A day after a security researcher criticized AccuWeather for collecting people's location data – even if its users refused to grant permission to do – the weather forecasting company and its ad tech partner Reveal Mobile denied violating permission settings while also revising the app's info-grabbing code.
In a post on Monday, Will Strafach, CEO of the Sudo Security Group, said the AccuWeather iOS app sends users' Wi-Fi router names and BSSIDs to Reveal Mobile, even if users refuse to grant the app access to GPS location data.
The BSSID (basic service set identifier) is the MAC address of a wireless access point and is often enough to determine a user's location, though perhaps less accurately that device GPS coordinates. Companies such as Skyhook offer this service, as do various this public databases.
The Register asked AccuWeather to comment and a company spokesperson pointed to a statement published on Tuesday.
AccuWeather and Reveal Mobile, which makes the advertising SDK responsible for the app's behavior, issued a joint statement disavowing any attempt to infer location data for devices that have disabled location services.
"Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user," the two companies said. "Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose."
Despite insisting it was unaware such data was available and thus went unexploited, AccuWeather said it would remove the Reveal Mobile SDK from its iOS app until it takes privacy seriously. A spokesperson for the weather biz told us a new version of the iOS app with the SDK removed is not out yet, though, as it is awaiting approval from Apple.
On Monday, version 10.5.2 of the iOS AccuWeather app was released, but that was unrelated to the privacy kerfuffle. On Tuesday, Reveal Mobile updated its SDK to "cease collection of all device data if location sharing [is] disabled by [the] end user."
Reveal in an update to the joint statement insisted, "We do not attempt to reverse engineer a device’s location based upon other data signals when location services are disabled." And the company said it complies with all app store guidelines and ad industry best practices.
Despite such assurances, the incident highlights the absence of transparency and accountability in current app design practices and lack of clear disclosure about the information gathered by apps, how that information gets distributed, and how all the companies involved in the data flow use the information.
Google's recent decision to remove more than 500 apps from Google Play offers a glimpse at the scope of the problem. Its mass app execution followed a report by Lookout, a mobile security firm, that found hundreds of apps were built with an SDK that was communicating with an IP address associated with malware.
App developers may have no idea what third-party libraries do. And they don't appear to be interested in finding out, until security researchers start poking around with network analysis tools. ®