Accuweather Ios App Misleads Users As It Sends Location Data Even When Denied Access

Update #2: AccuWeather has released a joint statement with Reveal Mobile. From the statement:

Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.

AccuWeather on iOS may be violating Apple’s developer agreement as well as user trust, a new security audit reveals. Will Strafach, a security researcher, discovered that the iOS weather app is potentially sending out the identifiable user and device information to a third-party company even when location data sharing is denied.

Over the years, user data collection has become somewhat of an expected experience with free mobile applications. By collecting user data, and selling it, companies are able to keep themselves funded and offer free applications. The issue then comes down to when those applications don’t properly disclose how and what data is being collected.

In Strafach’s research, he discovered that AccuWeather is collecting data through a third-party company’s SDK. This SDK, provided by Reveal Mobile, is marketed as a way to “help app publishers and media companies extract the maximum value from their location data.” If a user were to download and allow AccuWeather to use their location data they would unknowingly also share the following to Reveal Mobile:

• Their device’s precise GPS coordinates
• The name of the Wi-Fi network they are connected to
• Whether or not their Bluetooth is enabled

Of course, much of this data collection is covered by AccuWeather’s Privacy Statement.

The policy technically covers a situation in which a user downloads the application, and accepts sharing location data. The user should then have an expectation that they may or may not be sharing personally identifiable information.

You may be asked for information which is not considered PII, such as a zip/postal code and/or country of origin.

The dichotomy in the situation that Strafach discovered is that if a user were to deny the iOS location sharing request, Reveal Mobile will still receive potentially identifiable information. Specifically, they would know the user’s Wi-Fi network SSID and could then track geolocation using Bluetooth beacons.

If a user denies sharing their location data with iOS’ location sharing request prompt, then the expectation is that no location data is being shared at all. As of AccuWeather’s latest 10.5.2 version, a user could deny sharing their location and yet still be sharing unknowingly.

By denying geolocation data, users should be made explicitly aware that their location data may still be tracked as covered under AccuWeather’s Privacy Statement.

Using this data collection, Reveal Mobile is able to map out user interactions to create what they call “high-value audiences.” The issue here is to what extent this user data is anonymous. As Strafach notes, “This practice by a different company appears to have previously caught the attention of the FTC.”

Image: AccuWeather