AccuWeather, one of the most popular weather apps on the Apple App Store with millions of downloads, has been found to be accessing users’ location data without their explicit permission and sending it to a third-party data monetization firm.
As pointed out by security researcher Will Strafach, AccuWeather asks the user to allow the application to access the device’s location even when the app isn’t being used, in order to get updates quicker and reduce app launch time.
Strafach found that once a user grants this location permission, the application starts sending pieces of information to ‘revealmobile(.com)’.
This information includes GPS coordinates, current speed, and altitude; the name and BSSID of the Wi-Fi router the device is currently connected to; and whether the device has Bluetooth turned on or off.
Strafach intercepted the data leaving his iPhone and found that over a period of 36 hours, the AccuWeather app, running in the background, sent the aforementioned information to RevealMobile every few hours, for a total of 16 transmissions.
According to RevealMobile’s website, they “convert mobile location signals into high-value audiences”. This helps the companies associated with RevealMobile to generate more revenue with or without ads.
“Location data also informs the home and work location of customers. Pairing this information with existing demographic targeting criteria allows retailers to target consumers with a high propensity to visit based upon two of their most relevant locations,” RevealMobile’s website reads.
This means that the AccuWeather app was actively transmitting your location data to the website, which in turn was monetizing the data by providing it to interested parties like retailers and advertisers.
“We listen for lat/long data and when a device ‘bumps’ into a Bluetooth beacon,” the website adds.
AccuWeather isn’t an isolated case, either. RevealMobile’s website also claims that its service runs on hundreds of mobile applications across the United States.
One other weather app that exhibited similar patterns of data transmission to RevealMobile is Frank’s Forecast Weather App from KPRC 2.
The AccuWeather app or RevealMobile might not have malicious intentions, but the way they are procuring user information, without users’ explicit consent and knowledge, seems to be incorrect.
According to a ZDNet report, both AccuWeather and RevealMobile will be updating their apps and services following this revelation.
Update: “If a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user,” AccuWeather and RevealMobile told Guiding Tech.
In the joint statement to Guiding Tech, the companies revealed that Wi-Fi network information “that is not user information” was available on the Reveal SDK for a short period but AccuWeather was unaware of any such data and at no point used that data for any purpose.
“We recognize this is a quickly evolving field and what is the best practice one day may change the next. To avoid any further misinterpretation, Reveal is updating its SDK and pushing out new versions of the SDK in the next 24 hours, with the iOS update going live tonight.”
Following the update, no data will be transmitted to RevealMobile once a user opts out of location sharing. AccuWeather claims to have disabled the SDK until it is updated.
“SDK could be misconstrued, and they assure that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent,” Reveal stated.
The SDK will be re-enabled after it has been updated, and the companies will also edit their End User License Agreement to increase transparency for users.
Update 2 (August 24): AccuWeather has updated its app for iOS and has completely removed RevealMobile.
“AccuWeather’s app employed a Software Development Kit (SDK) from a third party vendor (Reveal Mobile) that inadvertently allowed Wi-Fi router data to be transmitted to this third-party vendor. At no time was this data accessed or used by AccuWeather and we have received assurances from the vendor that the same is true for them,” AccuWeather told Guiding Tech.