Wednesday, 23 August 2017

If You Don’t Want AccuWeather Sharing Your Location Even When You’re Not Using It, Update Your App Now

We’ve all been there: You download a new app to your phone or tablet and are asked to share your location data — even when you’re not using the service. In most cases, you can say no and go about your day knowing that the app isn’t following your every move. But that’s apparently not the case with AccuWeather, as security researchers say the app is accessing users’ location data even when they turn off location services.

Security Analyst Will Strafach on Tuesday sounded the alarm bells claiming that AccuWeather’s iOS app sends users’ personal location information to a data monetization firm, despite leading customers to believe that wouldn’t happen.

According to Strafach, AccuWeather sends a different, less accurate set of information to Reveal Mobile, a company that converts mobile location information into data that can be used by advertisers to better target their audience.

Granting Access

When a user downloads and opens the AccuWeather app they are asked if they will allow the service to access their location even when they are not using the app.

This, AccuWeather notes in a popup window, allows the service to alert users to “severe weather in your area, provide critical updates, make the app launch faster, and more!”

Strafach claims that “more” includes sending information to Reveal Mobile every few hours. Over a period of 36 hours, the researcher says the app sent his GPS location, the name of his WiFi router, and whether or not his device has Bluetooth turned on or off to Reveal Mobile 16 times.

Access Denied

While you might think that denying access to your location data would prevent an app from gathering information on your whereabouts, that’s not the case, Strafach claims. Users who don’t give AccuWeather permission to use their location data still have some of their information passed on to Reveal Mobile.

Strafach found that these users’ WiFi router names and their unique MAC addresses were sent to Reveal Mobile. While this data isn’t as precise as true location data, it can still be correlated with public data to reveal an approximate location of a user’s device.

What’s The Problem?

Although many consumers share their location data with apps and services frequently, Strafach notes that the way in which AccuWeather presents this sharing is concerning.

He tells ZDNet that while AccuWeather gets “GPS access under an entirely innocent premise” — that it will provide alerts to weather changes and better track weather near users — users likely have no expectation that this data would also be used to target advertisements.

“This seems especially problematic as their website plainly states that use of WiFi information is for geolocation, and that seems a bit over the line for situations where the user pretty clearly does not wish to share their location,” he said.

In a joint statement released Tuesday, AccuWeather and Reveal Mobile addressed the concerns related to the iOS app.

“Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user,” the companies said.

AccuWeather adds that data such as WiFi network information was for a short period available to Reveal, but was unused by AccuWeather.

For its part Reveal notes that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent.

“AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry,” the companies said. “We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.”

To that end, AccuWeather said it would remove the Reveal data sharing form its iOS app until Reveal updates the system.

Once the system is reinstated, AccuWeather says that “zero data is transmitted back to Reveal Mobile when someone opts out of location sharing.”

A look at the AccuWeather app in the Apple store shows that the service was updated for “performance improvements” Tuesday.


by Ashlee Kieler via Consumerist

No comments:

Post a Comment