This post has been updated.
Last week, Will Strafach noticed the AccuWeather mobile app was doing something strange and unrelated to weather. It was sending his location information to another company — not associated with AccuWeather — even though he never gave permission for that to happen.
“I tend to look at the binary code and network traffic of mobile apps very often due to the nature of my current work,” Strafach, a tech security researcher, told The Washington Post. He runs a mobile security start-up called Verify.ly, which offers security support to app developers, among other things.
Strafach found two major problems with the way the AccuWeather app was handling user data. First, even though he disabled location services, the app was still collecting information from which location could be determined and sending it to a third party, called Reveal Mobile. Second, he noticed that even if he turned on location services for the AccuWeather app, the app didn’t tell the user it would send that information to Reveal Mobile.
With respect to the first problem, AccuWeather and Reveal Mobile released a joint statement Tuesday saying the app will no longer collect and share your location data — or any data from which location could be determined — without the user’s permission. AccuWeather said it didn’t know the app was tracking location information without users’ consent. It says the company didn’t use the data in any way. Separately, Reveal Mobile announced Tuesday night that it changed its software so that it “will no longer send any data points which could be used to infer location when someone opts out of location sharing.”
Strafach says AccuWeather’s “we didn’t know” explanation leads him to not trust the company.
“As they serve millions of users, it would be reasonable to think they would look at what the code is doing, what network connections are made, if everything was in compliance with local laws,” Strafach says. “I don’t understand why AccuWeather, according to what they imply, may not have vetted their own app’s code before allowing it to be put on so many devices.”
Before the app’s update, even if you denied the AccuWeather app permission to track your location, it would still send valuable location information to Reveal Mobile. Assuming you haven’t downloaded the updated version of the app, here’s what happens…
…if you do allow AccuWeather to use location services: Whether the app is open or closed, it tracks your precise latitude, longitude, altitude and speed in addition to the WiFi router name and BSSID. It also sends this information to RevealMobile.
…if you do not allow AccuWeather to use location services: The app still tracks your general location based on WiFi. It knows the WiFi router name your phone is connected to and the router’s unique BSSID, which can be converted to a location. You can see how that’s possible in this example from ZDNet, which independently verified Strafach’s findings and were able to geolocate a phone using AccuWeather’s app to within a few meters “using nothing more than the WiFi router’s MAC address and public data.”
Another mobile advertising company, InMobi, got in trouble for the same thing in 2016 and settled a lawsuit with the Federal Trade Commission. Central to that case was the same kind of data — WiFi network and BSSID. In a subsequent blog post, the FTC describes how InMobi was “sidestepping” regulations that protect consumers:
..InMobi collected information through consumers’ devices that allowed it to map out the real-world latitude and longitude coordinates of WiFi networks. InMobi then monitored the WiFi networks that a consumer’s device connected to (on both Android and iOS), and in many instances, the WiFi networks that a consumer’s device was in-range of (on Android). By collecting the BSSID (i.e., a unique identifier) of the WiFi networks that a consumer’s device connected to or was in-range of, and feeding this information into its geocoder database, InMobi could then infer the consumer’s location.
In describing what it does, Reveal Mobile doesn’t beat around the bush. “Our technology sits inside hundreds of apps across the United States,” a Reveal Mobile case study says. “It turns the location data coming out of those apps into meaningful audience data. We listen for lat/long data and when a device ‘bumps’ into a Bluetooth beacon.”
“Location data also informs the home and work location of customers,” Reveal Mobile explains. “Pairing this information with existing demographic targeting criteria allows retailers to target consumers with a high propensity to visit based upon two of their most relevant locations.”
Despite the changes AccuWeather and Reveal Mobile announced, Strafach says there’s still a fundamental problem with the way AccuWeather is handling your data.
“There is no actual ‘opt out,'” when it comes to sharing your data with third parties, Strafach says.
Looking into the app’s privacy statement, it does say that it will share your location with third parties, although it doesn’t mention Reveal Mobile.
The Post asked AccuWeather whether it plans to change the app’s privacy options — specifically if they planned on telling users in the location services prompt that they would also be sending location data to third parties. In response, AccuWeather said it “continues to update its practices, communications and ULAs [user license agreements] to be transparent and current with evolving standards.”
“Users have no insight into what doing, so ‘lazy’ and ‘malicious’ are indistinguishable,” Strafach told The Post. “I personally think it is a bit negligent to release something without knowing exactly what it does or how it could affect users.”