Dozens of iOS apps secretly collect location history for data monetization, analysis says
GuardianApp, from the Sudo Security Group, finds that a number of iOS apps are secretly collecting and sending location histories and other sensitive user information to third-party data monetization firms.

According to a new report from GuardianApp, "a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms. In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information."
The information being collected includes Bluetooth LE Beacon Data, GPS Longitude and Latitude, Wi-Fi SSID and BSSID, and also such information as accelerometer data, battery charge performance and status, and even timestamps for departure/arrival to a location.
GuardianApp lists 24 apps that are "confirmed to send data to a third-party data monetization firm," including ASKfm: Ask Anonymous Questions, C25K 5K Trainer, Classifieds 2.0 Marketplace, Code Scanner by ScanLife, Coupon Sherpa, GasBuddy, Homes.com, Mobiletag, Moco, My Aurora Forecast, MyRadar NOAA Weather Radar, PayByPhone Parking, Perfect365, Photobucket, QuakeFeed Earthquake Alerts, Roadtrippers, ScoutLook Hunting, SnipSnap Coupon App, Tapatalk, The Coupons App, Tunity, Weather Live and YouMail.
GuardianApp has also found code from the monetization firm, RevealMobile, on the apps of several local TV stations owned by the Sinclair Broadcast Group, Tribune Broadcasting Company, LIN Television Corp., Gray Television Group and other broadcasters.
GuardianApp suggests using Apple's built-in Limit Ad Tracking feature to mitigate potential location sharing. The tool can be enabled by navigating to Settings > Privacy > Advertising. Further, vigilant users can select "Don't Allow" when iOS Location Services pop-up windows instruct them to "See privacy policy" or take similar action. The firm also suggests using a generic name for the SSID of a home Wi-Fi router and switching Bluetooth off when not in use.
Earlier on Friday, two major news stories broke about user data. Adware Doctor, formerly the top paid app in the Mac App Store, was pulled after a security researcher revealed it was exfiltrating user information to China, while a separate investigation revealed other malicious apps in the Mac App Store.

Comments
How, then, is this a story? If they were able to get information from your device by BYPASSING your settings, then that to me would be a serious issue.
There are other threads today having to do with Mac and iOS apps that weren't legitimate to begin with. They were always meant to be scamming.
I hope that's not an official NOAA app!
NOAA hasn’t received enough funding to fully upgrade their web sites to use all the same style/branding, so I’m pretty sure they do not have an app development team in place to publish apps.
OTOH, people tend to forget that there is no such thing as “free” in the business world.
AppleInsider used to host a sub-forum for political discussion, but it was decided to shut it down. Here’s the explanation that was posted regarding that, back in October of last year.
————-
After a few days of discussion, reading and introspection we have decided to remove the PoliticalOutsider sub-forum from this site.
The truth of the matter is that forum acts like an ever-hanging full moon, emboldening otherwise reasonable people to twist and contort into something else, and as a shining beacon for people who just want to kick up some dirt to laugh at anyone who gets it in their eyes.
The final straw was the advertiser warning we received from Google over the weekend. It referenced a thread from 2007 where people had been discussing terrorism and the images that people thought were appropriate to include were, in a word, appalling. I specifically mention this not because of the advertiser warning (though that is pertinent), but because it highlights that PO has always kind-of been a problem that we've just been ignoring. That path is no longer sustainable.
Removal of this forum has nothing to do with our political leanings or beliefs, and we're not taking anyone's side. It has simply become clear that the benefits do not outweigh the issues it creates. As a small team it has become a large distraction for some, it causes problems with advertisers and indexers (this weekend is not the first time we've received such a warning), and to be completely honest it probably doesn't belong on a site for fans of Apple in the first place.
We are currently not making any other changes to our content policy.
Friendly reminder that you can add any web page bookmarks (for example: NOAA web sites) as icons on your iOS device’s home screen.
Never said I was and in the other thread I clearly stated so.
I hope you realize that Apps cannot get your Apple ID or identify you or your device. So that location history is useless since it can’t be tied to a specific individual.
I’m going to download a few of these and try them out. I want to see what permissions they ask for and also if they require a user to “sign in”. Signing in is the key part, as companies would need some way to identify you in order for this data to be useful (to them) or dangerous (to you).
As a general rule I won’t use any App that requires me to create an account (unless it’s very well known and they have a valid reason to need an account).
I will. Something like that (or a weather App) shouldn't require an account. It can get your location via GPS and provide you with the necessary information for your area already. You don't need to tell it where you live.
I think this is one area Apple needs to crack down on. Apps that require accounts to be set up must demonstrate why they need an account and what it's used for.
ASKfm immediately asks you to login. I couldn't get past the login screen to see what it asks for Permissions, so I deleted it after that.
Homes.com didn't ask for any login at all. It let me go straight to searching for homes. When I clicked on Search by Location it asked me if I wanted to allow the App to track location while using the App and had the obligatory "You can change this later" prompt. When I went into Settings my Permission was indeed set to "While Using". I uninstalled it and tried again and this time when it asked to search I typed in my location. So I was able to use this App without any login and even without location tracking (by manually entering a city to use). Not sure why this App is on their list since it would never be able to track your location and tie that to a user since there's no login required.
Tunity, like ASKfm, won't continue until you login. Again, don't know how it presents Permissions.
Roadtrippers asks you to login, but allows you to continue without logging in. It immediately asks for Location Permissions. Their dialog states you'll get reduced functionality (like discovery of nearby places) if you select Never or While Using, hinting you should pick Always.
That's my part. If anyone wants to try some other Apps to add to the list feel free. Obviously some Apps (ASKfm, Tunity) should not be trusted AT ALL as you can't use them without creating a login. Homes.com shouldn't even be on their list. While it might have tracking, the information is useless and presents no privacy concern since there's no login. They probably use the information just to see where people are looking for homes in general, not to mine personal usage. I think it's disingenuous of Guardian to include this App. GasBuddy and Roadtrippers can be used without a login, but the way they word it they try to get you to use a login and also try to get you to pick Always for Permissions. So they can be used safely, but you have to avoid using a login and make sure your Permissions are set properly.
I hate to say it but I'm hard pressed to see where most of these concerns will ever stop. Data is just data, but when you attach some sort of context to data it now transforms into Information. Information has always been significantly more valuable than data, which is why these companies crave it. I worked on a customer loyalty related software program more than 20 years ago and we ran into the same kinds of privacy and regulatory issues (with the same huffy posturing in the EU) that are at the forefront of today's conversations on essentially the same exact topics. That's 20+ years of conversations taking place with no clear resolution or consensus in sight. Perhaps we should reconvene in the year 2038 and pick up on this same conversation once again. I seriously doubt it will have progressed much beyond where it is today.
Still, I don't think we should just throw up our hands and give up. The truth is that users of these applications derive more value from these apps because the apps contextualize their services using the information they gather from us. At the very least there should be full disclosure, both ways. The app/service vendors should clearly identify to the end-user exactly what value (features and capabilities) the end-user is getting from the information they are voluntarily disclosing. The app/service vendor should also clearly identify what exact data and information they are collecting, saving, aggregating, and analyzing as well as the lifetime and expiry (if ever) of the data/information, both for cases where the end-user continues the relationship or decides to end it (and ideally have all traces of personally identifiable data and information purged). In other words, there should be a contract in place between the app/service vendor and the end-user. This sounds good, and in some cases these "contracts" are already in-place within the EULA and terms of service (TOS) that end-users agree to prior to using these apps and services. There is probably a lot more transparency in place than most end-users realize, but it's hard to see the forest for the trees in EULA and TOS statements' legal babble.