Dozens of iOS apps secretly collect location history for data monetization, analysis says

Posted in General Discussion, edited September 2018
GuardianApp, from the Sudo Security Group, finds that a number of iOS apps are secretly collecting and sending location histories and other sensitive user information to third-party data monetization firms.

GuardianApp


According to a new report from GuardianApp, "a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms. In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information."

The information being collected includes Bluetooth LE beacon data, GPS longitude and latitude, Wi-Fi SSID and BSSID, as well as accelerometer data, battery charge performance and status, and even timestamps for departure from and arrival at a location.

GuardianApp lists 24 apps that are "confirmed to send data to a third-party data monetization firm," including ASKfm: Ask Anonymous Questions, C25K 5K Trainer, Classifieds 2.0 Marketplace, Code Scanner by ScanLife, Coupon Sherpa, GasBuddy, Homes.com, Mobiletag, Moco, My Aurora Forecast, MyRadar NOAA Weather Radar, PayByPhone Parking, Perfect365, Photobucket, QuakeFeed Earthquake Alerts, Roadtrippers, ScoutLook Hunting, SnipSnap Coupon App, Tapatalk, The Coupons App, Tunity, Weather Live and YouMail.

GuardianApp has also found code from the monetization firm RevealMobile in the apps of several local TV stations owned by the Sinclair Broadcast Group, Tribune Broadcasting Company, LIN Television Corp., Gray Television Group and other broadcasters.

GuardianApp suggests using Apple's built-in Limit Ad Tracking feature to mitigate potential location sharing; it can be enabled under Settings > Privacy > Advertising. Further, vigilant users can select "Don't Allow" when an iOS Location Services popup window instructs them to "See privacy policy" or take similar action. The firm also suggests using a generic name for the SSID of a home Wi-Fi router and switching Bluetooth off when not in use.

Earlier on Friday, two major news stories broke about user data. Adware Doctor, formerly the top paid app in the Mac App Store, was pulled after a security researcher revealed it was exfiltrating user information to China, while a separate investigation revealed other malicious apps in the Mac App Store.

Comments

  • Reply 1 of 28
    So, these Apps can't track you if you have set their permissions to "Don't Allow"?

    How, then, is this a story? If they were able to get information from your device by BYPASSING your settings, then that to me would be a serious issue.
  • Reply 2 of 28
    gatorguy Posts: 24,176 member
    So, these Apps can't track you if you have set their permissions to "Don't Allow"?

    How, then, is this a story? If they were able to get information from your device by BYPASSING your settings, then that to me would be a serious issue.
    A weather app would be kind of useless without knowing your location don't you think. Same with a gas price or travel app. That's the story with this particular one. Obviously you're going to grant the permission needed for the app to operate. Otherwise you wouldn't allow it to be installed. It's what they're doing after the fact with the user data that you've given them access to. In other words otherwise legitimate and useful apps selling data to brokers.

    There's other threads today having to do with Mac and iOS apps that weren't legitimate to begin with. They were always meant to be scamming.

    edited September 2018
  • Reply 3 of 28
    So, these Apps can't track you if you have set their permissions to "Don't Allow"?

    How, then, is this a story? If they were able to get information from your device by BYPASSING your settings, then that to me would be a serious issue.
    So you're happy with apps taking your extremely sensitive and precise location history and selling it to advertisers (or worse) without disclosing this to you? Wow. :o

    I hope that's not an official NOAA app!
  • Reply 4 of 28
    s.metcalf said:
    So, these Apps can't track you if you have set their permissions to "Don't Allow"?

    How, then, is this a story? If they were able to get information from your device by BYPASSING your settings, then that to me would be a serious issue.
    So you're happy with apps taking your extremely sensitive and precise location history and selling it to advertisers (or worse) without disclosing this to you? Wow. :o

    I hope that's not an official NOAA app!
    As a weather enthusiast, let me state that every weather app that has NOAA in the title in the App Store is both not officially from NOAA, and usually garbage.

    NOAA hasn’t received enough funding to fully upgrade their web sites to use all the same style/branding, so I’m pretty sure they do not have an app development team in place to publish apps.
  • Reply 5 of 28
    If blogs can't leave comments open for all articles, they shouldn't post them. I already left Engadget for doing that. If AppleInsider continues, I will find somewhere else to hear real people converse about everything Apple.
  • Reply 6 of 28
    I’m surprised Foursquare and Swarm are not in there. They always bother me to allow them access to my location for all the time I’m using my phone. I said no thanks. 
  • Reply 7 of 28
    iqatedo Posts: 1,822 member
    Apple sells (third-party) kitchen scales that require an account with the vendor to use. An iOS app would suffice, but the vendor, using the new EU laws on privacy as an excuse, changed the terms of use. When originally purchased, an account was not necessary, and it should not be now. Apple, I believe, should remove such products from sale.
  • Reply 8 of 28
    nunzy Posts: 662 member
    I find this very hard to believe. Apple protects us from spyware. That's why Apple only allows us to install the software they sell. So we don't have to worry. They test every app three ways from Sunday before they sell it to us.
  • Reply 9 of 28
    While of course one might argue that for sure things are expected to be even worse on the Android side of things, I find this disturbing and I wish Apple would clearly mark “clean” apps and such that contain “data collection and sell” code equally in a transparent way.
    OTOH, people tend to forget that there is no such thing as “free” in the business world. 
  • Reply 10 of 28
    radarthekat Posts: 3,842 moderator
    grifmx said:
    If blogs can't leave comments open for all articles, they shouldn't post them. I already left Engadget for doing that. If AppleInsider continues, I will find somewhere else to hear real people converse about everything Apple.
    You do understand that political articles don’t allow comments here as a service to the readership; to prevent political spats breaking out among the meaningful and informative comments.  So if that’s not for you, maybe you aren’t the audience for this site.

    AppleInsider used to host a sub-forum for political discussion, but it was decided to shut it down.  Here’s the explanation that was posted regarding that, back in October of last year.  

    ————-
    After a few days of discussion, reading and introspection we have decided to remove the PoliticalOutsider sub-forum from this site.

    The truth of the matter is that forum acts like an ever-hanging full moon, emboldening otherwise reasonable people to twist and contort into something else, and as a shining beacon for people who just want to kick up some dirt to laugh at anyone who gets it in their eyes. 

    The final straw was the advertiser warning we received from Google over the weekend. It referenced a thread from 2007 where people had been discussing terrorism and the images that people thought were appropriate to include were, in a word, appalling. I specifically mention this not because of the advertiser warning (though that is pertinent), but because it highlights that PO has always kind-of been a problem that we've just been ignoring. That path is no longer sustainable.

    Removal of this forum has nothing to do with our political leanings or beliefs, and we're not taking anyone's side. It has simply become clear that the benefits do not outweigh the issues it creates. As a small team it has become a large distraction for some, it causes problems with advertisers and indexers (this weekend is not the first time we've received such a warning), and to be completely honest it probably doesn't belong on a site for fans of Apple in the first place.

    We are currently not making any other changes to our content policy.
  • Reply 11 of 28
    damonf Posts: 229 member
    taugust04_ai said:

    As a weather enthusiast, let me state that every weather app that has NOAA in the title in the App Store is both not officially from NOAA, and usually garbage.

    NOAA hasn’t received enough funding to fully upgrade their web sites to use all the same style/branding, so I’m pretty sure they do not have an app development team in place to publish apps.
    I listen to the WeatherBrains podcast, and it has been mentioned on a few occasions that NOAA unfortunately isn’t allowed to create apps, as such apps would supposedly “compete” with apps from the private sector. Though I believe that providing funding to create and maintain them is a secondary reason, because why they are allowed to “compete” on the web through their web sites but not in apps on smartphones doesn’t make sense.

    Friendly reminder that you can add any web page bookmarks (for example: NOAA web sites) as icons on your iOS device’s home screen. :wink: 
  • Reply 12 of 28
    Apple may position itself as the privacy/user advocate choice in the market, but that doesn't necessarily apply to others who inhabit the platform and are allowed within the system. The company still collects a large amount of data, even if it pledges to anonymize it, and anyone who has ever run a connection monitor like Little Snitch knows the numerous connections made to Apple servers in the course of seemingly benign, normal usage.

    I actively try to avoid specialized apps in general, especially when they don't offer any benefit above and beyond what is replicated by visiting a website.  Even visiting with a browser can reveal a myriad of data, but at least it's a more recognized and defined set, as opposed to who knows what an app sends back and forth.

    Anyone who expects this (non) revelation to prompt Apple to take any action only has to be reminded of how Tim Cook personally handled Uber's surreptitious tracking of users, intentionally designed to be hidden from Apple's notice.

    Uber CEO Travis Kalanick was summoned to Cupertino, and merely scolded by Cook, and only threatened with expulsion from the app store.

    No other action was taken.  No ban, not even a temporary removal from the store until the fix was enacted, which wouldn't have impacted users who already had the app in use.  In short, Cook let them get away with it scot-free when any regular consumer of Apple news knows that others have had their apps flicked for much lesser offenses.  Too big to ban?

    Words don't carry weight without action, and the leader of the company only punted when presented with the opportunity to act according to the company principles he espouses.
    edited September 2018
  • Reply 13 of 28
    cropr Posts: 1,122 member
    GuardianApp only detects cases where the app is directly connecting to the monetization companies. Sadly, that is only the tip of the iceberg.

    Using any app that connects to any server makes you vulnerable. Based on your IP address, the server can get a pretty good idea where you are located. It is even quite accurate if you are connected via a 3G or 4G network. And if the app needs some kind of sign in, your full details (name, email, ...) are available at the server, which can leak these details to a monetization firm. GuardianApp does not detect this scheme, but your data is sent. And even worse, in such a scheme the app is fully compliant with the App Store rules, so Apple has no means to intervene. App developers don't have to ask permission for a connection to a server. (@Nunzy: so don't be so naive.)

    The GDPR rules in the EU forbid such a scheme, so in the EU (and currently only there) this way of working is no longer allowed without explicit consent of the user.   How the EU would enforce this GDPR policy is another discussion.
  • Reply 14 of 28
    s.metcalf said:
    So, these Apps can't track you if you have set their permissions to "Don't Allow"?

    How, then, is this a story? If they were able to get information from your device by BYPASSING your settings, then that to me would be a serious issue.
    So you're happy with apps taking your extremely sensitive and precise location history and selling it to advertisers (or worse) without disclosing this to you? Wow. :o

    I hope that's not an official NOAA app!

    Never said I was and in the other thread I clearly stated so.

    I hope you realize that Apps cannot get your Apple ID or identify you or your device. So that location history is useless since it can’t be tied to a specific individual.

    I’m going to download a few of these and try them out. I want to see what permissions they ask for and also if they require a user to “sign in”. Signing in is the key part, as companies would need some way to identify you in order for this data to be useful (to them) or dangerous (to you).

    As a general rule I won’t use any App that requires me to create an account (unless it’s very well known and they have a valid reason to need an account).
  • Reply 15 of 28
    gatorguy Posts: 24,176 member
    s.metcalf said:
    So, these Apps can't track you if you have set their permissions to "Don't Allow"?

    How, then, is this a story? If they were able to get information from your device by BYPASSING your settings, then that to me would be a serious issue.
    So you're happy with apps taking your extremely sensitive and precise location history and selling it to advertisers (or worse) without disclosing this to you? Wow. :o

    I hope that's not an official NOAA app!

    Never said I was and in the other thread I clearly stated so.

    I hope you realize that Apps cannot get your Apple ID or identify you or your device. So that location history is useless since it can’t be tied to a specific individual.

    I’m going to download a few of these and try them out. I want to see what permissions they ask for and also if they require a user to “sign in”. Signing in is the key part, as companies would need some way to identify you in order for this data to be useful (to them) or dangerous (to you).

    As a general rule I won’t use any App that requires me to create an account (unless it’s very well known and they have a valid reason to need an account).
    Try Gas Buddy then, one of the data-monetizing apps. I think that should cover all those bases, including legitimate reasons to have an account.
    edited September 2018
  • Reply 16 of 28
    gatorguy said:
    s.metcalf said:
    So, these Apps can't track you if you have set their permissions to "Don't Allow"?

    How, then, is this a story? If they were able to get information from your device by BYPASSING your settings, then that to me would be a serious issue.
    So you're happy with apps taking your extremely sensitive and precise location history and selling it to advertisers (or worse) without disclosing this to you? Wow. :o

    I hope that's not an official NOAA app!

    Never said I was and in the other thread I clearly stated so.

    I hope you realize that Apps cannot get your Apple ID or identify you or your device. So that location history is useless since it can’t be tied to a specific individual.

    I’m going to download a few of these and try them out. I want to see what permissions they ask for and also if they require a user to “sign in”. Signing in is the key part, as companies would need some way to identify you in order for this data to be useful (to them) or dangerous (to you).

    As a general rule I won’t use any App that requires me to create an account (unless it’s very well known and they have a valid reason to need an account).
    Try Gas Buddy then. I think that should cover all those bases. 

    I will. Something like that (or a weather App) shouldn't require an account. It can get your location via GPS and provide you with the necessary information for your area already. You don't need to tell it where you live.

    I think this is one area Apple needs to crack down on. Apps that require accounts to be set up must demonstrate why they need an account and what it's used for.
  • Reply 17 of 28
    gatorguy Posts: 24,176 member
    gatorguy said:
    s.metcalf said:
    So, these Apps can't track you if you have set their permissions to "Don't Allow"?

    How, then, is this a story? If they were able to get information from your device by BYPASSING your settings, then that to me would be a serious issue.
    So you're happy with apps taking your extremely sensitive and precise location history and selling it to advertisers (or worse) without disclosing this to you? Wow. :o

    I hope that's not an official NOAA app!

    Never said I was and in the other thread I clearly stated so.

    I hope you realize that Apps cannot get your Apple ID or identify you or your device. So that location history is useless since it can’t be tied to a specific individual.

    I’m going to download a few of these and try them out. I want to see what permissions they ask for and also if they require a user to “sign in”. Signing in is the key part, as companies would need some way to identify you in order for this data to be useful (to them) or dangerous (to you).

    As a general rule I won’t use any App that requires me to create an account (unless it’s very well known and they have a valid reason to need an account).
    Try Gas Buddy then. I think that should cover all those bases. 

    I will. Something like that (or a weather App) shouldn't require an account. It can get your location via GPS and provide you with the necessary information for your area already. You don't need to tell it where you live.

    I think this is one area Apple needs to crack down on. Apps that require accounts to be set up must demonstrate why they need an account and what it's used for.
    You'll find the rationale for an account with GasBuddy
  • Reply 18 of 28
    genovelle Posts: 1,480 member
    nunzy said:
    I find this very hard to believe. Apple protects us from spyware. That's why Apple only allows us to install the software they sell. So we don't have to worry. They test every app three ways from Sunday before they sell it to us.
    The key is, if you trust the company and allow them access and they violate their privacy agreement, they are at fault, not Apple. It’s not Apple’s job after the fact to make sure each of these companies remains within the law after they have the data. They will penalize them for breaching the trust.
  • Reply 19 of 28
    GasBuddy asks you to log in right away with Facebook, Google or e-mail. There's a "Later" option to use it without creating a login. When it shows an explanation for Permissions, it highlights "Always" to try and suggest that you pick Always when the actual iOS Permissions dialog comes up. It seemed to work fine without me logging in. Didn't use it long enough to see if it will nag you later to log in.

    ASKfm immediately asks you to login. I couldn't get past the login screen to see what it asks for Permissions, so I deleted it after that.

    Homes.com didn't ask for any login at all. It let me go straight to searching for homes. When I clicked on Search by Location it asked me if I wanted to allow the App to track location while using the App and had the obligatory "You can change this later" prompt. When I went into Settings my Permission was indeed set to "While Using". I uninstalled it and tried again and this time when it asked to search I typed in my location. So I was able to use this App without any login and even without location tracking (by manually entering a city to use). Not sure why this App is on their list since it would never be able to track your location and tie that to a user since there's no login required.

    Tunity, like ASKfm, won't continue until you login. Again, don't know how it presents Permissions.

    Roadtrippers asks you to login, but allows you to continue without logging in. It immediately asks for Location Permissions. Their dialog states you'll get reduced functionality (like discovery of nearby places) if you select Never or While Using, hinting you should pick Always.

    That's my part. If anyone wants to try some other Apps to add to the list feel free. Obviously some Apps (ASKfm, Tunity) should not be trusted AT ALL as you can't use them without creating a login. Homes.com shouldn't even be on their list. While it might have tracking, the information is useless and presents no privacy concern since there's no login. They probably use the information just to see where people are looking for homes in general, not to mine personal usage. I think it's disingenuous of Guardian to include this App. GasBuddy and Roadtrippers can be used without a login, but the way they word it they try to get you to use a login and also try to get you to pick Always for Permissions. So they can be used safely, but you have to avoid using a login and make sure your Permissions are set properly.
  • Reply 20 of 28
    dewme Posts: 5,328 member
    At least on one front, apps that require Location information (including Apple's built-in apps) have largely moved to a model that allows you to only grant access to location information when you are actually using the app rather than at all times. This is a net improvement, albeit a small one, since the consumer of this data is still able to compile a history of your location data if they can associate it with device and/or user identifiable information.

    I hate to say it but I'm hard pressed to see where most of these concerns will ever stop. Data is just data, but when you attach some sort of context to data it now transforms into Information. Information has always been significantly more valuable than data, which is why these companies crave it. I worked on a customer loyalty related software program more than 20 years ago and we ran into the same kinds of privacy and regulatory issues (with the same huffy posturing in the EU) that are at the forefront of today's conversations on essentially the same exact topics. That's 20+ years of conversations taking place with no clear resolution or consensus in sight. Perhaps we should reconvene in the year 2038 and pick up on this same conversation once again. I seriously doubt it will have progressed much beyond where it is today. 

    Still, I don't think we should just throw up our hands and give up. The truth is that users of these applications derive more value from these apps because the apps contextualize their services using the information they gather from us. At the very least there should be full disclosure, both ways. The app/service vendors should clearly identify to the end-user exactly what value (features and capabilities) the end-user is getting from the information they are voluntarily disclosing. The app/service vendor should also clearly identify what exact data and information they are collecting, saving, aggregating, and analyzing, as well as the lifetime and expiry (if ever) of the data/information, both for cases where the end-user continues the relationship or decides to end it (and ideally have all traces of personally identifiable data and information purged). In other words, there should be a contract in place between the app/service vendor and the end-user. This sounds good, and in some cases these "contracts" are already in place within the EULA and terms of service (TOS) that end-users agree to prior to using these apps and services. There is probably a lot more transparency in place than most end-users realize, but it's hard to see the forest for the trees in EULA and TOS statements' legal babble.