A security researcher has found that the popular weather app sends private location data to a firm that monetizes user locations, without the user's explicit permission.
Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing.
AccuWeather is one of the most popular weather apps in Apple's app store, with a near-perfect four-star rating and millions of downloads to its name. But what the app doesn't say is that it sends sensitive data to a firm designed to monetize user locations without users' explicit permission.
Security researcher Will Strafach intercepted the traffic between an iPhone running the latest version of AccuWeather and the app's servers, and found that even when the app didn't have permission to access the device's precise location, it would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user's device.
We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router's MAC address and public data.
(Image mashup: ZDNet; Mylnikov GEO)
When location sharing is enabled, the app sends the user's down-to-the-meter precise coordinates, including speed and altitude, back to the data firm.
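The check a researcher runs on intercepted app traffic can be expressed as a small audit: with location permission denied, no coordinates and no Wi-Fi identifiers (network name or router MAC address, the location proxy the article describes) should reach a third-party host. The following is an added example written for this article, not code from ZDNet, Strafach, AccuWeather or Reveal Mobile; the host names, JSON field names and request bodies are constructed for illustration and do not reproduce the real app's traffic.

```python
import json
import re
from dataclasses import dataclass

# A MAC/BSSID such as "00:11:22:33:44:55" (colon- or dash-separated).
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

# Field names that carry a precise location, or a proxy for one. These are
# assumed names chosen for the example; a real audit lists what the captured
# traffic actually uses.
PRECISE_KEYS = {"lat", "latitude", "lon", "lng", "longitude", "altitude", "speed"}
PROXY_KEYS = {"ssid", "bssid", "wifi_name", "mac", "router_mac"}


@dataclass
class Request:
    host: str      # destination host of the intercepted request
    body: str      # raw JSON body as captured


@dataclass
class Finding:
    host: str
    kind: str               # "precise" (coordinates) or "proxy" (Wi-Fi identifiers)
    key: str                # dotted path of the offending field
    value: str
    violates_opt_out: bool  # True when the user had location sharing switched off


def _walk(obj, prefix=""):
    """Yield (dotted_key, leaf_value) pairs for a nested JSON value."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def audit(requests, first_party_hosts, location_allowed):
    """Return every third-party request field that reveals the device's location.

    Requests to the app's own hosts are skipped. Each finding is marked as
    violating the user's choice when location sharing is off: in that state
    neither coordinates nor Wi-Fi identifiers should leave the device for a
    third party.
    """
    findings = []
    for req in requests:
        if req.host in first_party_hosts:
            continue
        for key, value in _walk(json.loads(req.body)):
            leaf = key.rsplit(".", 1)[-1].split("[")[0].lower()
            sval = str(value)
            if leaf in PRECISE_KEYS:
                kind = "precise"
            elif leaf in PROXY_KEYS or MAC_RE.search(sval):
                kind = "proxy"
            else:
                continue
            findings.append(Finding(req.host, kind, key, sval, not location_allowed))
    return findings


# Constructed sample capture: one first-party weather request and one request
# to a third-party analytics host carrying Wi-Fi identifiers.
SAMPLE_REQUESTS = [
    Request("api.example-weather.test", json.dumps({"zip": "10001", "units": "F"})),
    Request("sdk.example-datafirm.test", json.dumps({
        "device": {"wifi": {"ssid": "Office-5G", "bssid": "00:11:22:33:44:55"}},
        "ts": 1503000000,
    })),
]
FIRST_PARTY = {"api.example-weather.test"}

if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS, FIRST_PARTY, location_allowed=False):
        print(f"{f.host}: {f.kind} field {f.key}={f.value!r} "
              f"{'VIOLATES opt-out' if f.violates_opt_out else 'permitted'}")
```

Run against the constructed capture with location sharing off, the audit flags both the `ssid` and `bssid` fields sent to the third-party host; with sharing on, coordinate fields are still reported so the reviewer sees exactly what leaves the device, but they are no longer marked as an opt-out violation.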
That's where Reveal Mobile comes in. The data firm isn't an advertiser per se but helps provide data for advertisers. Reveal says it "turns the location data coming out of those apps into meaningful audience data," and "we listen for [latitude and longitude] data and when a device "bumps" into a Bluetooth beacon," according to a brochure on its website.
For its part, Reveal Mobile executives said on a call last week with ZDNet that though the company does collect Wi-Fi data and MAC address information, it "does not use it" for location data.
"Everything is anonymized," said Brian Handley, the company's chief executive. "We're not ever tracking an individual device," but described a situation where his company can point advertising to customers inside a Starbucks location, for example.
According to one AccuWeather executive, Reveal Mobile's technology "has not been in our application long enough to be usable yet."
"In the future, AccuWeather plans to use data through Reveal Mobile for audience segmentation and analysis, to build a greater audience understanding and create more contextually relevant and helpful experiences for users and for advertisers," said David Mitchell, AccuWeather's executive vice president of emerging platforms, on the call.
"Essentially I see a few problems," Strafach said. "AccuWeather gets GPS access under an entirely innocent premise -- no users expect the location data to be used this way."
Several people have tweeted at Strafach in recent days to say they have deleted the app, based on his findings.
"When GPS access is not allowed, the app sends the [Wi-Fi network name] and possibly uses their Bluetooth beacon technology. This seems especially problematic as their website plainly states that use of Wi-Fi information is for geolocation, and that seems a bit over the line for situations where the user pretty clearly does not wish to share their location," he said.
In a blog post detailing his findings, Strafach said that similar opt-out geolocation tracking behaviors have in the past caught the eye of the enforcement arm of the Federal Trade Commission.
A 2016 case saw the FTC bring action against one offending app after it "deceived consumers by presenting them with an option to not share their information, even though it was shared automatically, rendering the option meaningless."
A spokesperson for AccuWeather denied that the cases were similar. "Our legal team does not believe those cases are on point relative to our practices," said the spokesperson.
"This is a quickly evolving legal field and what is best practice one day may change the next; and... we take privacy issues very seriously," the spokesperson said. "We work to have our [terms of service and agreements] as current as the law is evolving and often beyond that which may be legally required to protect the privacy of our users."
Reveal Mobile has since published a statement noting that it follows "all app store guidelines, honoring all device level and app level opt-outs and permissions."
Later in the day, AccuWeather said in a joint follow-up statement with Reveal Mobile that the companies will update their apps and services following ZDNet's report.
"Reveal is updating its SDK and pushing out new versions of the [software kit] in the next 24 hours, with the iOS update going live [Tuesday]," said an AccuWeather spokesperson. "The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing."
"In the meanwhile, AccuWeather had already disabled the [software kit], pending that update," the spokesperson confirmed.