AccuWeather on iOS might be deceiving users and violating Apple’s developer terms of service, security expert Will Strafach has discovered. If you deny it access to location info, the popular app reportedly still sends WiFi data, namely your router’s name (SSID) and its BSSID (the access point’s MAC address), to a third-party ad firm called Reveal Mobile. Furthermore, the app may even be able to track you when it’s not open by using Bluetooth beacon data.
Strafach, well known for his early iOS jailbreak hacks, notes that he was actually researching a separate security problem in AccuWeather’s iOS app. However, during testing he discovered that the app sent data 16 times to Reveal Mobile, whose code is bundled in AccuWeather as a third-party SDK. According to the company’s own PR, it works as a way “to help app publishers and media companies extract the maximum value from their location data.” That can generate a lot of money for both Reveal Mobile and AccuWeather, he notes.
Furthermore, Reveal Mobile’s SDK may also collect user location data via Bluetooth beacons, Strafach believes. According to Reveal Mobile’s own product description, when you’re near one, it can figure out your location and turn the info into data it can sell. “While traditional lat/long audiences require the app to be open and running, detecting or ‘bumping’ beacons can occur when apps are not in use,” the company writes. “This allows Reveal Mobile to build larger, and more accurate, location-based audiences.”
Obviously, the company can generate more revenue if an app collects data even when users opt out. However, that “violate[s] user trust,” Strafach notes, and seemingly Apple’s developer agreement as well.
You may not track an end-user’s WiFi network usage to determine their location if they have disabled location services for your application. –Apple developer agreement.
Though collecting a router’s BSSID may seem innocuous, the FTC reached a settlement in 2016 with a company called InMobi over that same practice, he adds. “By collecting the BSSID (i.e., a unique identifier) of the WiFi networks that a consumer’s device connected to or was in-range of, and feeding this information into its geocoder database, InMobi could then infer the consumer’s location,” the FTC said, adding that InMobi also did this when users had opted out of location tracking.
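To make the FTC’s point concrete, here is an added example (not code from the article, AccuWeather or Reveal Mobile) of the two things a tester would want to do: scan a proxy-captured request body for BSSIDs that left the device while location was denied, and show how those BSSIDs, fed into a geocoder table, yield a position fix anyway. The SDK-style payload, its field names, the geocoder entries and the “true” position are all constructed for the example; a real wardriving database holds hundreds of millions of rows.

```python
"""Added example: why a BSSID in an outbound request is a location leak.

Everything here is constructed: the payload layout and field names, the
three-entry geocoder table and the "true" position it is measured against.
"""
import json
import math
import re
from typing import Optional

# Constructed stand-in for a wardriving/geocoder database (BSSID -> lat, lon).
GEOCODER_DB = {
    "00:11:22:33:44:55": (37.3318, -122.0312),
    "00:11:22:33:44:66": (37.3322, -122.0300),
    "00:11:22:33:44:77": (37.3310, -122.0320),
}

# Constructed "ground truth" used only to measure the inferred fix.
TRUE_POSITION = (37.3319, -122.0310)

# Constructed example of what an analytics SDK might send while the OS
# location permission is denied. The field names are invented.
SAMPLE_PAYLOAD = json.dumps({
    "location_permission": "denied",
    "wifi": {"ssid": "HomeNet-5G", "bssid": "00:11:22:33:44:55", "rssi": -45},
    "scan": [
        {"bssid": "00:11:22:33:44:66", "rssi": -60},
        {"bssid": "00:11:22:33:44:77", "rssi": -70},
        {"bssid": "AA:BB:CC:DD:EE:FF", "rssi": -50},  # not in the geocoder table
    ],
})

MAC_RE = re.compile(r"\b[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}\b")


def find_bssids(raw_body: str) -> list[str]:
    """Grep-style check for a proxy capture: every MAC-formatted identifier in
    the body, lower-cased and de-duplicated. Run it over requests captured
    with location denied; any hit is data the permission was meant to withhold."""
    return sorted({m.lower() for m in MAC_RE.findall(raw_body)})


def observations_from_payload(raw_body: str) -> list[tuple[str, int]]:
    """Pull (bssid, rssi) pairs out of the constructed JSON layout."""
    body = json.loads(raw_body)
    obs = [(body["wifi"]["bssid"].lower(), body["wifi"]["rssi"])]
    obs += [(ap["bssid"].lower(), ap["rssi"]) for ap in body.get("scan", [])]
    return obs


def rssi_weight(rssi_dbm: int) -> float:
    """dBm -> linear milliwatts. Under free-space path loss received power
    scales as 1/d^2, so this weights nearer access points more heavily."""
    return 10 ** (rssi_dbm / 10)


def infer_location(observations: list[tuple[str, int]],
                   db: dict[str, tuple[float, float]] = GEOCODER_DB) -> Optional[tuple[float, float]]:
    """RSSI-weighted centroid of every observed BSSID present in the geocoder
    table. Unknown BSSIDs are skipped; returns None if none matched."""
    total = lat_acc = lon_acc = 0.0
    for bssid, rssi in observations:
        if bssid not in db:
            continue
        w = rssi_weight(rssi)
        lat, lon = db[bssid]
        lat_acc += w * lat
        lon_acc += w * lon
        total += w
    if total == 0.0:
        return None
    return (lat_acc / total, lon_acc / total)


def distance_m(a: tuple[float, float], b: tuple[float, float]) -> float:
    """Haversine great-circle distance in metres."""
    r = 6371000.0
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def audit(raw_body: str) -> dict:
    """Verdict for one captured request: which BSSIDs left the device while
    location was denied, and how precisely they pin the user down."""
    body = json.loads(raw_body)
    fix = infer_location(observations_from_payload(raw_body))
    return {
        "location_denied": body.get("location_permission") == "denied",
        "bssids_sent": find_bssids(raw_body),
        "inferred_fix": fix,
        "error_m": None if fix is None else distance_m(fix, TRUE_POSITION),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PAYLOAD), indent=2))
```

With the constructed table, three matched access points put the inferred fix within a few tens of metres of the “true” position, which is the whole point: the device never reported coordinates, yet the request body was as good as a GPS fix. The regex check is deliberately format-based rather than tied to any field name, so it also catches BSSIDs hidden in query strings or custom headers.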
On Twitter, Strafach replied to users who say that app tracking is expected nowadays. “Most app analytics are usually quite tame … this case goes further than what most apps do.” The same trick is harder to pull off on Android, as Google has been aware of the potential for WiFi tracking abuse for a while now. Since version 6.0 (Marshmallow), an app must hold a location permission before it can read WiFi scan results, which is where nearby networks’ BSSIDs come from, so a user who denies location also denies that data. We’ve reached out to Apple and AccuWeather for more information.
Update: Reveal has provided an emailed statement to Engadget and said that it “honors all operating system level ‘limit ad tracking’ and ‘do not track’ permissions.” At the same time, it said that “in looking at our current SDK’s behavior, we see how that can be misconstrued.” Its full statement to Engadget is below, and the company expanded on it in a blog post. On Twitter, Strafach noted the statement and said “I do not personally agree with their logic, but feel free to read and decide.”
We don’t attempt to reverse engineer a device’s location if someone opts out of location services, regardless of the data signal it comes from. In looking at our current SDK’s behavior, we see how that can be misconstrued. In response to that, we’re releasing a new version of our SDK today which will no longer send any data points which could be used to infer location when someone opts out of location sharing.
Via: 9 to 5 Mac
Source: Will Strafach (Medium)