Smart­phone users might balk at let­ting a ran­dom app like Can­dy Crush or Shaz­am track their every move via GPS. But researchers have found that Android phones reveal infor­ma­tion about your loca­tion to every app on your device through a dif­fer­ent, unlike­ly data leak: the phone’s pow­er consumption.

Researchers at Stan­ford Uni­ver­si­ty and Israel’s defense research group Rafael have cre­at­ed a tech­nique they call Pow­er­Spy, which they say can gath­er infor­ma­tion about an Android phone’s geolo­ca­tion mere­ly by track­ing its pow­er use over time. That data, unlike GPS or Wi-Fi loca­tion track­ing, is freely avail­able to any installed app with­out a require­ment to ask the user’s per­mis­sion. That means it could rep­re­sent a new method of stealth­ily deter­min­ing a user’s move­ments with as much as 90 per­cent accuracy—though for now the method only real­ly works when try­ing to dif­fer­en­ti­ate between a cer­tain num­ber of pre-mea­sured routes.

Spies might trick a sur­veil­lance tar­get into down­load­ing a spe­cif­ic app that uses the Pow­er­Spy tech­nique, or less mali­cious app mak­ers could use its loca­tion track­ing for adver­tis­ing pur­pos­es, says Yan Michalevs­ki, one of the Stan­ford researchers. “You could install an appli­ca­tion like Angry Birds that com­mu­ni­cates over the net­work but doesn’t ask for any loca­tion per­mis­sions,” says Michalevs­ki.  “It gath­ers infor­ma­tion and sends it back to me to track you in real time, to under­stand what routes you’ve tak­en when you drove your car or to know exact­ly where you are on the route. And it does it all just by read­ing pow­er consumption.”

Pow­er­Spy takes advan­tage of the fact that a phone’s cel­lu­lar trans­mis­sions use more pow­er to reach a giv­en cell tow­er the far­ther it trav­els from that tow­er, or when obsta­cles like build­ings or moun­tains block its sig­nal. That cor­re­la­tion between bat­tery use and vari­ables like envi­ron­men­tal con­di­tions and cell tow­er dis­tance is strong enough that momen­tary pow­er drains like a phone con­ver­sa­tion or the use of anoth­er pow­er-hun­gry app can be fil­tered out, Michalevsky says.

One of the machine-learn­ing tricks the researchers used to detect that “noise” is a focus on longer-term trends in the phone’s pow­er use rather than those than last just a few sec­onds or min­utes. “A suf­fi­cient­ly long pow­er mea­sure­ment (sev­er­al min­utes) enables the learn­ing algo­rithm to ‘see’ through the noise,” the researchers write. “We show that mea­sur­ing the phone’s aggre­gate pow­er con­sump­tion over time com­plete­ly reveals the phone’s loca­tion and movement.”

Even so, Pow­er­Spy has a major lim­i­ta­tion: It requires that the snoop­er pre-mea­sure how a phone’s pow­er use behaves as it trav­els along defined routes. This means you can’t snoop on a place you or a cohort has nev­er been, as you need to have actu­al­ly walked or dri­ven along the route your subject’s phone takes in order to draw any loca­tion con­clu­sions. The Stan­ford and Israeli researchers col­lect­ed pow­er data from phones as they drove around California’s Bay Area and the Israeli city of Haifa. Then they com­pared their dataset with the pow­er con­sump­tion of an LG Nexus 4 hand­set as it repeat­ed­ly trav­eled through one of those routes, using a dif­fer­ent, unknown choice of route with each test. They found that among sev­en pos­si­ble routes, they could iden­ti­fy the cor­rect one with 90 per­cent accuracy.

“If you take the same ride a cou­ple of times, you’ll see a very clear sig­nal pro­file and pow­er pro­file,” says Michalevsky. “We show that those sim­i­lar­i­ties are enough to rec­og­nize among sev­er­al pos­si­ble routes that you’re tak­ing this route or that one, that you drove from Uptown to Down­town, for instance, and not from Uptown to Queens.”

Michalevsky says the group hopes to improve its analy­sis to apply that same lev­el of accu­ra­cy to track­ing phones through many more pos­si­ble paths and with a vari­ety of phones—they already believe that a Nexus 5 would work just as well, for instance. The researchers also are work­ing on detect­ing more pre­cise­ly where in a known route a phone is at any giv­en time. Cur­rent­ly the pre­ci­sion of that mea­sure­ment varies from a few meters to hun­dreds of meters depend­ing upon how long the phone has been traveling.

The researchers have attempt­ed to detect phones’ loca­tions even as they trav­el routes the snoop­er has nev­er ful­ly seen before. That extra feat is accom­plished by piec­ing togeth­er their mea­sure­ments of small por­tions of the routes whose pow­er pro­files have already been pre-mea­sured. For a phone with just a few apps like Gmail, a cor­po­rate email inbox, and Google Cal­en­dar, the researchers were able deter­mine a device’s exact path about two out of three times. For phones with half a dozen addi­tion­al apps that suck pow­er unpre­dictably and add noise to the mea­sure­ments, they could deter­mine a por­tion of the path about 60 per­cent of the time, and the exact path just 20 per­cent of the time.

Even with its rel­a­tive impre­ci­sion and the need for ear­li­er mea­sure­ments of pow­er use along pos­si­ble routes, Michalevsky argues that Pow­er­Spy rep­re­sents a pri­va­cy prob­lem that Google hasn’t ful­ly con­sid­ered. Android makes pow­er con­sump­tion data avail­able to all apps for the pur­pose of debug­ging. But that means the data eas­i­ly could have been restrict­ed to devel­op­ers, nix­ing any chance for it to become a back­door method of pin­point­ing a user’s position.

Google didn’t respond to WIRED’s request for comment.

This isn’t the first time that Michalevsky and his col­leagues have used unex­pect­ed phone com­po­nents to deter­mine a user’s sen­si­tive infor­ma­tion. Last year the same researchers’ group, led by renowned cryp­tog­ra­ph­er Dan Boneh, found that they could exploit the gyro­scopes in a phone as crude micro­phones. That “gyro­phone” trick was able to to pick up dig­its spo­ken aloud into the phone, or even to deter­mine the speaker’s gen­der. “When­ev­er you grant any­one access to sen­sors on a device, you’re going to have unin­tend­ed con­se­quences,” Stan­ford pro­fes­sor Boneh told WIRED in August when that research was unveiled.

Stanford’s Michalevsky says that Pow­er­Spy is anoth­er reminder of the dan­ger of giv­ing untrust­ed apps access to a sen­sor that picks up more infor­ma­tion than it’s meant to. “We can abuse attack sur­faces in unex­pect­ed ways,” he says, “to leak infor­ma­tion in ways that it’s not sup­posed to leak.”

Read the full Pow­er­Spy paper below.

Pow­er­Spy: Loca­tion Track­ing using Mobile Device Pow­er Analy­sis by Andy Green­berg