{"id":18711,"date":"2017-08-23T15:34:32","date_gmt":"2017-08-23T19:34:32","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=18711"},"modified":"2019-02-13T16:55:14","modified_gmt":"2019-02-13T21:55:14","slug":"accuweather-caught-sending-user-location-data-even-when-location-sharing-is-off","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2017\/08\/23\/accuweather-caught-sending-user-location-data-even-when-location-sharing-is-off\/","title":{"rendered":"AccuWeather Caught Sending User Location Data, Even When Location Sharing Is Off"},"content":{"rendered":"

Zack Whittaker<\/a>:<\/p>\n

Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn’t have permission to access the device’s precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user’s device.<\/p>

[…]<\/p>

“Everything is anonymized,” said Brian Handley, the company’s chief executive. “We’re not ever tracking an individual device,” but described a situation where his company can point advertising to customers inside a Starbucks location, for example.<\/p>

[…]<\/p>

“Reveal is updating its SDK and pushing out new versions of the [software kit] in the next 24 hours, with the iOS update going live [Tuesday],” said an AccuWeather spokesperson. “The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing.”<\/p><\/blockquote>\n\n

Via John Gruber<\/a>:<\/p>\n

\n

To me this is a one strike and you’re out situation.<\/p>\n<\/blockquote>\n\n

Update (2017-08-23): Ron Gilbert<\/a>:<\/p>\n

iOS needs a setting to deny all internet access on an app-by-app basis, like they do access to the camera, contacts, etc.<\/p><\/blockquote>\n

This is probably the iOS feature that I want most, although without more fine-grained control it seems incompatible with certain app types like weather.<\/p>\n\n

Jacob Terry<\/a>:<\/p>\n

iOS should ask permission for network access similar to how it asks permission to access contacts and photos. Unlike those permissions, however, this one should be optional to the app author.<\/p>

[…]<\/p>

To distinguish apps that opt-in, Apple should brand the feature (“Secure Networking”, for example) and have an accompanying logo. Apps that opt-in should get a badge in the App Store, and Apple should promote the feature, especially to enterprises.<\/p>

One more thing: authorization should happen per domain.<\/p><\/blockquote>\n\n

Update (2017-08-24): John Gruber<\/a>:<\/p>\n

\n

AccuWeather issued a statement<\/a> regarding the controversy over their app sending location-identifying information to a monetization firm<\/a>. It’s a veritable mountain of horseshit<\/a>[…]<\/p>\n

[…]<\/p>\n

The accusation is not that AccuWeather itself was using the location of the Wi-Fi router, but that Reveal Mobile was.<\/p>\n

[…]<\/p>\n

In other words, Reveal Mobile makes money by revealing your location to retailers (anonymously, so they claim), and AccuWeather made money from Reveal by embedding their SDK in their app.<\/p>\n<\/blockquote>\n\n

Update (2017-08-28): Dark Sky<\/a>:<\/p>\n

\n

While the outrage may be warranted, the surprise shouldn’t be. This isn’t just a case of a single company monetizing their customer’s location data in a shady manner; it’s a much larger — and more widespread — phenomenon. How do I know? Because there are entire companies devoted to buying this very data from the countless apps that currently make use of location data, and they contact us all the freakin’ time.<\/em><\/p>\n

[…]<\/p>\n

Because of this, we also believe that Apple and Google should do more to prevent this sort of behavior. They should set — and aggressively enforce — clear App Store rules forbidding the sharing of location data for any<\/em> purposes not directly relevant to the app’s core functionality. If an app is caught breaking this rule, it should be removed from the store. This won’t stop all abuse, but it would, at the very least, put many of these data monetization companies out of the business of tracking where you go.<\/p>\n<\/blockquote>\n\n

Nick Heer<\/a>:<\/p>\n

\n

Here’s the thing, though: Grossman’s suggested response has been in place for years<\/em>. […] All Apple had to do in this case was enforce their own rules. I understand that something will occasionally slip through the cracks and it will sometimes be with a high-profile app, but this is really the sort of thing that should have been caught.<\/p>\n<\/blockquote>\n\n

AccuWeather has removed Reveal Mobile<\/a> but is now sending GPS coordinates to another company<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"

Zack Whittaker: Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn’t have permission to access the device’s precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-02-13T21:55:16Z","apple_news_api_id":"418018e7-ceea-4ff2-b809-6f2475a5092f","apple_news_api_modified_at":"2019-02-13T21:55:16Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AQYAY587qT_K4CW8kdaUJLw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[1561,354,432,31,1380,26,355,196],"class_list":["post-18711","post","type-post","status-publish","format-standard","hentry","category-technology","tag-accuweather","tag-advertising","tag-gps","tag-ios","tag-ios-10","tag-iosapp","tag-privacy","tag-weather"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/18711","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=18711"}],"version-history":[{"count":6,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/18711\/revisions"}],"predecessor-version":[{"id":18749,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/18711\/revisions\/18749"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=18711"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=18711"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=18711"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}