AccuWeather is sneakily tracking your location data, even if you turn off the location access to the app. After getting called out by a security researcher, the company is going to knock it off...
Security researcher Will Strafach discovered that AccuWeather’s iOS app partners with a service called Reveal Mobile, which uses an iPhone’s Wi-Fi connection to track its precise location—even if the user has specifically opted out of sharing their location with AccuWeather.
In his research, Strafach discovered that the app tracks:
- Your precise GPS coordinates, including current speed and altitude.
- The name and “BSSID” of the Wi-Fi router you are currently connected to, which can be used for geolocation through various online services.
- Whether your device has Bluetooth turned on or off.
Strafach found that his test device was sending location data to Reveal Mobile every few hours during a 36-hour test period. Reveal Mobile’s website says it uses this location information to drive marketing campaigns to app users as they commute, eat out, or go shopping.
Tracking users' information without permission is really lame. A good privacy rule is: if the information you are collecting is not obvious to your users, then you probably should not be collecting it!
AccuWeather claimed in a recent report that it is working on the issue and that it will update the app. You can read the update here:
Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.
Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.
AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.
To avoid any further misinterpretation, while Reveal is updating its SDK, AccuWeather will be removing the Reveal SDK from its iOS app until it is fully compliant with appropriate requirements. Once reinstated, the end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending removal of the SDK and then later reinstatement.
Reveal has stated that the SDK could be misconstrued, and they assure that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent.
AccuWeather will update its practices, communications and ULAs to be transparent and current with evolving standards. AccuWeather and Reveal continue to enhance methods for handling data and strive to provide superior, seamless, and secure user experiences.
We are grateful to have a supportive community that highlights areas where we can optimize and be more transparent.