Ever use AskFM on your iPhone? Or beauty app Perfect365? What about the NOAA Weather Radar for iOS? If yes, you’re one of millions of Apple iPhone users who’ve likely had their location data sold via the apps.
They’re just three of 24 popular iOS tools that either once contained or still contain code that extracts location data to be sold for profit. That’s according to a report from Will Strafach, an iPhone security researcher and founder of GuardianApp, who warned of the privacy threat Friday.
Strafach investigated apps sold on the Apple App Store, looking for code from so-called “data monetization” companies. He believes they’re “covertly” taking users’ locations and selling them on to marketers, retailers and other interested partners. The information can then inform where and how best to deliver ads, or can be used in analytics products designed to inform sales and marketing strategies.
“The biggest concern is breach of trust,” Strafach told Forbes. “If an app says it would like you to allow access to Location Services for one thing, then sends your location data off to a company throughout the day in exchange for compensation, many would find that highly problematic.
“Most have not heard of these data firms and are having this data unknowingly collected.”
The full list of apps that have run the location tracking code and the companies making money from it can be found here.
Apple hadn’t responded to a request for comment at the time of publication.
The coders responsible for the apps and the location data monetization have different opinions to Strafach on just how “covert” they’re being.
On sign up, Forbes found the AskFM iPhone app showed a notification telling the user they can either accept the location tracking or see ads within the app.
Huq’s chief marketing officer Alexander Fairfax said the company has a “very stringent on-boarding and approval process, which (per our partner agreement) requires them to detail what data they share with us and why.” Huq ensures the data is anonymized and is then used to provide research and analytics tools to clients in property, retail, finance and marketing. It doesn’t work in the ad space.
Brandon Bennett, CEO and co-founder at AreaMetrics, said the company was using AskFM to collect anonymized location information from Bluetooth beacons in retail stores. So when a user was in a store with a beacon, AreaMetrics would know they’d been there. That information could then be passed on to ad providers to better target their marketing. Bennett said AskFM made it clear to users it passed location information to AreaMetrics and claimed his company was trying to ensure customer privacy. As an example, he said that the company already required new partners to only detect Bluetooth beacon store visits without GPS coordinates.
But Strafach thinks the data companies should disclose how they share locations within notifications sent directly to the user, rather than in privacy policies that individuals have to navigate to. Currently, many do not, he claimed.
A spokesperson from the company behind NOAA Weather Radar, Apalon, said it had only briefly trialled the use of such location tracking earlier this year and gave users clear notice. The company said that when the test finished in April, it removed all tracking code associated with the providers, which, according to Strafach, included Factual, Sense 360 and Teemo. “We do not have a relationship with any of these companies and do not sell our customers’ data to anyone,” the Apalon spokesperson said.
Perfect365, which claims to have tens of millions of users, had used at least eight different location trackers, Strafach said. A spokesperson for the company didn’t have much to say on his findings. “Perfect365’s technology as well as their third party relationships are under strict NDA guidelines so we are unable to discuss. Perfect365 also publicly discloses their privacy policies on their website,” a spokesperson said.
This isn’t the first time such location tracking has caused a stir. Earlier this year, Accuweather decided to briefly remove code from location monetization partner Reveal Mobile, after a researcher found the latter’s code in the iOS weather app. That was because Accuweather was unaware Reveal was collecting Wi-Fi network data, amongst other information from iPhones. The companies denied claims that location would still be tracked even if the user had opted out.
But it’s not just the legal use of location data that has Strafach anxious. He also raised concerns about the potential for a major security breach at one of the location tracking businesses. “Even if they are truly responsible with the data, one data monetization firm getting hacked could mean millions of location histories being stolen.”