Security researcher Will Strafach has discovered that AccuWeather, one of the most popular weather apps, is sending its users’ private location data to a firm designed to monetize user locations, even when location sharing is off. Strafach intercepted the traffic between an iPhone running the latest version of AccuWeather and its servers, and found that the data was being sent to data monetization firm RevealMobile every few hours.
He revealed that the app sends your precise GPS coordinates, including current speed and altitude; the name and “BSSID” of the Wi-Fi router you are currently connected to, which can be used for geolocation through various online services; and whether your device has Bluetooth turned on or off. All this data is sent to RevealMobile, a firm which claims to “Convert mobile location signals into high value audiences. You generate more mobile revenue, with or without ads”.
The “location data coming out of those apps” would be your precise GPS coordinates (access granted under a more reasonable guise of weather alerts) and your Wi-Fi router name/BSSID. If you do not grant AccuWeather access to your GPS information, it will still send your Wi-Fi router name and BSSID, giving RevealMobile less precise information about your device’s whereabouts. This practice by a different company appears to have previously caught the attention of the FTC.
Several people have tweeted at Strafach in recent days to say they have deleted the app, based on his findings. Meanwhile, RevealMobile has also published a statement noting that it follows “all app store guidelines, honoring all device level and app level opt-outs and permissions”.