware Evil APIs

7 December 2016, 16:01

Sometimes web standards are used for purposes other than those for which they were created. One example is the innocuous-seeming Battery Status API, which was intended to help users save power on their devices by allowing web sites to check a device’s battery level and switch to energy-saving mode when charge is low. Another use has been found, and it’s setting off alarm bells.

Princeton University researchers have published a paper showing that the Battery Status API can be used to fingerprint and track users online. The exact battery level is enough information for a user to be identified, even after changing their IP address, user agent and other pubic data. But that’s not the only problem.

Internet stores and services can misuse the battery information and raise the price on goods or services for a user when they see that a device’s charge is running low: the user is running out of time, has to hurry and can’t afford to shop around.

Even though Battery Status API is part of the HTML5 standard, we have decided to switch it off by default in Yandex Browser for Android. It can still be turned on manually, in case a user should need it for some reason.

By default we have also turned off Vibration API, which enables sites to make a user’s phone vibrate without even requiring any permission – something that extortionist sites exploit to scare and manipulate users.

If you know of useful services that utilise these APIs, please let us know. With the W3C community we plan to discuss new versions of standards taking into account not-so-obvious usage features.