During preparation for a workshop at DEF CON in August on locating privacy leaks in network traffic, we discovered a number of applications on both iOS and Android that were broadcasting precise location data back to the applications’ developers—in some cases in unencrypted formats. Research released late Friday by Sudo Security’s Guardian mobile firewall team provided some confirmation of our findings—and demonstrated that many apps are sharing location data with firms that market location data without the users’ knowledge.
In a blog post entitled “Location Monetization in iOS Apps,” the Guardian team detailed 24 applications from the Apple iOS App Store that pushed data to 12 different “location-data monetization firms”—companies that collect precise location data from application users for profit. The 24 identified applications were found in a random sampling of the App Store’s top free applications, so there are likely many more apps for iOS surreptitiously selling user location data. Additionally, the Guardian team confirmed that one data-mining service was connected with apps from over 100 local broadcasters owned by companies such as Sinclair, Tribune Broadcasting, Fox, and Nexstar Media.
While some of these applications use location data from various sources as part of their service—several were weather applications, and one was a fitness tracker—others use location mostly “for providing you more relevant ads.” None explicitly stated that data was being shared with a third party.
GPS-based location services can be relatively easily managed on iOS devices and can be turned completely off for specific applications or in general. It’s also possible in iOS to limit ad tracking under iOS’ Privacy settings. But other methods of geolocation, including tracking nearby Wi-Fi networks and Bluetooth Low Energy (BLE) beacons, are less obvious—but potentially even more accurate. The applications identified by the Guardian team—some of them repackaged under multiple names for broadcasters’ mobile apps—passed along some or all of these types of geolocation information and in some cases collected:
- Accelerometer information (X-axis, Y-axis, Z-axis)
- The iOS device’s unique Advertising Identifier (IDFA)
- Battery-charge percentage and status (Battery or USB Charger)
- The cellular network’s mobile country code (MCC) and mobile network code (MNC)
- The name of the cellular network
- GPS altitude and/or speed
- Timestamps for arrival and departure at a specific location
Data points like these are used by firms such as InMarket to track retailers that an app user has visited (or stopped visiting). Cellular network data can be used for geolocation on its own, and other aspects of the device can be used to “fingerprint” the user across applications, as well as monitor behavior in certain locations. Ars was able to confirm samplings of Sudo Security’s data independently.
In addition to these sorts of revenue-generating location-data leaks, Ars found some iOS applications using location data for legitimate purposes that were leaking location data in plaintext API requests. For example, while Weather Underground’s Wunderground application passes a great deal of its data using TLS encryption, the app sends precise latitude and longitude coordinates, which could be used to calculate the app user’s position, as part of an unencrypted HTTP request to the application’s server.
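The following added example (not code from Ars or the Guardian team) sketches how request URLs exported from an intercepting proxy can be audited for the data points listed above, separating requests that left the device without TLS from those that did not. The hostnames, parameter names and values are constructed for illustration; real apps and SDKs use their own field names.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical query-parameter names (assumptions, not taken from any real app).
COORD_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
CARRIER_KEYS = {"mcc", "mnc"}
IDFA_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")
DECIMAL_RE = re.compile(r"-?\d{1,3}\.(\d+)")


def is_precise_coord(value):
    """True for decimal degrees in range with at least 4 decimals (about 11 m)."""
    m = DECIMAL_RE.fullmatch(value)
    return bool(m) and len(m.group(1)) >= 4 and abs(float(value)) <= 180


def audit_request(url):
    """Return a finding for one request URL, or None if nothing sensitive is sent."""
    parts = urlsplit(url)
    fields = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        k = key.lower()
        if k in COORD_KEYS and is_precise_coord(value):
            fields.append(k)
        elif k == "idfa" and IDFA_RE.match(value):
            fields.append(k)
        elif k in CARRIER_KEYS and value.isdigit():
            fields.append(k)
    if not fields:
        return None
    return {"host": parts.hostname,
            "cleartext": parts.scheme == "http",  # sent without TLS
            "fields": sorted(fields)}


def audit(urls):
    """Audit many URLs and keep only the requests that produced a finding."""
    return [f for f in map(audit_request, urls) if f]


# Constructed sample requests; none of these hosts or values are real.
SAMPLE = [
    "http://api.weather.example.test/v1/forecast?lat=12.345678&lon=-98.765432&units=e",
    "https://sdk.adnet.example.test/collect?idfa=00000000-1111-2222-3333-444444444444"
    "&mcc=310&mnc=260&latitude=12.3456&longitude=-98.7654",
    "https://cdn.example.test/img?lat=1&w=320",  # coarse value, not flagged
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding with `cleartext` set to true is readable by anyone on the network path; one with `cleartext` false is protected in transit but still shows which third-party host receives the data.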