Mobile app security researcher Will Strafach (@chronic on Twitter) has revealed that the AccuWeather app is unethically obtaining information about users with and without their consent and, worse, selling it to a third party.
According to Strafach's post on Medium, the AccuWeather app does this by deceitfully requesting location permission from users under the guise of providing customized, location-based weather data. In practice, AccuWeather collects this data, uses it, and subsequently sells it to a third-party company known as RevealMobile.
Once the AccuWeather iOS app is granted access to your location information, Strafach says, it sends the following set of information to the data monetization firm Reveal (revealmobile.com):
- Your precise GPS coordinates, including current speed and altitude.
- The name and “BSSID” of the Wi-Fi router you are currently connected to, which can be used for geolocation through various online services.
- Whether your device has Bluetooth turned on or off.
To back up his claims, Strafach tested the AccuWeather app on an iPhone for a total period of 36 hours. During the test period, the AccuWeather app was not opened (not run in the foreground), and yet the test device sent the information listed above to Reveal a total of 16 times, an average of once in two hours.
RevealMobile is an information monetization firm that trades location information of Internet users for revenue. The company boasts that it can determine where users live, where they shop, where they go from home, where they have soccer practice, and where they travel. Basically, Reveal knows everywhere you go… and the AccuWeather iOS app is the snitch.
Apparently, RevealMobile trades this information to ad companies to enable accurate ad targeting and reach the right audiences.
“The value lies in understanding the path of a consumer and where they go throughout the day,” Reveal says in a blog post on its website.
Did not grant the AccuWeather app location access? That makes no difference either.
“If you do not grant AccuWeather access to your GPS information, it will still send your Wi-Fi router name and BSSID, providing RevealMobile access to less precise location information regarding your device’s whereabouts. This practice by a different company appears to have previously caught the attention of the FTC,” Strafach notes.
AccuWeather has come out to dispute some of the claims made by Strafach. While it did not deny sending location information about users to RevealMobile, it said that some of the information obtained about a user was not used by the company but may have been used by Reveal.
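For readers who want to check an app on their own device, the following is an added example, not code from Strafach's post: it audits an intercepted traffic log for requests to non-first-party hosts that carry the kinds of data listed above, including the Wi-Fi-only case, and reports how often they occur. The host names, JSON key names and capture records are constructed for illustration; a real SDK may name or encode these fields differently.

```python
import json
from urllib.parse import urlsplit

# Constructed key names: a real SDK may name or encode these fields differently.
SIGNALS = {
    "gps": {"latitude", "longitude", "speed", "altitude"},
    "wifi": {"ssid", "bssid"},
    "bluetooth": {"bluetooth_enabled"},
}

def walk_keys(obj):  # yields every key of a nested JSON value, lower-cased
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield key.lower()
            yield from walk_keys(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from walk_keys(item)

def audit(records, first_party):
    """Return third-party requests whose JSON body carries location signals."""
    findings = []
    for rec in records:
        host = urlsplit(rec["url"]).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # the app's own backend is expected to receive location
        try:
            keys = set(walk_keys(json.loads(rec["body"])))
        except (TypeError, ValueError):
            continue  # non-JSON bodies need a different decoder
        kinds = [name for name, wanted in SIGNALS.items() if keys & wanted]
        if kinds:
            findings.append({"time": rec["time"], "host": host, "kinds": kinds})
    return findings

def mean_interval_hours(findings):
    """Average gap between flagged requests in hours (None if fewer than two)."""
    times = sorted(f["time"] for f in findings)
    if len(times) < 2:
        return None
    return (times[-1] - times[0]) / 3600 / (len(times) - 1)

# Constructed capture: seconds since test start, request URL, request body.
CAPTURE = [
    {"time": 0, "url": "https://api.weatherapp.example/v1/forecast", "body": '{"latitude": 40.7, "longitude": -74.0}'},
    {"time": 3600, "url": "https://sdk.tracker.example/v2/event", "body": '{"loc": {"latitude": 40.7, "longitude": -74.0, "speed": 0, "altitude": 12}, "wifi": {"ssid": "HomeNet", "bssid": "00:11:22:33:44:55"}, "bluetooth_enabled": true}'},
    {"time": 10800, "url": "https://sdk.tracker.example/v2/event", "body": '{"wifi": {"ssid": "HomeNet", "bssid": "00:11:22:33:44:55"}, "bluetooth_enabled": false}'},
    {"time": 12000, "url": "https://ads.adnet.example/bid", "body": '{"slot": "banner"}'},
]
```

Calling `audit(CAPTURE, "weatherapp.example")` flags the two requests to the constructed tracker host, the second of which carries Wi-Fi and Bluetooth data with no GPS fields, which is the pattern to look for after denying location permission.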
“Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.
Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather.”
Strafach went on to disclose in his findings that AccuWeather was not the only one guilty of this crime; other apps, such as the Frank’s Forecast Weather App from KPRC 2, were also culprits.
Now to the big question. Are there other apps out there that have the Reveal component in them? Or is it only the AccuWeather app?
To keep our fears down, Strafach has promised to continue his research into apps and companies that have the Reveal location-based tracking code embedded in them.