August 23, 2017
Popular weather App Accuweather is in a big mess. The iOS app has been caught sending user location data to a third party location monetizing firm, even when the location sharing was turned off. Accuweather is one of the top rated and popular apps in the Appstore with a four star rating and millions of downloads under its name.
The find was made by Security researcher Will Strafach who intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even thought the app didn’t have the permission to share location, it would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours.
“During a testing period of 36 hours, specifically while the AccuWeather application was not in the foreground, my test iPhone (located on a desk in an office building) sent information about GPS coordinates, including current speed and altitude, the name and “BSSID” of the Wi-Fi router and whether the Bluetooth is turned on or off to RevealMobile a total of 16 times, occuring roughly once every few hours,” said Will Strafach.
For their part, RecealMobile executives claim that though company does collect Wi-Fi data and MAC address information, it "does not use it" for location data. The company helps provide data for advertisers by turning the location data coming out of those apps into meaningful audience data.
“I have not yet been able to confirm RevealMobile’s technology “sits inside hundreds of apps” at this time. I was able to identify over 40 applications which had RevealMobile’s techonlogy embedded in them at one point, but after running the latest versions of each through an intercepting proxy in order to analyze all data sent out, I was only able to observe similar callbacks to “revealmobile.com” in one of them: Frank’s Forecast Weather App from KPRC 2,” added Strafach.