Slashdot Mirror

← Back to Stories (view on slashdot.org)

Popular Weather App AccuWeather Caught Sending User Location Data, Even When Location Sharing is Off (zdnet.com)

Posted by msmash on from the beware dept.

Zack Whittaker, reporting for ZDNet: Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing. AccuWeather is one of the most popular weather apps in Apple's app store, with a near perfect four-star rating and millions of downloads to its name. But what the app doesn't say is that it sends sensitive data to a firm designed to monetize user locations without users' explicit permission. Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn't have permission to access the device's precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user's device. We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router's MAC address and public data.

67 of 124 comments (clear)

  1. WiFi Router Name? by JamesKeane7745 · · Score: 1

    Sorry if i've mis understood something, but I thought the 'WiFi Router name' (I assume meaning SSID, if it was the BSSID it would be even worse!) was only available through APIs when loc services are enabled? Have I missed something, or is it a bug in the Location Services API?

    1. Re:WiFi Router Name? by iotaborg · · Score: 1

      MAC address (unique to every network interface), not SSID. MAC address is contained in the IP packet, and is not private information. If you/your router has communicated with any server, that server can record its MAC address, and assign it with a geographic location your phone has already transmitted prior, or use an estimate location (i.e. whatismyipaddress.com).

    2. Re:WiFi Router Name? by EvilSS · · Score: 2

      Apps can access the router name and MAC to know when you connect to a device to do a first time setup. A lot of IOT (*insert IOT rants here*) setup a temp hotspot that you connect to then use the app to configure it. It then shuts down the ad-hoc and connects to your local WiFi that you configure.

      This obviously needs to be locked behind a permission prompt like location is. *sigh* This is why we can't have nice things....

      --
      I browse on +1 so AC's need not respond, I won't see it.
    3. Re:WiFi Router Name? by c-A-d · · Score: 4, Informative

      That is incorrect. Your MAC address is not contained in the IP Packet. MAC is a layer 2 addressing system while IP is layer 3. The only way for your MAC address to be shared via Layer 3 is if some application has accessed the OSI stack and pulled MAC information from that and then explicitly sent it to a server as part of a payload.

      --
      some karma... and kinda lukewarm about it.
    4. Re:WiFi Router Name? by Anonymous Coward · · Score: 1

      The MAC address is absolutely NOT contained in a Layer 3 IP packet. It is contained in the Layer 2 Ethernet Frame, which is NOT routed. The MAC address is only visible to on-device API's and the Layer 2 peer you are connected to. (upstream router, switch, etc.) Carry on.

    5. Re:WiFi Router Name? by Nethead · · Score: 2

      Just to be a jerk I'll mention the IPv6 EUI-64 format address. That is layer 3, or as layer 3 as IP gets.

      --
      -- I have a private email server in my basement.
    6. Re:WiFi Router Name? by Agripa · · Score: 1

      Which is why the privacy extensions were added to IP6 where the MAC address may be replaced with a random address.

    7. Re:WiFi Router Name? by EvilSS · · Score: 1

      But if the access point MAC is not protected by a permission, there is no breach. The app only sends data that Android doesn't protect in any way, so it's public data. That location can be inferred from other things than GPS is not a surprise.

      Did you reply to the wrong comment? I never used the word breach, nor did I imply it. Also on Android (not sure what versions) it IS protected by a permission (or at least the SSID is, not positive on the MAC). It's iOS that doesn't protect it (which is surprising since usually it's the other way around in cases like this). However just because it's not protected doesn't mean that using it in this way does not violate the Apple developer agreement. There are plenty of things an app can do that are against it but not outright blocked by the OS. The OS is not there to interpret the agreement, the Apple app team is who is supposed to do that.

      Either way I think that it SHOULD be protected on both platforms, since apparently it does pose a privacy issue.

      --
      I browse on +1 so AC's need not respond, I won't see it.
  2. Deleted by CycleFreak · · Score: 2

    Damnit! I really like the AccuWeather app.

    Now it's uninstalled.

    Is it really so hard to make money with an app that user data has to be stolen to make a profit?

    1. Re:Deleted by ctilsie242 · · Score: 2

      No VC will touch a business unless it sucks data, slings ads, or both.

    2. Re:Deleted by JohnFen · · Score: 1

      Which is part of why VCs are actively harmful to society at large.

    3. Re:Deleted by rogoshen1 · · Score: 1

      Don't worry, most of them will be wiped out in the next 5 years.

      They knew this, even in Hollywood back in 1987:

      (in regards to a company being labeled a sure thing)

      "No such thing except death and taxes. No fundamentals, not a good company any more. What's going on, Bud? You know something? Remember there are no shortcuts, son. Quick buck artists come and go with every bull market, but the steady players make it through the bear market. You're a part of something here, Bud. The money you make for people creates science and research jobs. Don't sell that out."

    4. Re:Deleted by JohnFen · · Score: 1

      That makes zero sense.

    5. Re:Deleted by Rick+Schumann · · Score: 1

      They are richer than you, so they must have abandoned even the pretense of morals or conscience and just did whatever their selfish little black hearts desired.

      Fixed that for you, AC.

    6. Re:Deleted by Aighearach · · Score: 1

      If it turns out that it isn't possible, there are also open source apps, and weather is always going to be available over public APIs.

  3. Selling your data is too valuable by Anonymous Coward · · Score: 1

    To get people's consent.

  4. That free app going to cost AccWeather a fortune by JoeyRox · · Score: 4, Funny

    In lawsuits, and deservedly so.

  5. Re:Only apps can app apps! by DontBeAMoran · · Score: 1

    Ah, there you are. Where did you go? On a fucking vacation? We need to see your pointless crap at the start of each thread otherwise it doesn't feel like Slashdot anymore.

    Anyway, welcome back.

    --
    #DeleteFacebook
  6. Re:Why is this surprising? by DontBeAMoran · · Score: 2, Insightful

    Display ads, don't steal user data.

    --
    #DeleteFacebook
  7. Re:That free app going to cost AccWeather a fortun by JoeyRox · · Score: 1

    I don't have to prove I was damaged. The FTC will do it for me.

    https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises

  8. Re:Why is this surprising? by ctilsie242 · · Score: 1

    The copy of Accuweather I use is paid... Definitely not a freebie. In any case, the app is history for now.

  9. OT got the wierdest cell phone cold call yesterday by GodfatherofSoul · · Score: 2, Interesting

    So, went on an eclipse mini-vacation and I guess drove near the vicinity of a some trigger point. The caller was asking for another name, but still proceeded to sell me a pitch for a vacation spot I had "driven past." Now, was it my credit card company, the cell phone company, or the data-only account on my tablet who was responsible for leaking my location in real time to a vendor?

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  10. No shock by bloodstar · · Score: 4, Interesting

    After all accuweather had previously tried to convince Congress to gut the NWS so they could make money: http://www.politico.com/story/... So the idea that Accuweather would do something shady isn't without precedent.

    --
    "The bass, the rock, the mic, the treble. I like my coffee black, just like my metal" - Mindless Self Indulgence
  11. Re:Why is this surprising? by Anonymous Coward · · Score: 1

    The copy of Accuweather I use is paid... Definitely not a freebie. In any case, the app is history for now.

    You should also ask Apple to refund your app purchase price.

    Only sound they'll respect is money flowing out of their account

  12. Change your router name to by bobstreo · · Score: 4, Funny

    DROP TABLE location;

    1. Re:Change your router name to by srmalloy · · Score: 1

      Because we may all be needing our own Bobby Tables soon...

      Although

      HOME)`; DROP DATABASE msdb; --

      might be more fun to watch.

  13. Better battery life by Andrew+Lindh · · Score: 1

    I got much better battery life after I removed the AccuWeather app from my phone (months ago). I thought it was doing something other than downloading ads all day.

    1. Re:Better battery life by 93+Escort+Wagon · · Score: 1

      You can block specific apps (or all apps) from running in the background on iOS...

      --
      #DeleteChrome
    2. Re:Better battery life by Gr8Apes · · Score: 1

      Yep, and at this point, I don't believe I allow any to run in background mode. There's nothing so significant that I need to track other than via the iOS supported notifications.

      --
      The cesspool just got a check and balance.
  14. Re:OT got the wierdest cell phone cold call yester by Anonymous Coward · · Score: 1

    Possibly all three with an AI mediated auction to see which one was allowed to sell you out first. Welcome to the future; it was yesterday.

  15. Re:OT got the wierdest cell phone cold call yester by DogDude · · Score: 1

    All of those industries do those things (legally). It was probably a combination of all three.

    --
    I don't respond to AC's.
  16. Re:Why is this surprising? by 93+Escort+Wagon · · Score: 1

    The Weather Channel app displays ads; and, while the app could stand a bit of UI tweaking in my opinion, their forecasts are supposedly top-notch (according to Professor Cliff Mass).

    --
    #DeleteChrome
  17. They can't even see their own lie by JohnFen · · Score: 3, Insightful

    we take privacy issues very seriously," the spokesperson said. "We work to have our [terms of service and agreements] as current as the law is evolving and often beyond that which may be legally required to protect the privacy of our users."

    If you're only doing what's "legally required", then you aren't, in fact, taking privacy issues "very seriously".

    1. Re:They can't even see their own lie by JohnFen · · Score: 1

      What is legally required is inadequate. That's why I say that if all you are doing is meeting the legal requirements, you aren't taking the issue seriously.

    2. Re:They can't even see their own lie by retchdog · · Score: 1

      "and often beyond that which may be legally required"

      lol, dumbfuck. lrn2read.

      (yes, they're probably lying about that too, but your "analysis" is just sad. +4, Insightful? what is this, a cable news channel?)

      --
      "They were pure niggers." – Noam Chomsky
  18. Re:Why is this surprising? by JohnFen · · Score: 1

    That's fine -- but in this case, the app is intentionally circumventing the user's express wishes and giving the impression that the user's wishes are being honored.

    That's deceptive. An honest app would just refuse to run until you gave it the permissions that it demands. It wouldn't engage in hacks like this.

  19. Re:Why is this surprising? by EvilSS · · Score: 1

    Display ads, don't steal user data.

    ...and offer me an option to buy an ad-free version. If your product is worth it, I will gladly pay a reasonable amount to get rid of the ads.

    --
    I browse on +1 so AC's need not respond, I won't see it.
  20. Could this violate stalking laws? by schwit1 · · Score: 1

    Google should ban the app for this deception.

    1. Re:Could this violate stalking laws? by schleimkeim · · Score: 1

      Google should ban itself.

  21. Re:Only apps can app apps! by JohnFen · · Score: 1

    In terms of security, I don't think there's much difference between using the browser and using the app.

  22. if that is a 4 star, then things are bad by WindBourne · · Score: 1

    Seriously, accuweather is about the WORST forecast going.
    Only idiots or some robot would mod them up to a 4 star.

    --
    I prefer the "u" in honour as it seems to be missing these days.
    1. Re:if that is a 4 star, then things are bad by David_Hart · · Score: 1

      Seriously, accuweather is about the WORST forecast going.
        Only idiots or some robot would mod them up to a 4 star.

      I use Weather Pro. Granted it's an app that you have to buy, but it's been very accurate for me. I was on vacation in north eastern Canada and the weather that it predicted for at least the next 48 hours was the weather that we got. The northeast is notorious for it's unpredictable weather.

  23. Re:Why is this surprising? by JohnFen · · Score: 1

    I don't mind ads as long as they're well-behaved. My problem is the tracking that comes with them. There are an awful lot of apps (and websites) that allow you to pay money to disable ads, but the tracking continues to take place anyway.

  24. Re:OT got the wierdest cell phone cold call yester by JohnFen · · Score: 1

    To a certain degree, it doesn't matter which it was. Your phone is clearly leaking data to somebody, and you probably want to fix that.

    If you're running Android and have updated to a reasonably recent version of Google Maps, then that's probably your problem. They added a "feature" to allow this. If that's the cause, they did also add a new option to disable it, or (better) you can disable location services, or (best) you can uninstall the app entirely.

  25. Re:Only apps can app apps! by Anonymous Coward · · Score: 1

    For the few websites I browse on my phone they're constantly asking me to install their application instead. There is no way to block these messages because the host benefit from apps far more than a website visit.

  26. Just sayin' by jabberw0k · · Score: 3, Insightful

    Stallman was right after all.

  27. Thanks. Any weather app recommendations? by jalvarez13 · · Score: 1

    As I just deleted accuweather form my phone., I'd appreciate suggestions for replacing it!

    1. Re:Thanks. Any weather app recommendations? by danomac · · Score: 1

      If you are looking for the best recommendation that won't slurp your info in some way or another, it would be best to look out the window.

  28. Re:Why is this surprising? by PmanAce · · Score: 1

    Are you telling a company who offers a free app on how to run their business model?

    --
    Tired of my customary (Score:1)
  29. Re:Why is this surprising? by grahammm · · Score: 2

    Get the Android version and it does offer a paid for ad-free version - AccuWeather Platinum.

  30. Yet another reason by c-A-d · · Score: 2

    I don't install apps when a web page is sufficient.

    --
    some karma... and kinda lukewarm about it.
  31. Re:Why is this surprising? by DontBeAMoran · · Score: 1

    If they're trying to ignore privacy laws? Yes I am.

    --
    #DeleteFacebook
  32. Samsung is Worse by Thelasko · · Score: 3, Interesting

    Samsung phones come with a crippled version of AccuWeather installed by default. It's integrated into the firmware and difficult to remove. Does that version track you too?

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Samsung is Worse by JohnFen · · Score: 3, Interesting

      If you're using Ice Cream Sandwich or later then you can disable any app, even the ones that carriers make uninstallable. You can also root the thing and physically delete the app from storage.

    2. Re:Samsung is Worse by Anonymous Coward · · Score: 1

      Settings->applications

      Select the application and tap "disable". Probably want to force close it too.

  33. Skip weather 'apps', just go to Wundergound by Rick+Schumann · · Score: 3, Interesting

    Just go to Weather Underground instead, you don't need an 'app'. Or if you think that's too commercial and you're going to get tracked, then just go to the National Weather Service. Seriously, you don't need an 'app' for everything.

    1. Re:Skip weather 'apps', just go to Wundergound by mjwx · · Score: 1

      Just go to Weather Underground instead, you don't need an 'app'. Or if you think that's too commercial and you're going to get tracked, then just go to the National Weather Service. Seriously, you don't need an 'app' for everything.

      This, for the love of whatever deity or holy person you worship, this.

      OK, I'm on Android, the web browser works well so I tend not to see the cause to have an App and a half for every web service I access. Not sure about IOS, I like to maintain my standards.

      I can think of three reasons you'd use an app over a web service.

      1. You need content offline. 99% of my web services require live results (I.E. bank, weather, news).

      2. You need access to local compute resources or hardware that is not accessible remotely. I.E. accelerometer or gyroscope. Thinking of navigation apps.

      3. Your browser is so shitty it cant render anything as well as a laptop/desktop. Never encountered this since getting my first Android phone.

      The overwhelming majority of apps do not meet any of these criteria. I suspect most of them are simply tools for collecting data.

      Also, smug mode on, for all the vaunted security of IOS, it turns out this is right under their noses and I suspect is very wide spread.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  34. What's tomorrow's weather? by Tsolias · · Score: 1

    It's gonna have heavy lawsuit rain tomorrow. Consider getting a lawyer before leaving home.

  35. its not popular by Osgeld · · Score: 1

    its forced onto you by just about every device maker in the universe, if you actually sit down and LOOK at it, succuweather is highly inaccurate and almost useless

    for instance glancing at succuweather, on my phone its 10 degrees cooler than weather undergound, weather.com, google, and my local news station which are all in 1 degree of each other. Lot of fat fucking good it does me to know what the weather was ... 5 hours ago

  36. Re:Why is this surprising? by CodeArtisan · · Score: 1

    Display ads, don't steal user data.

    Ads don't generate sufficient revenue and the race to bottom on app pricing means selling them for 99c doesn't generate enough turnover to support them.

  37. Re:Why is this surprising? by DontBeAMoran · · Score: 1

    My pay check doesn't generate sufficient revenue and the HB-1 salaries means my yearly salary doesn't generate enough to support me. So I'll just steal from everyone instead.

    How stupid does that sound? Because that's what you just said when defending those assholes.

    --
    #DeleteFacebook
  38. Re: Why is this surprising? by PmanAce · · Score: 1

    What are they stealing? Your position?

    --
    Tired of my customary (Score:1)
  39. How this is still possible today? by Anonymous Coward · · Score: 1

    How can any smartphone app ignore system settings?
    Aren't they running in sandbox?
    Aren't they run buy a virtual machine?
    Isn't that virtual machine doing any security policy checks on the app instructions to be run?

  40. Re:Only apps can app apps! by Aighearach · · Score: 1

    I would have thought that stories like this expose the deeply insightful nature of his frivolous-sounding blather.

    I'm enough of a LUDDITE that I don't app apps, and I use a regular website to access weather information; even from a mobile device.

    You don't need a hoverboard for each foot to garden in the rain, you just needs some good clogs.

    And if did want to use an app, it would be open source.

  41. Re:OT got the wierdest cell phone cold call yester by Aighearach · · Score: 1

    My family travels with smart phones, but we don't use those sorts of apps. We don't get that sort of spam.

    The stuff that leaks from credit card usage doesn't give out your info, but if you use third party banking apps those are unregulated and can do anything with your data without telling you. That's why I only use mobile banking provided directly by my bank.

    The reality is that any app that asks for permission to know your location is a suspect. If you install apps with that permission, and they also ask for your phone ID, you can be pretty certain that they're selling your data. Your travel itinerary was probably sold separately numerous times; one time for each app you gave that combination of permissions to! Furthermore, some websites ask for that information; if you never turned it off in your browser, you might be leaking it there too.

    But this story shows, it isn't enough just to be wary of app permissions; even apps without excess permissions are dangerous! Software tools are powerful, downloading random shit was stupid in the `90s, and it is still stupid today. And the average user still does it without any sense of caution at all.

  42. Re:Why is this surprising? by schleimkeim · · Score: 1

    Or you know, don't do any of that.

  43. Re:Why is this surprising? by EvilSS · · Score: 1

    Yea but as far as privacy goes that's like jumping out of the pan and into the eternal flames of hell.

    --
    I browse on +1 so AC's need not respond, I won't see it.