AccuWeather Caught Sending User Location Data, Even When Location Sharing Is Off

Zack Whittaker, reporting for ZDNet:

Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing. […]

Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn’t have permission to access the device’s precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user’s device.

We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router’s MAC address and public data.

In other words, if you deny AccuWeather permission to use the Location Services APIs on you iPhone, they’ll go around your back and send your Wi-Fi router name and the router’s MAC address to these shitbirds at Reveal Mobile, and they maintain a database that maps Wi-Fi routers to locations.

To me this is a one strike and you’re out situation. Apple should remove this version of the AccuWeather app from the App Store, and any of you reading this who have it installed should delete it from your devices and never re-install it. How can you trust them? There are plenty of excellent weather apps in the App Store that would never blatantly abuse your privacy like this. Off the top of my head: Dark Sky, Weather Line, and Carrot, to name just three. Also, the built-in Weather app that comes with iOS is really good and has gotten a lot better in the last few years.

Tuesday, 22 August 2017