Popular iOS weather app AccuWeather, often listed as a top-ten app in the Weather section of the iOS App Store, has been collecting and forwarding user location information to data monetization company Reveal Mobile even when location sharing is disabled.
The potential breach of privacy was detailed by security researcher Will Strafach on Monday.
Strafach, who monitored data traffic on a test phone running AccuWeather in the background, discovered the app would send packets containing the Wi-Fi router name (SSID) and BSSID to Reveal Mobile every few hours. That data can be cross-checked against publicly available databases that map router names and MAC addresses to physical locations, which is enough to determine a user's whereabouts with relative precision.
Most troubling is that AccuWeather's Wi-Fi and MAC address data gathering operation continues when location services are disabled.
When the app is first installed, users can opt in to location tracking, which allows AccuWeather to push out severe weather alerts, critical updates and "make the app launch faster." According to Strafach, the app logs precise GPS coordinates, including current speed and altitude, router name and MAC address information, and device Bluetooth status when background location services are activated.
For Reveal Mobile, Bluetooth is an important piece of its core technology. As detailed in documentation on its website, the company helps advertisers serve relevant content to consumers by harvesting location data from partner apps.
Reveal Mobile "turns the location data coming out of those apps into meaningful audience data. We listen for lat/long data and when a device 'bumps' into a Bluetooth beacon," the company says.
Users can decline the app's prompts to activate location services, presented at first launch and again when searching for weather in a specific area, to limit the scope of data sent to offsite servers. However, as explained by Strafach, the continued transmission of Wi-Fi router information after opting out undermines that limit.
In a statement to ZDNet, Reveal Mobile said it does not use Wi-Fi and BSSID information for location determination.
"Everything is anonymized," said Brian Handley, CEO of Reveal Mobile. "We're not ever tracking an individual device." He went on to illustrate a situation in which Reveal can use the information to deliver advertisements to customers inside a Starbucks location.
In response to Strafach's revelations, Reveal Mobile issued a public statement clarifying its location tracking technology. The firm maintains that it follows all App Store guidelines and honors device level and app level opt-outs and permissions. In particular, the company says it does not reverse engineer device location based on "other data signals" when a user opts out of location services.
In light of the recent findings, however, Reveal Mobile is releasing a new iOS SDK that "no longer send[s] any data points which could be used to infer location when someone opts out of location sharing."
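The passages above describe two sides of the same problem: a telemetry payload that keeps sending Wi-Fi identifiers after the user opts out of location sharing, and an SDK fix that sends no location-inferable data point once the user has opted out. The following Python is an added example, not code from AccuWeather, Reveal Mobile or the researcher, showing a weak payload builder beside a corrected one and a small audit routine that a tester capturing an app's outbound traffic (as Strafach did) could run over the captured request bodies. The field names, the sample device record and the captured records are constructed assumptions for illustration.

```python
"""Added example (not AccuWeather's or Reveal Mobile's code): an SDK telemetry
payload that leaks location-inferable Wi-Fi identifiers after an opt-out, the
corrected builder, and an audit that flags such fields in captured traffic.

Field names, the device record and the captured records are constructed."""
import json
import re

# Values that state location directly (the GPS data the article describes).
DIRECT_LOCATION_FIELDS = {"lat", "lon", "speed", "altitude"}
# Values that do not look like location data but resolve to a position through
# public SSID/BSSID geolocation databases, which is the article's core point.
INFERABLE_LOCATION_FIELDS = {"ssid", "bssid"}
# A BSSID is a MAC address; catch one even if it travels under another key name.
BSSID_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample device record (locally administered MAC, placeholder id).
SAMPLE_DEVICE = {
    "id": "device-0001",
    "ssid": "HomeNet-5G",
    "bssid": "02:11:22:33:44:55",
    "lat": 40.7, "lon": -74.0, "speed": 0.0, "altitude": 12.0,
}


def build_payload_weak(device, location_opted_in):
    """Before: only the GPS fields are gated on the opt-in. The Wi-Fi
    identifiers ride along unconditionally, which is the behaviour the
    article reports (assumed structure, for illustration)."""
    payload = {"device_id": device["id"],
               "ssid": device["ssid"], "bssid": device["bssid"]}
    if location_opted_in:
        payload.update({k: device[k] for k in DIRECT_LOCATION_FIELDS})
    return payload


def build_payload_fixed(device, location_opted_in):
    """After: an opt-out sends nothing that could be used to infer location,
    which is the behaviour Reveal described for its updated SDK."""
    if not location_opted_in:
        return {"device_id": device["id"]}
    return build_payload_weak(device, True)


def audit_payload(payload, location_opted_in):
    """Return the keys of an outbound payload that should not be present
    when the user has opted out of location sharing (empty set if clean)."""
    if location_opted_in:
        return set()
    leaked = {k for k in payload
              if k in DIRECT_LOCATION_FIELDS or k in INFERABLE_LOCATION_FIELDS}
    leaked |= {k for k, v in payload.items()
               if isinstance(v, str) and BSSID_RE.match(v)}
    return leaked


def audit_capture(records, location_opted_in):
    """Audit a list of captured outbound requests (constructed shape:
    {"host": ..., "body": <JSON string>}) and return one finding per request
    that carries location-inferable data after an opt-out."""
    findings = []
    for rec in records:
        leaked = audit_payload(json.loads(rec["body"]), location_opted_in)
        if leaked:
            findings.append({"host": rec["host"], "fields": sorted(leaked)})
    return findings


# Constructed capture: one request from the weak builder, one from the fixed.
SAMPLE_CAPTURE = [
    {"host": "sdk.example.invalid",
     "body": json.dumps(build_payload_weak(SAMPLE_DEVICE, False))},
    {"host": "sdk.example.invalid",
     "body": json.dumps(build_payload_fixed(SAMPLE_DEVICE, False))},
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE, location_opted_in=False):
        print("location-inferable fields sent after opt-out:", finding)
```

The audit deliberately keys on both field names and value shape: an SDK that renames `bssid` to something innocuous still produces a MAC-formatted string, and the cross-check against public router databases works on the value, not the label.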
For its part, AccuWeather vice president of emerging platforms David Mitchell said the company plans to "use data through Reveal Mobile for audience segmentation and analysis, to build a greater audience understanding and create more contextually relevant and helpful experiences for users and for advertisers."
Following Strafach's blog post, a number of AccuWeather users abandoned the app over privacy concerns. As of this writing, the weather app stands in the No. 6 spot in the Weather section of the App Store.
Update: In a statement to AppleInsider, AccuWeather confirms Wi-Fi network information was available for "a short period" on the Reveal SDK, but went unused by the app. Whether that same data was used by Reveal Mobile was left unmentioned.
The statement in full:
Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.
Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.
AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.
To avoid any further misinterpretation, Reveal is updating its SDK and pushing out new versions of the SDK in the next 24 hours, with the iOS update going live tonight. The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending that update.
Reveal has stated that the SDK could be misconstrued, and they assure that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent.
AccuWeather will work with Reveal to restore the SDK when it has been amended and will continue to update its ULAs to be transparent and current with evolving standards. AccuWeather and Reveal continue to enhance methods for handling data and strive to provide superior, seamless, and secure user experiences.
We are grateful to have a supportive community that highlights areas where we can optimize and be more transparent.