Tens of iOS apps caught collecting and selling location data

Apps collect data such as GPS coordinates, WiFi network IDs and more, and pass all of it to advertising and monetization firms.
Written by Catalin Cimpanu, Contributor

A team of security researchers behind a popular mobile firewall app says it has identified dozens of iOS apps that collect location data from iPhone users and later pass that data on to monetization firms.

In all cases, the researchers say, the collection happens through packaged tracking code (SDKs) that the monetization firms supply to developers for embedding in their apps.

The good news, as the researchers point out, is that the data collection does not take place covertly. All the apps ask users for permission before collecting the data, and most of the apps the researchers examined appear to have a valid reason for requesting those permissions.

The problem, according to the Guardian app team, is that there is "little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation."


Researchers say they've spotted dozens of iOS apps engaged in this pattern of gaining access to user data (primarily location data) via tracking code provided by monetization firms.

In the vast majority of cases, the apps requested access to GPS coordinates, Bluetooth LE beacon data, and WiFi network SSID and BSSID identifiers. All of this data can be used to track a user's location with high accuracy; a BSSID in particular can be resolved to a street-level position through WiFi geolocation databases, so it pins down a user even when the app never reads GPS.

In addition, they've also seen many apps requesting access to other personally identifiable data, such as GPS altitude and speed info, battery charge status, cellular network data, accelerometer information, IDFA advertising identifiers, and more.
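To make the pattern in the two paragraphs above concrete, here is an added example (not part of the article, and not the Guardian app's own detection logic) that scans a constructed capture of an app's outbound JSON requests and reports which non-first-party hosts receive the classes of identifier the article lists (GPS fields, WiFi SSID/BSSID, BLE beacon data, IDFA, battery, cellular, accelerometer). The host names, field names and the sample capture are all constructed assumptions; real SDKs use their own field names, so the key lists are a starting point, not a complete signature.

```python
import json
import re
from typing import Any, Dict, Iterable, Iterator, List, Set, Tuple

# A BSSID is a MAC address; matching on value shape catches it even when an SDK
# renames the field.
BSSID_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Key names (last path segment, lower-cased) that map to each identifier class.
# These are assumptions for the example, not a vendor's actual schema.
GPS_KEYS = {"lat", "latitude", "lon", "lng", "longitude", "altitude", "alt", "speed"}
WIFI_KEYS = {"ssid", "bssid"}
AD_ID_KEYS = {"idfa", "adid", "advertising_id", "advertisingid"}
CELL_KEYS = {"mcc", "mnc", "carrier", "cell_id", "cellid"}


def flatten(obj: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.key.path, leaf_value) pairs for a parsed JSON body."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def classify_field(path: str, value: Any) -> Set[str]:
    """Return the identifier classes a single flattened field belongs to."""
    segments = path.lower().split(".")
    last = segments[-1]
    classes: Set[str] = set()
    if last in GPS_KEYS:
        classes.add("gps")
    if last in WIFI_KEYS or (isinstance(value, str) and BSSID_RE.match(value)):
        classes.add("wifi")
    if last in AD_ID_KEYS:
        classes.add("ad_id")
    if last in CELL_KEYS:
        classes.add("cellular")
    if "battery" in last:
        classes.add("battery")
    if any("beacon" in seg for seg in segments):
        classes.add("ble_beacon")
    if any("accel" in seg for seg in segments):
        classes.add("accelerometer")
    return classes


def is_first_party(host: str, first_party_domains: Iterable[str]) -> bool:
    """True if host equals or is a subdomain of a domain the app itself owns."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in (x.lower() for x in first_party_domains))


def find_location_leaks(capture: List[Dict[str, Any]],
                        first_party_domains: Iterable[str]) -> Dict[str, List[str]]:
    """Map each third-party host to the sorted identifier classes it received."""
    report: Dict[str, Set[str]] = {}
    for request in capture:
        host = request["host"]
        if is_first_party(host, first_party_domains):
            continue  # sending location to your own backend is the expected case
        for path, value in flatten(request.get("body")):
            found = classify_field(path, value)
            if found:
                report.setdefault(host, set()).update(found)
    return {host: sorted(classes) for host, classes in report.items()}


# Constructed sample capture: one legitimate first-party request, one SDK
# beacon to a hypothetical monetization host, one request with no body.
FIRST_PARTY_HOSTS = ["example-weather.test"]
SAMPLE_CAPTURE = [
    {"host": "api.example-weather.test", "path": "/v1/forecast",
     "body": {"lat": 40.7128, "lon": -74.0060}},
    {"host": "sdk.example-monetizer.test", "path": "/v2/collect",
     "body": {
         "device": {"idfa": "6D92078A-8246-4BA4-AE5B-76104861E7DC", "battery_level": 0.81},
         "location": {"latitude": 40.7128, "longitude": -74.0060, "altitude": 12.0, "speed": 1.3},
         "wifi": {"ssid": "HomeNet", "bssid": "a4:5e:60:1b:22:c3"},
         "beacons": [{"uuid": "f7826da6-4fa2-4e98-8024-bc5b71e0893e", "major": 100, "minor": 7}],
     }},
    {"host": "cdn.example-monetizer.test", "path": "/config.json", "body": None},
]

if __name__ == "__main__":
    print(json.dumps(find_location_leaks(SAMPLE_CAPTURE, FIRST_PARTY_HOSTS), indent=2))
```

The capture format here is whatever a proxy or on-device firewall hands you after TLS interception; the point of the check is the host split, since the same latitude/longitude field is unremarkable on the app's own API and is exactly the finding the article describes when it shows up on a monetization firm's endpoint.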

Guardian researchers published a report today containing the names of 12 monetization firms that received data, the names of 24 apps that contain code from location data monetization firms, and the names of 100 news apps containing monetization code from data monetization firm RevealMobile.

RevealMobile is the same firm to which the AccuWeather iOS app was caught sending user data last year without user permission.


This type of shady data-selling behavior is exactly what Apple is currently trying to prevent. Earlier this month, Apple informed app developers that any app lacking a detailed privacy policy describing how it handles user data would be removed from the App Store after October 3.

Will Strafach, one of the Sudo Security researchers behind the Guardian firewall app, also discovered in February 2017 that 76 iOS apps failed to implement TLS encryption properly and exposed their users to silent MitM (Man-in-the-Middle) data interception attacks.
