AccuWeather sends user location data to monetization firm despite iOS privacy settings [u]...

Posted:
in iPhone edited August 2017
Popular iOS weather app AccuWeather, often listed as a top-ten app in the Weather section of the iOS App Store, has been collecting and forwarding user location information to data monetization company Reveal Mobile even when location sharing is disabled.




The potential breach of privacy was detailed by security researcher Will Strafach on Monday.

Strafach, who monitored data traffic on a test phone running AccuWeather in the background, discovered the app would send packets containing Wi-Fi router name and BSSID information to Reveal Mobile every few hours. That data can be crosschecked against publicly available router and MAC address location information to determine a user's whereabouts with relative precision.

Most troubling is that AccuWeather's Wi-Fi and MAC address data gathering operation continues when location services are disabled.

When the app is first installed, users can opt in to location tracking, which allows AccuWeather to push out severe weather alerts, critical updates and "make the app launch faster." According to Strafach, the app logs precise GPS coordinates, including current speed and altitude, router name and MAC address information, and device Bluetooth status when background location services are activated.

For Reveal Mobile, Bluetooth is an important piece of its core technology. As detailed in documentation on its website (PDF link), the company helps advertisers serve relevant content to consumers by harvesting location data from partner apps.

Reveal Mobile "turns the location data coming out of those apps into meaningful audience data. We listen for lat/long data and when a device 'bumps' into a Bluetooth beacon," the company says.

Users can decline app calls to activate location services, presented at first launch and again when searching for weather in a specific area, to limit the scope of data sent to offsite servers. However, as explained by Strafach, the continued transmission of Wi-Fi router information is problematic.

In a statement to ZDNet, Reveal Mobile said it does not use Wi-Fi and BSSID information for location determination.

"Everything is anonymized," said Brian Handley, CEO of Reveal Mobile. "We're not ever tracking an individual device." He went on to illustrate a situation in which Reveal can use the information to deliver advertisements to customers inside a Starbucks location.

In response to Strafach's revelations, Reveal Mobile issued a public statement clarifying its location tracking technology. The firm maintains that it follows all App Store guidelines and honors device level and app level opt-outs and permissions. In particular, the company says it does not reverse engineer device location based on "other data signals" when a user opts out of location services.

In light of the recent findings, however, Reveal Mobile is releasing a new iOS SDK that "no longer send[s] any data points which could be used to infer location when someone opts out of location sharing."
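The commitment quoted above can be checked the same way Strafach found the problem, by inspecting what the app sends once location sharing is declined. The sketch below is an added example, not code from Strafach, AccuWeather or Reveal Mobile; the payload, its key names and the token list are constructed assumptions, and it flags any field in a decoded JSON request body that names or looks like a location-inferring data point.

```python
import json
import re

# Key-name tokens the auditor treats as location-inferring (an assumption of
# this example, drawn from the data types the article lists).
SENSITIVE_TOKENS = {"ssid", "bssid", "lat", "latitude", "lon", "lng", "longitude",
                    "altitude", "speed", "bluetooth", "beacon"}
# Six hex octets; 1-2 digits each because some platforms drop leading zeros.
BSSID_RE = re.compile(r"(?:[0-9A-Fa-f]{1,2}[:-]){5}[0-9A-Fa-f]{1,2}")
# Splits snake_case and camelCase keys so "platform" does not match "lat".
TOKEN_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")

def key_tokens(key):
    return {t.lower() for t in TOKEN_RE.findall(key)}

def walk(node, path=""):
    """Yield (json_path, reason) for every location-inferring data point."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key_tokens(key) & SENSITIVE_TOKENS:
                yield child, "key name"
            else:
                yield from walk(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    elif isinstance(node, str) and BSSID_RE.fullmatch(node):
        yield path, "BSSID-shaped value"

def opt_out_violations(payload, location_opted_out):
    """With location sharing declined, any flagged field is a violation."""
    return list(walk(payload)) if location_opted_out else []

# Constructed request body, not a capture from any real app or SDK.
SAMPLE = json.loads("""{
  "app": "com.example.weather",
  "device": {"os": "iOS", "platform": "phone", "bluetooth_enabled": true},
  "network": {"ssid": "HomeNet-5G", "bssid": "a4:2b:8c:0:1f:9e"},
  "extras": [{"k": "ap", "v": "A4-2B-8C-00-1F-9E"}]
}""")

if __name__ == "__main__":
    for path, reason in opt_out_violations(SAMPLE, location_opted_out=True):
        print(f"{path}: {reason}")
```

The value-shape check matters because a renamed key (here `extras[0].v`) would slip past a key-name filter alone.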

For its part, AccuWeather vice president of emerging platforms David Mitchell said the company plans to "use data through Reveal Mobile for audience segmentation and analysis, to build a greater audience understanding and create more contextually relevant and helpful experiences for users and for advertisers."

Following Strafach's blog post, a number of AccuWeather users abandoned the app over privacy concerns. As of this writing, the weather app stands in the No. 6 spot in the Weather section of the App Store.

Update: In a statement to AppleInsider, AccuWeather confirms Wi-Fi network information was available for "a short period" on the Reveal SDK, but went unused by the app. Whether that same data was used by Reveal Mobile was left unmentioned.

The statement in full:
Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.

Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.

AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.

To avoid any further misinterpretation, Reveal is updating its SDK and pushing out new versions of the SDK in the next 24 hours, with the iOS update going live tonight. The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending that update.

Reveal has stated that the SDK could be misconstrued, and they assure that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent.

AccuWeather will work with Reveal to restore the SDK when it has been amended and will continue to update its ULAs to be transparent and current with evolving standards. AccuWeather and Reveal continue to enhance methods for handling data and strive to provide superior, seamless, and secure user experiences.

We are grateful to have a supportive community that highlights areas where we can optimize and be more transparent.

Comments

  • Reply 1 of 33
    I have deleted this otherwise great app and will be taking additional action for the fraudulent misrepresentation.
  • Reply 2 of 33
    sirlance99 Posts: 1,293 member
    I have deleted this otherwise great app and will be taking additional action for the fraudulent misrepresentation.
    Additional action like what exactly? What do you expect to do or get? 

    It’s all kinds of wrong, I agree. It’s shameful and wrong but I just don’t see what you’ll be able to do. 
  • Reply 3 of 33
    macgui Posts: 2,350 member
    sirlance99 said:
    Additional action like what exactly? What do you expect to do or get? 
    Probably a sternly worded email to the Devs, followed by posts on various forums calling for a class action,  followed by shaking his fist at the sky.

    But doing something meaningful? I have to wonder. I wonder why he didn't say what that additional action would be.
  • Reply 4 of 33
    Deleted this app years ago. So many fine weather apps out there, and I just wasn't using it. Fave is Dark Sky. 
  • Reply 5 of 33
    F@$k those devs. Hopefully they get a slap on the wrist from Apple. Maybe even a boot from the App Store. My favorite weather app has to be Wunderground 
  • Reply 6 of 33
    cgWerks Posts: 2,952 member
    I've found it best to check through your cellular usage, location, background activity, backup status, etc. every now and then, especially after iOS updates. I've noticed settings flipped on a number of occasions where I'm pretty sure I didn't do it.

    Another thing to watch for, is that it appears one app can pass off permission to another app. For example, if I have cellular data enabled for Safari, but not YouTube... if you click a YouTube video in Safari, it fires up the YouTube app and will use cell data.

    And... then there's stuff like this where it ignores the settings. :(
  • Reply 7 of 33
    I have deleted this otherwise great app and will be taking additional action for the fraudulent misrepresentation.
    Additional action like what exactly? What do you expect to do or get? 

    It’s all kinds of wrong, I agree. It’s shameful and wrong but I just don’t see what you’ll be able to do. 
     Action not involving whining anonymously on the Internet.
  • Reply 8 of 33
    koop Posts: 337 member
    The only action you need to take is to delete the app, get something else and leave a 1 star review. 

    I usually use Dark Sky and Accuweather but I dumped it for WeatherBug Elite and it's as simple as that. 
  • Reply 9 of 33
    baconstang Posts: 1,103 member
    Well, that's usually what you get with 'free' apps.
    I use the iOS Weather app and RadarCast.  No ads.
    In fact I generally won't get an app unless there's an ad free version.
  • Reply 10 of 33
    I have to admit I only use the built in weather app. I find weather apps to be useless but as a quick look over the week it's pretty good. The best weather app is to look out the window and see what the weather is doing. 100% accurate.
  • Reply 11 of 33
    Company statement- "We do not use this data to reverse engineer information for a location" also "we can deliver targeted ads to a user when in a Starbucks location."
  • Reply 12 of 33
    I have to admit I only use the built in weather app. I find weather apps to be useless but as a quick look over the week it's pretty good. The best weather app is to look out the window and see what the weather is doing. 100% accurate.

    I'm in the same boat. I use the stock apps if they are available. I'm not that avid an outdoor guy that I need to have the best and quickest Weather app.
  • Reply 13 of 33
    Rayz2016 Posts: 6,957 member
    Mmmm. 

    I thought that if you opted out the iOS itself would prevent the app from posting location data. 

    Heading over the App Store to watch the review carnage unfold. 
  • Reply 14 of 33
    foggyhill Posts: 4,767 member
    kick it off IOS then. See how they'll like that.
  • Reply 15 of 33
    glynh Posts: 133 member
    Rayz2016 said:
    Heading over the App Store to watch the review carnage unfold. 
    It's already started! I don't use it on any of my iOS devices but I do have it on two SmartTV's in my house.

    Well I did...I deleted it from both sets after I read this yesterday as a form of protest.

    Both Accuweather & Reveal Mobile (an apt name considering their core purpose it seems) deserve to be spanked financially for this IMHO.
  • Reply 16 of 33
    Rayz2016 said:
    Mmmm. 

    I thought that if you opted out the iOS itself would prevent the app from posting location data. 

    Heading over the App Store to watch the review carnage unfold. 
    foggyhill said:
    kick it off IOS then. See how they'll like that.

    Isn't that the expectation from users? Surprised to see none of that has happened yet!!!
  • Reply 17 of 33
    bluefire1 Posts: 1,301 member
    koop said:
    The only action you need to take is to delete the app, get something else and leave a 1 star review. 

    I usually use Dark Sky and Accuweather but I dumped it for WeatherBug Elite and it's as simple as that. 
    Just dumped Accuweather as well. WeatherBug Elite is wonderful as is The Weather Channel app.

  • Reply 18 of 33
    and with that, the lawyers begin herding up random people to form a class action lawsuit.
  • Reply 19 of 33
    steven n. Posts: 1,229 member
    I updated this paragraph of their response:
    FROM
    "AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly."

    TO
    "AccuWeather and Reveal Mobile are [mindlessly] following the standards [] of the industry. We also recognize [we to caught] and what is [standard] practice one day may change the next. Accordingly, we work to [hide our actives regularly]"
  • Reply 20 of 33
    Rayz2016 Posts: 6,957 member
    Rayz2016 said:
    Mmmm. 

    I thought that if you opted out the iOS itself would prevent the app from posting location data. 

    Heading over the App Store to watch the review carnage unfold. 
    foggyhill said:
    kick it off IOS then. See how they'll like that.

    Isn't that the expectation from users? Surprised to see none of that has happened yet!!!
    Right, I spoke without really understanding what they'd done. 

    iOS will stop the app posting location data, but they weren't using location services, by the looks of it. They used their app to interrogate the router. Because the location info wasn't coming from your actual phone (it is coming from the router you're connecting to) they think they were okay to do that. 

    To me, that's bollox. People who opt out of location services mean that they don't want their location accessed by YOUR APP, regardless of where the app is picking up and deriving the information. This is a betrayal of trust. 

