Popular Weather App AccuWeather Caught Sending User Location Data, Even When Location Sharing is Off

Zack Whittaker, reporting for ZDNet: Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing. AccuWeather is one of the most popular weather apps in Apple's app store, with a near perfect four-star rating and millions of downloads to its name. But what the app doesn't say is that it sends sensitive data to a firm designed to monetize user locations without users' explicit permission. Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn't have permission to access the device's precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user's device. We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router's MAC address and public data.

Re:WiFi Router Name?

[c-A-d]

That is incorrect. Your MAC address is not contained in the IP Packet. MAC is a layer 2 addressing system while IP is layer 3. The only way for your MAC address to be shared via Layer 3 is if some application has accessed the OSI stack and pulled MAC information from that and then explicitly sent it to a server as part of a payload.