New research shared with 9to5Mac claims that more than two dozen iOS apps including weather and fitness trackers contain code that covertly shares user location and other information with data monetization firms. These apps have been available on the App Store despite Apple’s strong policies on privacy and protecting customer data. There are steps users can take to mitigate data exposure to these monetization firms when using affected apps — or you can avoid affected apps altogether.
9to5Mac Happy Hour
According to Sudo Security Group’s GuardianApp, an effort led by security researcher Will Strafach, several popular iOS apps “have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms.” The security report claims that in some instances these apps have been used to send constantly updated GPS coordinates to companies that make money from acquiring and selling customer data.
iOS gives users granular control over which apps have access to location data, but affected apps included in the security report rely on location for features like local weather reports and accurate fitness tracking. Users should reasonably expect to grant these apps location access without data monetization firms acquiring shared data.
In order to gain initial access to precise data from the mobile device’s GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation.
All location data monetization firms listed on this page collect one or more of the following data points:
- Bluetooth LE Beacon Data
- GPS Longitude and Latitude
- Wi-Fi SSID (Network Name) and BSSID (Network MAC Address)
In addition, some firms also collect the following types of less sensitive device information:
- Accelerometer Information (X-axis, Y-axis, Z-axis)
- Advertising Identifier (IDFA)
- Battery Charge Percentage and Status (Battery or USB Charger)
- Cellular Network MCC/MNC
- Cellular Network Name
- GPS Altitude and/or Speed
- Timestamps for departure/arrival to a location
Apps that contain tracking code according to the security report include 24 notable apps like GasBuddy, MyRadar NOAA, and PayByPhone Parking as well as a run tracking app C25K 5K Trainer. Each of the affected apps are available on the App Store and have received thousands of customer ratings that show their popularity.
GaurdianApp’s research points to 12 data monetization firms that collect user data including RevealMobile which has previously been accused of over collecting location data through popular weather apps. The report adds that nearly 100 regional news apps have previously used code from RevealMobile that shares information with the data monetization firm.
For Apple’s part, the App Store has policy that has been actively enforced to prevent apps from misleading users into granting location data access for the purpose of sharing it with third-parties.
Legal – 5.1.1 and Legal 5.1.2
The app transmits user location data to third parties without explicit consent from the user and for unapproved purposes.
For now, users can either avoid apps that may be using customer data for nefarious purposes or use Apple’s built-in tools for controlling which apps have access to location data. GuardianApp’s report offers these steps to potentially mitigate sharing user data with third-party firms:
- Go to Settings > Privacy > Advertising and turn on Limit Ad Tracking in order
- to make uniquely identification of your iOS device more difficult for location trackers.
- Use a very generic name for the SSID of your home Wi-Fi router (eg. “home-wifi-1”).
- Turn off Bluetooth functionality when it is not in use.
Apple did not respond to request for comment when asked about the new research report. GuardianApp’s security report can be read in full at GuardianApp.com.
Subscribe to 9to5Mac on YouTube for more Apple news: