Wednesday, August 23, 2017 [Tweets] [Favorites]

AccuWeather Caught Sending User Location Data, Even When Location Sharing Is Off

Zack Whittaker:

Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn’t have permission to access the device’s precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user’s device.

[…]

“Everything is anonymized,” said Brian Handley, the company’s chief executive. “We’re not ever tracking an individual device,” but described a situation where his company can point advertising to customers inside a Starbucks location, for example.

[…]

“Reveal is updating its SDK and pushing out new versions of the [software kit] in the next 24 hours, with the iOS update going live [Tuesday],” said an AccuWeather spokesperson. “The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing.”

Via John Gruber:

To me this is a one strike and you’re out situation.

Update (2017-08-23): Ron Gilbert:

iOS needs a setting to deny all internet access on an app-by-app basis, like they do access to the camera, contacts, etc.

This is probably the iOS feature that I want most, although without more fine-grained control it seems incompatible with certain app types like weather.

Jacob Terry:

iOS should ask permission for network access similar to how it asks permission to access contacts and photos. Unlike those permissions, however, this one should be optional to the app author.

[…]

To distinguish apps that opt-in, Apple should brand the feature (“Secure Networking”, for example) and have an accompanying logo. Apps that opt-in should get a badge in the App Store, and Apple should promote the feature, especially to enterprises.

One more thing: authorization should happen per domain.

Update (2017-08-24): John Gruber:

AccuWeather issued a statement regarding the controversy over their app sending location-identifying information to a monetization firm. It’s a veritable mountain of horseshit[…]

[…]

The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was.

[…]

In other words, Reveal Mobile makes money by revealing your location to retailers (anonymously, so they claim), and AccuWeather made money from Reveal by embedding their SDK in their app.

Update (2017-08-28): Dark Sky:

While the outrage may be warranted, the surprise shouldn’t be. This isn’t just a case of a single company monetizing their customer’s location data in a shady manner; it’s a much larger — and more widespread — phenomenon. How do I know? Because there are entire companies devoted to buying this very data from the countless apps that currently make use of location data, and they contact us all the freakin’ time.

[…]

Because of this, we also believe that Apple and Google should do more to prevent this sort of behavior. They should set — and aggressively enforce — clear App Store rules forbidding the sharing of location data for any purposes not directly relevant to the app’s core functionality. If an app is caught breaking this rule, it should be removed from the store. This won’t stop all abuse, but it would, at the very least, put many of these data monetization companies out of the business of tracking where you go.

Nick Heer:

Here’s the thing, though: Grossman’s suggested response has been in place for years. […] All Apple had to do in this case was enforce their own rules. I understand that something will occasionally slip through the cracks and it will sometimes be with a high-profile app, but this is really the sort of thing that should have been caught.

AccuWeather has removed Reveal Mobile but is now sending GPS coordinates to another company.

7 Comments

I may be missing something on the technical side, but I read Gruber's righteous anger at this as a way of deflecting blame away from where it really belongs. Sure, what AccuWeather did is sorta sleazy, but did they actually break any AppStore policies? And more to the point, why were they even able to do this in the first place?

In other words, why does Apple allow apps to access WiFi router names and MAC addresses? Is there any potential reason apps should ever have access to this info? And even if there is a potential reason, why isn't it regulated by the user per-app in the same way GPS is? The concept of geolocating by WiFi info isn't new, after all...

(Also worth noting that none of this would have ever come to light if the app had sent and received the info in encrypted form, rather than plain text. Which means that there's no reason to think other apps aren't doing this, and won't be caught.)

And tangentially:

"iOS needs a setting to deny all internet access on an app-by-app basis, like they do access to the camera, contacts, etc."

"This is probably the iOS feature that I want most, although without more fine-grained control it seems incompatible with certain app types like weather."

It occurred to me a while back that the ability to use Little Snitch to let an app have internet access in a restricted manner only works in practice because LS is a fringe product. If Apple ever built fine-grained internet access user control into iOS, thus giving it a broad audience, the adversary would adjust. Instead of directly sending traffic to 3rd party sites, apps and websites would begin sending potentially objectionable traffic to their own site, and re-routing the traffic to the 3rd party sites from there.

@Chucky Little Snitch’s protections are also a bit murky when many different services all use Amazon IP addresses. However, there are many apps that don’t need any network access at all, or perhaps only access via iCloud. I would be happy to be able to block my password app from the network entirely.

"Little Snitch’s protections are also a bit murky when many different services all use Amazon IP addresses. "

Oh, no doubt. But I'm still able to use it in a "fine-grained" manner to block various ad networks, analytics, trackers, and unnecessary Google services, etc. So, even though it is indeed murky, I can still block a fair amount of unwanted stuff.

-----

But to move off the tangent back to the main topic here: Beyond the sensible suggestion of allowing per-app network blocks, am I crazy to think iOS has no business exposing WiFi info to apps? Because if so, it would totally eliminate this kind of backdoor location tracking.

As you note, per-app network blocks wouldn't solve the problem that AccuWeather presented here.

Seamus McDermott

"iOS needs a setting to deny all internet access on an app-by-app basis, like they do access to the camera, contacts, etc."

"This is probably the iOS feature that I want most, although without more fine-grained control it seems incompatible with certain app types like weather."

iOS does support this. On all phones bought in mainland China in addition to the first run prompts for location and camera access, etc, there is a prompt for data usage. The user can select between WLAN, WLAN and Cellular, or none. These settings can later be reviewed in Settings>Mobile Data, in which there is an app by app listing of the data permissions.

Selecting none has the side effect of killing banner adds on apps that run alone (without internet access) as they can’t access data to download an ad.

Another particularity about the iPhones sold in mainland China is that they have a low-battery warning audible alert (20% and 10%) sound that can’t be turned off. It’s the same sound you hear through the headphones on other iPhones, ie. 3 descending tones in quick succession. This is on permanently and can’t be switched off (even on silent mode) in a similar fashion to the Japanese iPhones that have the camera sound hard-coded to be on.

The only legitimate reason for accessing MAC address and router names that I can think of is for a network mapping type app, or perhaps for something that wants to encrypt something such that it can only be decrypted on a certain network (this I think is mostly a TV/movie fantasy; seems too easy to spoof or unreliable if the router dies, etc.).

I'm guessing iOS 11 breaks this, as the release notes for the latest version of Network Analyzer Lite stated that it won't be able to display MAC addresses and device names for devices when running under iOS 11 due to iOS changes. Which makes network mapping/scanning basically useless (if I don't already know a device's IP address) in order to protect us from abusive actors. I wish Apple had locked it behind an entitlement instead, so that apps that really have a legitimate reason to gather/report this info could do so with Apple's permission, and bad actors would be stonewalled.

@Chucky Yes, it seems like there should be an entitlement so that this info is only available to network scanning apps. Although apps could probably still build their own “local network fingerprint” to some extent.

Stay up-to-date by subscribing to the Comments RSS Feed for this post.

Leave a Comment