AccuWeather on iOS may be violating Apple’s developer agreement as well as user trust, a new security audit reveals. Will Strafach, a security researcher, discovered that the iOS weather app is potentially sending out the identifiable user and device information to a third-party company even when location data sharing is denied.
Over the years, user data collection has become somewhat of an expected experience with free mobile applications. By collecting user data, and selling it, companies are able to keep themselves funded and offer free applications. The issue then comes down to when those applications don’t properly disclose how and what data is being collected.
In Strafach’s research, he discovered that AccuWeather is collecting data through a third-party company’s SDK. This SDK, provided by RevealMobile, is marketed as a way to “help app publishers and media companies extract the maximum value from their location data.” If a user were to download and allow AccuWeather to use their location data they would unknowingly also share the following to RevealMobile:
- Their device’s precise GPS coordinates
- The name of the Wi-Fi network they are connected to
- Whether or not their Bluetooth is enabled
Of course, much of this data collection is covered by AccuWeather’s Privacy Statement.
You may be asked to provide personally identifiable information such as your name, address, and/or email address (collectively ‘Personally Identifiable Information’ or ‘PII’)…
You may be asked for information which is not considered PII, such as a zip/postal code and/or country of origin.
The policy technically covers a situation in which a user downloads the application, and accepts sharing location data. The user should then have an expectation that they may or may not be sharing personally identifiable information.
The dichotomy in the situation that Strafach discovered is that if a user were to deny the iOS location sharing request, RevealMobile will still receive potentially identifiable information. Specifically, they would know the user’s Wi-Fi network SSID and could then track geolocation using Bluetooth beacons.
If a user denies sharing their location data with iOS’ location sharing request prompt, then the expectation is that no location data is being shared at all. As of AccuWeather’s latest 10.5.2 version, a user could deny sharing their location and yet still be sharing unknowingly.
By denying geolocation data, users should be made explicitly aware that their location data may still be tracked as covered under AccuWeather’s Privacy Statement.
Using this data collection, RevealMobile is able to map out user interactions to create what they call “high-value audiences.” The issue here is to what extent this user data is anonymous. As Strafach notes, “This practice by a different company appears to have previously caught the attention of the FTC.”