A team of security researchers behind a popular mobile firewall app say they've identified dozens of iOS apps that collect location data from iPhone users and pass it on to data monetization firms.
In every case, the researchers say, the collection happens through packaged tracking code (an SDK) that the monetization firm supplies to developers, who embed it in their apps.
The good news, as the researchers point out, is that the collection is not covert: every one of the apps asks the user for permission before accessing the data. Most of the apps the researchers examined also appear to have a legitimate, app-related reason for requesting those permissions.
The problem, according to the Guardian app team, is that there is "little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation."
The researchers say they've spotted dozens of iOS apps following this pattern of obtaining access to user data, primarily location data, through tracking code supplied by monetization firms.
In the vast majority of cases, the apps requested GPS coordinates, Bluetooth LE beacon data, and the SSID and BSSID identifiers of nearby WiFi networks. Each of these can pin down a user's location on its own (beacon IDs and BSSIDs can be resolved to known positions), and together they do so with high accuracy even when GPS is unavailable.
In addition, many apps requested other personally identifiable data, such as GPS altitude and speed, battery charge status, cellular network details, accelerometer readings, the IDFA advertising identifier, and more.
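The gap the report describes is between the permission an app requests and what its purpose string tells the user. One way a practitioner can triage an app for that gap is to read its Info.plist and check whether each location or Bluetooth usage-description string says anything about sharing the data with third parties. The script below is an added example, not code from the Guardian team or from the report: it uses Python's standard plistlib, and the set of permission keys it inspects and the list of disclosure keywords it looks for are assumptions chosen for this illustration. The sample plists are constructed here, not taken from any real app.

```python
import plistlib

# Info.plist usage-description keys that correspond to the data categories the
# report lists (location, BLE beacons, motion). Mapping chosen for this example.
PERMISSION_KEYS = {
    "NSLocationWhenInUseUsageDescription": "location",
    "NSLocationAlwaysUsageDescription": "location",
    "NSLocationAlwaysAndWhenInUseUsageDescription": "location",
    "NSBluetoothPeripheralUsageDescription": "bluetooth",
    "NSBluetoothAlwaysUsageDescription": "bluetooth",
    "NSMotionUsageDescription": "motion",
}

# Substrings that suggest the purpose string discloses sharing with outside
# parties. Heuristic, assumed for this example; tune for your own corpus.
DISCLOSURE_TERMS = ("third part", "third-part", "partner", "advertis", "share", "shared", "sharing", "sold", "sell")


def audit_plist(plist_bytes: bytes) -> dict:
    """Return the app's bundle id and, for each sensitive permission it
    requests, whether the purpose string mentions third-party sharing."""
    info = plistlib.loads(plist_bytes)
    findings = []
    for key, category in PERMISSION_KEYS.items():
        if key not in info:
            continue
        purpose = str(info[key])
        lowered = purpose.lower()
        findings.append({
            "key": key,
            "category": category,
            "purpose": purpose,
            "discloses_sharing": any(term in lowered for term in DISCLOSURE_TERMS),
        })
    return {"bundle_id": info.get("CFBundleIdentifier", "?"), "findings": findings}


def undisclosed_permissions(plist_bytes: bytes) -> list:
    """Keys for which the app asks for sensitive data without mentioning
    that it may be shared. These are the candidates for manual review."""
    report = audit_plist(plist_bytes)
    return [f["key"] for f in report["findings"] if not f["discloses_sharing"]]


def _plist(bundle_id: str, usage: dict) -> bytes:
    """Build a minimal XML Info.plist in memory (constructed sample data)."""
    data = {"CFBundleIdentifier": bundle_id, "CFBundleShortVersionString": "1.0"}
    data.update(usage)
    return plistlib.dumps(data, fmt=plistlib.FMT_XML)


# Constructed sample: a weather-style app whose purpose strings describe only
# the app's own use of the data, and a second app that names its partners.
WEATHER_APP = _plist("com.example.weather", {
    "NSLocationWhenInUseUsageDescription": "We use your location to show local weather.",
    "NSBluetoothPeripheralUsageDescription": "Used to detect nearby weather stations.",
})
DISCLOSING_APP = _plist("com.example.deals", {
    "NSLocationAlwaysUsageDescription": "Your location may be shared with advertising partners.",
    "NSMotionUsageDescription": "Step counting for the fitness tab.",
})

if __name__ == "__main__":
    for blob in (WEATHER_APP, DISCLOSING_APP):
        report = audit_plist(blob)
        print(report["bundle_id"], "->", undisclosed_permissions(blob))
```

A purpose string that passes this check is not proof of honest disclosure, and a string that fails it is not proof of sharing; the script only narrows a large app corpus down to the permission requests worth reading by hand, and the presence of a known monetization SDK in the binary is what should drive the decision to look closer.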
Guardian researchers published a report today containing the names of 12 monetization firms that received data, the names of 24 apps that contain code from location data monetization firms, and the names of 100 news apps containing monetization code from data monetization firm RevealMobile.
RevealMobile is the same firm to which the AccuWeather iOS app was caught sending user data last year without user permission.
Will Strafach, one of the Sudo Security researchers behind the Guardian firewall app, also found in February 2017 that 76 iOS apps failed to implement TLS properly, leaving their users exposed to silent man-in-the-middle (MitM) interception of their traffic.