The AccuWeather app for iOS may be doing more than sending real-time weather updates and forecasts to users; it has also been transmitting their sensitive location information to a third-party data monetization firm without their consent.
Security researcher Will Strafach published a warning on Medium yesterday notifying iPhone users that the AccuWeather app appears to be sending information regarding their whereabouts to RevealMobile, a firm that sells location data to retailers and advertisers. He also found that this unsettling practice seems to occur even when users have specifically refused to grant the mobile weather app access to their location.
AccuWeather is a hugely popular app with millions of downloads and a near-perfect, four-and-a-half star rating on iTunes. The iOS app requests location access ostensibly for the purpose of providing better service, including alerts to severe weather in the area, critical updates, and faster app launch times. If users allow access, Strafach found, AccuWeather would send RevealMobile “precise GPS coordinates, including current speed and altitude”, the name and BSSID of the Wi-Fi router you’re connected to, and even information about whether or not you have Bluetooth activated.
Even when the app is not granted permission to access location data, Strafach reported that it would still transmit the name of the Wi-Fi router a device is connected to, as well as its BSSID, to RevealMobile. These bits of data would still allow the data monetization firm to determine your device’s approximate whereabouts.
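The behaviour described above can be checked from a traffic capture. The following is an added example, not code from Strafach's write-up or from either company: it audits decoded request bodies for Wi-Fi and GPS fields and raises the severity when the user has denied location access. The JSON layout, key names, hosts and sample bodies are assumptions constructed for illustration.

```python
import json
import re

# A BSSID is the access point's MAC address: six hex octets.
BSSID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
WIFI_KEYS = {"ssid", "bssid"}  # assumed key names
GPS_KEYS = {"lat", "latitude", "lon", "lng", "longitude", "altitude", "speed"}  # assumed

def walk(node, path=""):
    """Yield (path, value) for every scalar in a decoded JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node

def audit_request(host, body_text, location_permitted):
    """Flag location-revealing fields in one captured request body."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return []  # non-JSON bodies need their own decoder
    findings = []
    for path, value in walk(body):
        leaf = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1]).lower()
        if leaf in WIFI_KEYS or (isinstance(value, str) and BSSID_RE.match(value)):
            kind = "wifi"
        elif leaf in GPS_KEYS and isinstance(value, (int, float)) and not isinstance(value, bool):
            kind = "gps"
        else:
            continue
        # Wi-Fi identifiers locate a device even without the OS location permission.
        severity = "info" if location_permitted else "high"
        findings.append({"host": host, "field": path, "kind": kind, "severity": severity})
    return findings

def audit_capture(capture, location_permitted):
    """Audit a list of (host, body_text) pairs from a proxy capture."""
    return [f for host, body in capture for f in audit_request(host, body, location_permitted)]

# Constructed sample capture (hosts and bodies are made up for illustration).
SAMPLE_CAPTURE = [
    ("sdk.example.invalid", '{"device":{"os":"ios"},"wifi":{"ssid":"HomeNet","bssid":"a4:2b:b0:11:22:33"}}'),
    ("api.example.invalid", '{"query":"forecast","zip":"00000"}'),
]
```

Run it over a capture taken with location access denied: any `high` finding is a field that can place the device despite the user's choice.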
According to RevealMobile’s website, the company’s “technology sits inside hundreds of apps across the United States. It turns the location data coming out of those apps into meaningful audience data. We listen for [latitude/longitude] data and when a device “bumps” into a Bluetooth beacon.”
This data is valuable to retailers, RevealMobile argues, because tracking the daily routines of people as they travel from “home to work to retail to soccer practice to dinner” can help businesses “target consumers with a high propensity to visit”.
Strafach’s findings were independently corroborated by ZDNET, which also reached out to RevealMobile and AccuWeather for comment.
RevealMobile noted that the location data is grouped into audience segments in order to, for example, target advertising to customers at a Starbucks location. “Everything is anonymized,” Brian Handley, RevealMobile’s CEO, told ZDNET. “We’re not ever tracking an individual device.”
AccuWeather told ZDNET that the company hasn’t used RevealMobile’s technology yet. “In the future, AccuWeather plans to use data through Reveal Mobile for audience segmentation and analysis, to build a greater audience understanding and create more contextually relevant and helpful experiences for users and for advertisers,” said David Mitchell, AccuWeather’s executive vice president of emerging platforms.
In a later statement to Techcrunch, AccuWeather claimed that it was unaware that it had access to the Wi-Fi network information of users who had opted out of location tracking:
“Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.”
The statement goes on to announce that “AccuWeather will be removing the Reveal SDK from its iOS app until …zero data is transmitted back to Reveal Mobile when someone opts out of location sharing.”
Even putting aside the problematic practice of sending the Wi-Fi information of users who have not allowed it, Strafach argues that users who opt in to location tracking are not aware that their GPS information is being used for advertising. It appears that many people have heeded his warning and begun uninstalling the AccuWeather app.