Slashdot Mirror


Popular Weather App AccuWeather Caught Sending User Location Data, Even When Location Sharing is Off (zdnet.com)

Zack Whittaker, reporting for ZDNet: Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing. AccuWeather is one of the most popular weather apps in Apple's app store, with a near perfect four-star rating and millions of downloads to its name. But what the app doesn't say is that it sends sensitive data to a firm designed to monetize user locations without users' explicit permission. Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn't have permission to access the device's precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user's device. We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router's MAC address and public data.

17 of 124 comments

  1. Deleted by CycleFreak · · Score: 2

    Damnit! I really like the AccuWeather app.

    Now it's uninstalled.

    Is it really so hard to make money with an app that user data has to be stolen to make a profit?

    1. Re:Deleted by ctilsie242 · · Score: 2

      No VC will touch a business unless it sucks data, slings ads, or both.

  2. That free app going to cost AccuWeather a fortune by JoeyRox · · Score: 4, Funny

    In lawsuits, and deservedly so.

  3. Re:Why is this surprising? by DontBeAMoran · · Score: 2, Insightful

    Display ads, don't steal user data.

    --
    #DeleteFacebook
  4. OT got the weirdest cell phone cold call yesterday by GodfatherofSoul · · Score: 2, Interesting

    So, went on an eclipse mini-vacation and I guess drove near the vicinity of some trigger point. The caller was asking for another name, but still proceeded to sell me a pitch for a vacation spot I had "driven past." Now, was it my credit card company, the cell phone company, or the data-only account on my tablet who was responsible for leaking my location in real time to a vendor?

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  5. No shock by bloodstar · · Score: 4, Interesting

    After all, AccuWeather had previously tried to convince Congress to gut the NWS so they could make money: http://www.politico.com/story/... So the idea that AccuWeather would do something shady isn't without precedent.

    --
    "The bass, the rock, the mic, the treble. I like my coffee black, just like my metal" - Mindless Self Indulgence
  6. Change your router name to by bobstreo · · Score: 4, Funny

    DROP TABLE location;

  7. They can't even see their own lie by JohnFen · · Score: 3, Insightful

    "we take privacy issues very seriously," the spokesperson said. "We work to have our [terms of service and agreements] as current as the law is evolving and often beyond that which may be legally required to protect the privacy of our users."

    If you're only doing what's "legally required", then you aren't, in fact, taking privacy issues "very seriously".

  8. Re:WiFi Router Name? by EvilSS · · Score: 2

    Apps can access the router name and MAC to know when you connect to a device to do a first-time setup. A lot of IoT (*insert IoT rants here*) set up a temp hotspot that you connect to then use the app to configure it. It then shuts down the ad-hoc and connects to your local WiFi that you configure.

    This obviously needs to be locked behind a permission prompt like location is. *sigh* This is why we can't have nice things....

    --
    I browse on +1 so AC's need not respond, I won't see it.
  9. Just sayin' by jabberw0k · · Score: 3, Insightful

    Stallman was right after all.

  10. Re:Why is this surprising? by grahammm · · Score: 2

    Get the Android version and it does offer a paid for ad-free version - AccuWeather Platinum.

  11. Re:WiFi Router Name? by c-A-d · · Score: 4, Informative

    That is incorrect. Your MAC address is not contained in the IP Packet. MAC is a layer 2 addressing system while IP is layer 3. The only way for your MAC address to be shared via Layer 3 is if some application has accessed the OSI stack and pulled MAC information from that and then explicitly sent it to a server as part of a payload.

    --
    some karma... and kinda lukewarm about it.
  12. Yet another reason by c-A-d · · Score: 2

    I don't install apps when a web page is sufficient.

    --
    some karma... and kinda lukewarm about it.
  13. Samsung is Worse by Thelasko · · Score: 3, Interesting

    Samsung phones come with a crippled version of AccuWeather installed by default. It's integrated into the firmware and difficult to remove. Does that version track you too?

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    1. Re:Samsung is Worse by JohnFen · · Score: 3, Interesting

      If you're using Ice Cream Sandwich or later then you can disable any app, even the ones that carriers make uninstallable. You can also root the thing and physically delete the app from storage.

  14. Skip weather 'apps', just go to Wunderground by Rick Schumann · · Score: 3, Interesting

    Just go to Weather Underground instead, you don't need an 'app'. Or if you think that's too commercial and you're going to get tracked, then just go to the National Weather Service. Seriously, you don't need an 'app' for everything.

  15. Re:WiFi Router Name? by Nethead · · Score: 2

    Just to be a jerk I'll mention the IPv6 EUI-64 format address. That is layer 3, or as layer 3 as IP gets.

    --
    -- I have a private email server in my basement.
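
The "WiFi Router Name?" sub-thread turns on whether a MAC address can be visible above layer 2, and the IPv6 EUI-64 format is the case where it is. The following is an added example, not part of the thread: it checks whether an IPv6 address carries a recoverable MAC in its interface identifier. The function names are hypothetical, and the MAC and the addresses (documentation prefix 2001:db8::/32) are constructed.

```python
import ipaddress

def eui64_address(prefix: str, mac: str) -> str:
    """Build the SLAAC address a host derives from its MAC (modified EUI-64)."""
    net = ipaddress.IPv6Network(prefix)
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if net.prefixlen != 64 or len(m) != 6:
        raise ValueError("need a /64 prefix and a 48-bit MAC")
    # Flip the universal/local bit of the first octet, insert FF:FE in the middle.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))

def mac_from_eui64(addr: str):
    """Return the MAC embedded in the address, or None if none is recoverable.

    Heuristic: a randomly generated interface ID contains FF:FE in this
    position about once in 65536, so a hit is a strong hint, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # undo the bit flip
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to the MAC it exposes (None = not EUI-64 derived)."""
    return {a: mac_from_eui64(a) for a in addresses}

# Constructed sample: one EUI-64 global address, its link-local twin,
# and one address with a randomized (privacy-extension style) interface ID.
SAMPLE = [
    eui64_address("2001:db8:1:2::/64", "00:11:22:33:44:55"),
    "fe80::211:22ff:fe33:4455",
    "2001:db8:1:2:5c7e:91a3:4b0d:e812",
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr:40} -> {mac or 'no embedded MAC'}")
```

Run it against the addresses your own interfaces report to see whether privacy extensions or stable opaque interface IDs are in use, or whether the hardware address is going out in every packet.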