AccuWeather’s iOS app may be up to something fishy. Security researcher Will Strafach published a warning about the popular weather app’s behavior on Medium and users appear to be paying attention.

Will Strafach (@chronic), 22 Aug: "maybe more of an issue with AccuWeather than Reveal, but I also don't think sharing your location to get local alerts counts as opting in."

Will Strafach (@chronic), 10:09 PM - Aug 22, 2017: "I would find this less concerning if the AccuWeather's permission dialog mentioned tracking your home/work location, where you travel, etc."

According to Strafach’s Medium post, the AccuWeather app requests location permission from users not to provide customized location-based weather data but to send some quite specific geodata to a third-party company called RevealMobile. That includes: “Your precise GPS coordinates, including current speed and altitude. The name and “BSSID” of the Wi-Fi router you are currently connected to, which can be used for geolocation through various online services. Whether your device has bluetooth turned on or off.”

Will Strafach (@chronic), 8:12 AM - Aug 22, 2017: "yes, if you don’t allow GPS access, still sends Wi-Fi BSSID and apparently uses Bluetooth beacons for geolocation. https://twitter.com/GeorgeHappens/status/899785781585354753 …"

Notably, turning off location data for AccuWeather doesn’t do much to limit the app’s reach. As Strafach’s Medium post notes, “If you do not grant AccuWeather access to your GPS information, it will still send your Wi-Fi router name and BSSID, providing RevealMobile access to less precise location information regarding your device’s whereabouts. This practice by a different company appears to have previously caught the attention of the FTC.”

RevealMobile appears to specialize in mobile revenue and leveraging location data for ad targeting.
“The value lies in understanding the path of a consumer and where they go throughout the day,” the company explains in a blog post on its homepage. “Traveling from home to work to retail to soccer practice to dinner is vital to knowing the customer, and represents the new opportunity of mobile location data.”

Will Strafach (@chronic), 10:15 PM - Aug 22, 2017: "finally: it is not just RevealMobile doing this. there are at least two other companies quietly collecting similar info using embedded code."

For anyone privacy-aware, this practice likely won’t come as a shock, but it’s still unsettling. AccuWeather is a popular forecast app, and one that users might trust to use their location for weather-related purposes rather than third-party data sales. As Strafach notes, AccuWeather isn’t alone in sharing this kind of tracking data without being transparent about it. Still, that doesn’t change a bad privacy policy — and it doesn’t make the users taking to Twitter to express their outrage any less creeped out.

TechCrunch has reached out to AccuWeather for more insight and will update the story as it develops.

Update: AccuWeather sent TechCrunch the following statement.

Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.

Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.
AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.

To avoid any further misinterpretation, while Reveal is updating its SDK, AccuWeather will be removing the Reveal SDK from its iOS app until it is fully compliant with appropriate requirements. Once reinstated, the end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending removal of the SDK and then later reinstatement.

Reveal has stated that the SDK could be misconstrued, and they assure that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent.

AccuWeather will update its practices, communications and ULAs to be transparent and current with evolving standards. AccuWeather and Reveal continue to enhance methods for handling data and strive to provide superior, seamless, and secure user experiences. We are grateful to have a supportive community that highlights areas where we can optimize and be more transparent.