Uber
AccuWeather's iOS app has been relaying users' geolocation data over to Reveal Mobile without consent, a researcher discoverediStock

A security researcher has discovered AccuWeather's popular iOS app has been relaying users' geolocation information to a third-party monetisation firm, even when the user opted out of location sharing within the app. According to a Medium post published by security expert Will Strafach, the app requests location access in order to provide users with localised weather alerts, critical updates and quicker launch times.

Strafach says the app collects and sends three key bits of information over to an ad firm called Reveal Mobile: Your precise GPS coordinates, current speed and altitude; the name and "BSSID" of your Wi-Fi router and whether your bluetooth is turned on.

Even after turning off location data for AccuWeather, the researcher discovered that the app still relayed user data over to Reveal Mobile.

"During a testing period of 36 hours, specifically while the AccuWeather application was not in the foreground, my test iPhone (located on a desk in an office building) sent the above information to Reveal Mobile a total of 16 times, occuring roughly once every few hours," Strafach wrote in a Medium post on Tuesday (22 August).

"If you do not grant AccuWeather access to your GPS information, it will still send your Wi-Fi router name and BSSID, providing RevealMobile access to less precise location information regarding your device's whereabouts. This practice by a different company appears to have previously caught the attention of the FTC."

According to Reveal Mobile's website, the data firm "turns the location coming out of those apps into meaningful audience data".

"Our technology sits inside hundreds of apps across the United States...We listen for lat/long data and when a device 'bumps' into a Bluetooth beacon," a brochure on the firm's site reads.

Strafach noted that he was not able to confirm whether Reveal Mobile's technology does currently "sit inside hundreds of apps". However, he was able to identify more than 40 applications that did have the technology embedded in them "at one point".

In a blog post, Reveal Mobile said it has "been and continue to be transparent about this, what data we collect, why we collect it, and how our customers use the data".

"We frequently hear and understand the concern around tracking mobile location. We take our customers' and their users' privacy seriously," Reveal Mobile said. "The data we collect is always anonymized and grouped into audience segments, like coffee drinkers or frequent shoppers. We offer no product or service that permits anyone to see an individual device's location data.

"We follow all app store guidelines, honoring all device level and app level opt-outs and permissions. If someone chooses to disable location permissions to an app using our technology, we collect no location information from that device. We do not attempt to reverse engineer a device's location based upon other data signals like Bluetooth when location services are disabled."

In a joint statement on the issue, AccuWeather and Reveal Mobile said: "Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.

"Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose."

To avoid "any further misinterpretation", the companies said Reveal will be updating its SDK while AccuWeather will disable the Reveal SDK from its iOS app "until it is fully compliant with appropriate requirements".

"Once reinstated, the end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing," the firms said. "Reveal has stated that the SDK could be misconstrued, and they assure that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent."