Darren Pauli reports on The Register website that security researchers have discovered that the HTC One Max phone stored user fingerprints as clear text in a “world readable” folder that could be accessed by  other Apps.  The Samsung Galaxy S5 was also found to have similar vulnerabilities. The revelation was made by researchers presenting at the Black Hat security conference in Las Vegas earlier this month.  It was one of four situations in which biometric data on an Android phone could be accessed by hackers.  In one scenario they showed how attackers could have money transfers authenticated by getting a user scan their fingerprints on a fake login screen to unlock the device. A link to the original research paper can be found here.

HTC Phone Stored Fingerprints as Clear Text

Mark Stockley reports on the Sophos Naked Security website that the HTML5 battery status API (Application Program Interface) on mobile phones can be used to track the phone user. The technique in a recently released paper, relies on the fact that browsers such as Chrome, Firefox and Opera will provide information about battery status to any website that asks for it, without asking the phone users permission.  The information given up is a series of values covering discharging and charging.  However, it is very unlikely that two or more users will have the same value in a short time frame thus effectively making it a unique identifier for the device. These battery values are usually very short-lived; however, they could last long enough to allow a tracking website to respawn deleted cookies and defeat incognito modes.  Currently the only browser that offers protection against battery tracking is the Tor browser […]

How your Battery Life could be used as an Undeletable ...

Ryan Whitwam reports on the ExtremeTech website that researchers have found a way to track android phones by studying their power use over time. The technique works on the principle that the further away a phone is from a base station, the more power the phone uses to maintain a connection.  Researchers called their proof of concept application PowerSpy.  Before it can be used a power map of an area has to be established so that PowerSpy knows what performance to expect in a particular location. Although making a call or using apps will also drain power, the algorithm used in PowerSpy is designed to monitor power use over several minutes, so that battery usage not associated with location can be filtered out.

Battery Power Alone Can be Used to Track Android Phones