Airplane Mode Won't Save You: Chinese Police-University Team Fingerprints Phone Apps From EM Leakage at 99.07% Accuracy
TL;DR
A Chinese police-university team says leaked low-frequency EM radiation from a phone reveals which app is running, with up to 99.07% accuracy.
A research team at the People's Public Security University of China says the low-frequency electromagnetic radiation leaking from a smartphone is enough to tell which app is running on it, with accuracy peaking at 99.07%. The paper appeared in the peer-reviewed journal Radioengineering on May 22, 2026 and was first flagged in English by the South China Morning Post on July 7.
The team tested three current flagships — iPhone 15 Pro, Xiaomi 15 Pro and Oppo Reno 13 — against a spread of everyday software: Douyin, WeChat video calls, Baidu Maps, SMS, browsers, the camera app and cloud storage clients. The authors wrote that the pipeline works as a non-contact digital-forensics tool and "can provide objective technical corroboration for evidence reinforcement in digital forensics and non-contact investigations." It does not need to touch the operating system, unlock the device or read any stored data. In the paper's setup, the side channel keeps leaking while the phone is offline, in airplane mode, encrypted or locked — the noise radiated by the CPU, display and power modules is itself the fingerprint.
Handset makers have spent a decade sealing the OS, encrypting messages and pushing biometrics into a Secure Enclave. This channel walks around all of it. The phone sends no packets and the attacker still knows the user just opened Douyin instead of WeChat video.
The article sits in Radioengineering vol. 35, no. 1. Earlier work in this space mostly targeted PIN recovery, keyboard reconstruction or per-device fingerprinting; this is the first result pushing app-level behaviour recognition to the 99% band. Outside the forensics scenario the authors frame, the same EM chain in the hands of a stalker, corporate rival or abusive partner draws a physical-layer see-through ring around any handset in the room.
via SCMP / Radioengineering
The team tested three current flagships — iPhone 15 Pro, Xiaomi 15 Pro and Oppo Reno 13 — against a spread of everyday software: Douyin, WeChat video calls, Baidu Maps, SMS, browsers, the camera app and cloud storage clients. The authors wrote that the pipeline works as a non-contact digital-forensics tool and "can provide objective technical corroboration for evidence reinforcement in digital forensics and non-contact investigations." It does not need to touch the operating system, unlock the device or read any stored data. In the paper's setup, the side channel keeps leaking while the phone is offline, in airplane mode, encrypted or locked — the noise radiated by the CPU, display and power modules is itself the fingerprint.
Handset makers have spent a decade sealing the OS, encrypting messages and pushing biometrics into a Secure Enclave. This channel walks around all of it. The phone sends no packets and the attacker still knows the user just opened Douyin instead of WeChat video.
The article sits in Radioengineering vol. 35, no. 1. Earlier work in this space mostly targeted PIN recovery, keyboard reconstruction or per-device fingerprinting; this is the first result pushing app-level behaviour recognition to the 99% band. Outside the forensics scenario the authors frame, the same EM chain in the hands of a stalker, corporate rival or abusive partner draws a physical-layer see-through ring around any handset in the room.
via SCMP / Radioengineering
