Slashdot Mirror


AccuWeather Updates Its iOS App To Address Privacy Outcry (techcrunch.com)

Taylor Hatmaker, writing for TechCrunch: Responding to privacy concerns, AccuWeather is out with a new version of its iOS app that removes a controversial data sharing behavior. Earlier this week, security researcher Will Strafach called attention to the practice in a post and users took to Twitter to announce their intention to dump the app in droves. "AccuWeather's app employed a Software Development Kit (SDK) from a third party vendor (Reveal Mobile) that inadvertently allowed Wi-Fi router data to be transmitted to this third-party vendor," the company wrote in a statement accompanying the app update. "Once we became aware of this situation we took immediate action to verify the operation and quickly disabled the SDK from the IOS app. Our next step was to update the IOS app and remove Reveal Mobile completely."

54 comments

  1. Reveal Mobile, who could have known... by kbdd · · Score: 1
    With a name like this, who could have known it would reveal information about mobile users?

    I certainly did not see it coming!

    1. Re:Reveal Mobile, who could have known... by Anonymous Coward · · Score: 0

      Apparently, not AccuWeather as they tried to deny it at first. Wading Through AccuWeather's Response

  2. Translation: "We're sorry we got caught" by ausekilis · · Score: 3, Insightful

    Hey Mr CEO, you've still got a little egg on your face. Right there on your chin.

    1. Re:Translation: "We're sorry we got caught" by Anonymous Coward · · Score: 1

      [wipes his chin with a $100 bill] "Thanks bud."

  3. Comforting by Zeromous · · Score: 1

    No mention of Android, for better or worse.

    --
    ---Up Up Down Down Left Right Left Right B A START
    1. Re:Comforting by bluefoxlucid · · Score: 4, Interesting

      Having seen the quality of programming most people put out, the "wtf this library does that?!" line sounds like exactly what happened.

      You should see how much asinine shit I go back and un-create when I realize Docker or Ansible or some other such system has capabilities that I'd achieved with poorly-implemented, clunky scripts and clever playbook design. Programmers have it worse: they've got enormous, complex libraries, and they're universally bad at their jobs to the point that the Perl official documentation contained a Hello, World program in 5 lines that was remotely-exploitable--an obvious flaw if you know some obscure facts about how Perl works that even Larry Wall apparently forgot about. (programming r hard)

      A lot of people think about programming like "I want to tell the computer to draw a house." No, you want to tell the computer to take a series of sensitive, highly-specific steps resulting in a figure shaped like a house on your screen. When you juggle user input, you have to figure out how that input can affect those steps, and ensure that the broad possibilities all fall into well-defined categories of outcomes, or else you have security vulnerabilities. When you use a third-party library, you're blindly using a pile of code that appears to do the right thing where you're looking, but who knows what it's doing in places you're not looking?

      Rather than specifically-engineering each step along the way, programmers generally find a tool that does the job and verify that it produces the right result. That's reasonable enough, and this is what happens.

    2. Re:Comforting by bluefoxlucid · · Score: 0

      Bah, I was trying to reply to this post.

    3. Re:Comforting by Anonymous Coward · · Score: 0

      Considering Google just pulled over 500 backdoored apps with 100M downloads from their app store, I'm not sure things are all that rosy on that side of things, either. lol

    4. Re:Comforting by JohnFen · · Score: 1

      Probably worse. It seems very likely to me that what a developer puts into the product for one platform was also put into the product on other platforms.

    5. Re:Comforting by Anonymous Coward · · Score: 0

      One issue is that devs are under the gun to get something out there by the sprint deadline. If it means using a mishmash of shit-tastic libraries, so be it. Better that than to be reprimanded every day at the morning stand-up meeting that those items are not done yet (with everyone in the group remembering the PM's daily chastisement about why it isn't done yet, which will affect employee reviews.) If it takes using some unknown Git repository and getting a product out, so be it. Bugs are new tickets, and better to be doing tons of new tickets than to be stuck on the same old task in your swim lane for weeks on end.

      Until this variant of Agile/Scrum is killed, we will keep seeing this happen over and over, just because a dev has to get the problem in front of them done, by any means necessary. If they don't, their job goes offshore, or gets outsourced to the boatloads of H-1Bs.

    6. Re:Comforting by LordKronos · · Score: 1

      the Perl official documentation contained a Hello, World program in 5 lines that was remotely-exploitable--an obvious flaw if you know some obscure facts about how Perl works that even Larry Wall apparently forgot about

      I would love to see that. Got a link? I tried googling but couldn't come up with anything.

    7. Re:Comforting by Anonymous Coward · · Score: 0

      He's referring to that guy that shat on Perl because he doesn't know Perl, and then did another shitting a year later after a lot of people pointed out how wrong he was.

    8. Re: Comforting by Anonymous Coward · · Score: 0

      Wow...THAT'S clear. I'd also like to know what flaw is being referred to, above.

    9. Re:Comforting by bluefoxlucid · · Score: 1

There was this guy who pulled up a 20-year-old bug in Bugzilla that works because lists are processed by iterating as an expression (e.g. if you do $x = (1, 2, 3, 4, 5), you get $x=1; $x=2; $x=3... and end up with $x=5). As a result, if you put the same entry in a hash twice, you get the second one--and, along with a flaw in DBI, he managed to get admin access to Mozilla's bugzilla.

      So everyone whined a lot, and said he's just dumb, and he came back a year later and (at 21:45) shot a remote code execution at something he found in perl's CGI docs by using a special case of file handle interpretation.

      So there are a number of things going on here. For one, perl does some really strange things, and so stuff needs extreme defensive programming because the very language is trying to fuck it all up for you. On top of that, libraries on the back-end--like DBI and the CGI library--don't handle shit very well, at all, and so it becomes possible to pass a parameter as a list and end up overwriting the next parameter to a subroutine call, which lets you do such fun things as disable input validation in DBI; or, even better, actually use perl right, except that the CGI module had a check to see if a variable is a file, but if you gave it a list containing any file it would return true even though many things in the list aren't files. This was all exacerbated by some core perl modules handling user input by turning it into lists, which means end-user input caused polymorphic code.

      So imagine what it's like to be a programmer. Can you tell me every function call you make is only doing exactly what you expect? Of course not; there's too much code back there for you to review. You can verify that it also does what you expect--but not that it does nothing and also what you expect. You've got limited time to invest in gaining the certainty of what any particular library or function does in total, so there will only be a subset of such things to which you can attest.

      Interestingly, Reveal Mobile has this in their documentation:

      "While traditional lat/long audiences require the app to be open and running, detecting or 'bumping' beacons can occur when apps are not in use," the company writes. "This allows Reveal Mobile to build larger, and more accurate, location-based audiences."

      And they issued this statement:

      We don't attempt to reverse engineer a device's location if someone opts out of location services, regardless of the data signal it comes from. In looking at our current SDK's behavior, we see how that can be misconstrued. In response to that, we're releasing a new version of our SDK today which will no longer send any data points which could be used to infer location when someone opts out of location sharing.

      "It sends things, but we don't use those things for that purpose. I know, it looks weird, but trust us."

      ......... well okay then!

  4. The part I don't get by 93+Escort+Wagon · · Score: 1

    Is there a legitimate reason an application should be able to access your wireless network's name and/or BSSID?

    We regularly see complaints from developers that Apple won't give them broad enough access to user data. However, on the face of it, this seems to be a case where an API can get access to data it has no good reason to need access to.

    --
    #DeleteChrome
    1. Re:The part I don't get by Anonymous Coward · · Score: 1

      Is there a legitimate reason an application should be able to access your wireless network's name and/or BSSID?

      So the vendor can sell it and your location to Reveal Mobile.

    2. Re:The part I don't get by geekmux · · Score: 1

      Is there a legitimate reason an application should be able to access your wireless network's name and/or BSSID?

      We regularly see complaints from developers that Apple won't give them broad enough access to user data. However, on the face of it, this seems to be a case where an API can get access to data it has no good reason to need access to.

      The semi-legitimized reason was to gather location data to tailor the app and provide you with local weather info.

      That activity became offensive only because they were caught selling it to a 3rd party.

      What I fail to understand is why the hell they didn't just program the app to ask for GPS access. Plenty of other apps do, and consumers happily hand that shit out all day long.

    3. Re:The part I don't get by JaredOfEuropa · · Score: 1

      I used this in a home automation app, where having the connection set up as fast as possible adds a lot to the user experience. The app remembers your home's SSID, and when you are on your home wifi it will hit the local address. When you are on LTE or on some other Wifi (different SSID), it'll hit the remote access gateway service.

      Sure, another strategy is to just try both connections at once, but I didn't want to hit the remote service when not needed.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:The part I don't get by JohnFen · · Score: 4, Insightful

      That activity became offensive only because they were caught selling it to a 3rd party.

      I disagree. I think it became offensive when the app went out of its way to gather location information after the user specifically and intentionally disabled location information.
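The question above about why an app can read the SSID/BSSID at all, and JohnFen's point that the data was gathered after the user had turned location off, come down to one fact: a router's BSSID is a globally unique hardware address, and Wi-Fi positioning databases map BSSIDs to coordinates, so a payload that carries the BSSID carries the location whether or not the GPS permission was granted. The following Python is an added example, not code from AccuWeather, Reveal Mobile, or Will Strafach's write-up. It uses a constructed BSSID table and a constructed two-request capture (the hostnames, field names and coordinates are assumptions) and shows the kind of check a reviewer proxying an app's traffic would run: find Wi-Fi identifiers in outbound requests, resolve them, and flag them when the user's location permission was denied.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Wi-Fi positioning table (BSSID -> lat, lon). Real positioning
# services hold hundreds of millions of such entries, built from wardriving
# and from phones that upload the access points they see alongside a GPS fix.
BSSID_DB = {
    "a4:2b:8c:11:22:33": (47.6205, -122.3493),  # constructed entry
    "a4:2b:8c:11:22:34": (47.6206, -122.3490),  # constructed: neighbouring AP
}

# Matches a MAC/BSSID written with ':' or '-' separators.
MAC_RE = re.compile(r"[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}", re.IGNORECASE)
# Field names that carry Wi-Fi identifiers in analytics payloads (assumed names).
WIFI_KEYS = {"bssid", "ssid", "router_mac", "ap_mac", "gateway_mac"}


def normalize_mac(mac):
    return mac.strip().lower().replace("-", ":")


def is_mac(value):
    return isinstance(value, str) and MAC_RE.fullmatch(value.strip()) is not None


def locate_by_bssid(bssids, db=BSSID_DB):
    """Resolve each known BSSID to coordinates; the lookup needs no GPS at all."""
    return [(normalize_mac(b), db[normalize_mac(b)])
            for b in bssids if normalize_mac(b) in db]


def extract_wifi_fields(request):
    """Return {field_path: value} for Wi-Fi identifiers in one captured request.

    `request` is {"url": ..., "body": ...} as an intercepting proxy would
    record it. Query parameters and nested JSON bodies are both inspected.
    """
    found = {}
    for key, values in parse_qs(urlsplit(request["url"]).query).items():
        if key.lower() in WIFI_KEYS or is_mac(values[0]):
            found["query." + key] = values[0]
    try:
        data = json.loads(request.get("body") or "null")
    except json.JSONDecodeError:
        data = None  # non-JSON body: only the query string is checked

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        else:
            # Flag by key name (e.g. "bssid") or by value shape (looks like a MAC).
            leaf = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1]).lower()
            if leaf in WIFI_KEYS or is_mac(node):
                found[path] = node

    walk(data, "")
    return found


def audit(capture, location_permission):
    """Flag requests that ship Wi-Fi identifiers; each finding records what a
    third party could infer from them and whether the user had opted out."""
    findings = []
    for req in capture:
        fields = extract_wifi_fields(req)
        if not fields:
            continue
        macs = [v for v in fields.values() if is_mac(v)]
        findings.append({
            "host": urlsplit(req["url"]).hostname,
            "fields": fields,
            "inferred_location": locate_by_bssid(macs),
            "violates_opt_out": location_permission == "denied",
        })
    return findings


# Constructed capture: one legitimate forecast call and one SDK telemetry call.
CAPTURE = [
    {"url": "https://api.weather-app.test/v1/forecast?zip=98109", "body": ""},
    {"url": "https://collector.analytics-sdk.test/v2/events",
     "body": json.dumps({
         "device": {"os": "iOS 10.3"},
         "wifi": {"ssid": "HomeNet-5G", "bssid": "A4:2B:8C:11:22:33"},
         "neighbors": [{"bssid": "a4-2b-8c-11-22-34", "rssi": -61}],
     })},
]

if __name__ == "__main__":
    for finding in audit(CAPTURE, location_permission="denied"):
        print(json.dumps(finding, indent=2))
```

In a real review the capture would come from an intercepting proxy with the app's location permission set to Never, and the BSSID table would be an actual positioning service. The point the example makes is that opting out of location services does nothing if the app still ships identifiers from which location is derivable, which is exactly the gap Reveal Mobile's own statement describes.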

    5. Re:The part I don't get by JohnFen · · Score: 1

      Is there a legitimate reason an application should be able to access your wireless network's name and/or BSSID?

      Sure. There are tons of useful (to the user) things that can be done if you have that ability. If I couldn't make or use apps that accessed that information, I'd consider the platform broken.

      The key, though, is that the user must remain in control and be able to prevent apps from getting that (or any) data if they choose.

    6. Re:The part I don't get by plover · · Score: 4, Informative

      The part I don't get is why people use AccuWeather. The National Weather Service has extremely high quality forecasts right there on their web page, and if you visit http://mobile.weather.gov/ in your iOS device and tap "Share/Add To Home Screen", it's wrapped up behind an icon and "acts" like an app. As a plus, you've already paid for them with your taxes. And they have no privacy violating trackers on their page, not even a google analytics link.

      Most importantly, you're not feeding some shitty company who has been trying to make the National Weather Service lock up our public weather data, and who bought and paid for a U.S. senator for exactly that purpose.

      --
      John
    7. Re:The part I don't get by geekmux · · Score: 2

      That activity became offensive only because they were caught selling it to a 3rd party.

      I disagree. I think it became offensive when the app went out of its way to gather location information after the user specifically and intentionally disabled location information.

      We would live in a world seething with wisdom and intelligence if people were actually offended about corporations fucking them over. Laziness, ignorance, and stupidity paint the reality we have instead.

    8. Re:The part I don't get by Wolfrider · · Score: 1

      --I wish I had mod points... +1 Insightful

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    9. Re:The part I don't get by Wolfrider · · Score: 1

      --Thank you for that, gonna use it right away :)

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    10. Re:The part I don't get by Anonymous Coward · · Score: 0

      That activity became offensive only because they were caught selling it to a 3rd party.

      I disagree. I think it became offensive when the app went out of its way to gather location information after the user specifically and intentionally disabled location information.

      We would live in a world seething with wisdom and intelligence if people were actually offended about corporations fucking them over. Laziness, ignorance, and stupidity paint the reality we have instead.

      Although I agree in part, I think most people live in a hedonistic fantasy world- they ignore the problems and potential problems, mentally living in imagined bliss... which I blame on the "education" system. People are not taught nor encouraged to think for themselves, but to do as they're told, respect "authority", etc.

    11. Re:The part I don't get by LordKronos · · Score: 1

      I've never tried the mobile.weather.gov so I just checked it out. Yes it has the basic information, but it's not presented nearly as nice as accuweather.

Try to look at the forecast for the next 5 days to see high/low temps. With weather.gov, you need to scroll several screens because the high and low temperatures are each in a big block that takes 1/4 of the screen, and your eyes have to wade through the day name, the overall condition name ("mostly sunny", "partly cloudy", etc.) and a text description that is mostly redundant (most days it just repeats the overall condition name and the temp in sentence form, with some occasional extra info about chance of rain or whatever). Now try the same in accuweather. Easy. In a single screen I can see 6 whole days of forecast, no scrolling necessary. Furthermore, because it's in table format I can easily scan down the list of high/low temps without having to wade through any text. The condition graphics are a bit more meaningful. It's easier to see at a glance when rain is likely.

Now let's look at the radar. With the accuweather app it's easy because the common links are always at the top of the screen. On mobile.weather.gov you need to click back to get to the main screen, then scroll down to find the link to radar. Personally I also like the appearance/presentation of accuweather maps infinitely better...it looks nicer, you can zoom in better to see precisely where the rain is (or zoom out to get a better idea of what's a bit further away), and it filters out all the spurious radar blips/noise.

      Same thing for hourly forecast...easier to access on accuweather because it's a tab at the top of every screen instead of having to find and drill down into the right block.

Now what if you like to check weather for multiple locations? On mobile.weather.gov you have to go back to the main screen, scroll back to the top, go to a different page to select your other location, then renavigate to what you were trying to check out. On accuweather you click an icon and a panel slides out with all your locations. Pick your new location and you are right back in the screen where you started. No navigation necessary.

      Finally a feature I love on accuweather....the 120 minute precipitation forecast. I find it very handy. I see nothing even remotely like it on mobile.weather.gov

      So yeah, what you've got there is a totally free alternative that gives you most of the info, but it's not nearly as conveniently organized or as feature complete. If you like it, wonderful, but it shouldn't be a surprise that some people prefer the better packaging.

    12. Re:The part I don't get by CanadianMacFan · · Score: 1

      I agree with your points and wanted to add the following.

      Having a web page isn't very handy to quickly look up the weather. I like having an app that I can add a widget to the notification centre and glance at to see the temperature when my phone is locked. I know that there are, or at least were, apps that let you embed pages as widgets but then I have to buy another app. And Apple limits how much space is shown so if the website doesn't show the information you are after you'll have to unlock the phone to go visit the page.

      Plus, not everyone is in the US. So while a bunch of people are posting the US weather service URL it doesn't do people in other countries a lot of good. Not every other country has a good weather service. I'm lucky because Environment Canada is good but I'd still much prefer an app than having to go to a webpage every time I wanted to check the weather.

      While I generally dislike it when websites are turned into apps, weather apps have differentiated themselves enough from websites that I prefer the apps.

  5. naive by supernova87a · · Score: 5, Interesting

    I mean, maybe I'm just naive, but don't most people just assume that your phones/apps are leaky and not rely on them to say that they're protecting your privacy? I think it's worse that you act based on the assumption that your info is not being collected/transmitted/sold/leaked to others...

    1. Re:naive by Anonymous Coward · · Score: 1

      This is wise counsel but we should still make others aware when we know it is going on.

    2. Re:naive by Anonymous Coward · · Score: 0

      Naive perhaps... but I think it's worse to quietly accept 24/7 surveillance, regardless of who is doing it.

    3. Re:naive by Anonymous Coward · · Score: 2, Funny

      This is wise counsel but we should still make others aware when we know it is going on.

      This is but one story out of 100 that has come along in the last few years regarding privacy and data leaks.

      How many licks does it take to get to the rock-filled center of the average dumbass consumer?

    4. Re:naive by JohnFen · · Score: 1

      I mean, maybe I'm just naive, but don't most people just assume that your phones/apps are leaky and not rely on them to say that they're protecting your privacy?

      They should, but I think most people just don't think about it at all.

      I consider all programs that I have not written to be security risks, personally. That's why I firewall off every piece of software by default.

    5. Re:naive by dmomo · · Score: 1

      Sure, but that doesn't mean you need to be complacent when you see it happening.

    6. Re:naive by Threni · · Score: 1

      You're special. Most people don't give a shit if the app they use makes a note of where they are more accurately than they need to. Because the phone already knows exactly where you are, and people know this, and they assume the information is available. If they gave a shit they'd not use smartphones, or they'd be more careful.

  6. Surprise! by tsqr · · Score: 2

    Once we became aware of this situation

    Translation: once we became aware that we'd been caught doing this

  7. Sooo tired of this... by Anonymous Coward · · Score: 1

Company looks at it... "We can make more money by screwing our customer over"
"Can we get caught?"
"Yes but it's remote and needs very talented people to find out"
"Ok do it, we'll handle it if we get caught"

I'M TIRED THAT MONEY RUNS EVERYTHING....
THIS NEEDS TO CHANGE

  8. Bullshit Cover-up! by Anonymous Coward · · Score: 0

    Really? You didn't really know?

  9. Egg or... by sjbe · · Score: 2

    Hey Mr CEO, you've still got a little egg on your face. Right there on your chin.

    I don't think that's egg. It's a little more like... ewwwww

  10. Nope by sjbe · · Score: 2

    I mean, maybe I'm just naive, but don't most people just assume that your phones/apps are leaky and not rely on them to say that they're protecting your privacy?

    No, most people don't give the matter a second thought.

    1. Re:Nope by Anonymous Coward · · Score: 0

How could you possibly know that? Oh, that's right, you couldn't and you don't.

      Shut the fuck up you dick-nozzle.

  11. What about Android? by oldmacdonald · · Score: 1

    Did they fix the Android app too?

  12. As George W. Bush once said: by Oswald+McWeany · · Score: 2

    As George W. Bush once said:

    “There's an old saying in Tennessee — I know it's in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can't get fooled again.”

    I certainly wouldn't trust AccuWeather again.

    --
    "That's the way to do it" - Punch
    1. Re:As George W. Bush once said: by Anonymous Coward · · Score: 0

      Most people don't know this, but that was actually the most intelligent thing he ever said as president.

  13. future by Anonymous Coward · · Score: 0

    I guess they'll have to be more stealthy in the future. Dummies

  14. Boo AccuWeather, too late for action now by adosch · · Score: 1

I'm not as surprised as I am a bit confused as to why every tech-related company and their CEO/CIO/COO/CTO decides to do some overbearing data collection in secrecy and bury it in a T&S agreement, all the while knowingly having a pretty good idea that there is going to be a massive end-user boycott, push-back and the venom that is social media isn't going to propagate it like a pandemic disease?

I'm sure I've seen this movie before like the rest of you --- heck, Plex was just in the news about this, so it's not like any company, or the management driving the decisions, is naive whatsoever; it would never work to say you would never have guessed this type of backlash before, there are plenty of examples all over.

It's either the classic I-don't-give-a-fuck pompous stance in the conference room, the probability is that high that they could eke out a change every once in a while without a gazillion of their user base knowing (or caring), or maybe I greatly underestimate just how much value, monetarily and also as an in-house asset, all user habit and usage data really is.

    1. Re:Boo AccuWeather, too late for action now by JohnFen · · Score: 1

      I don't know about AccuWeather, but plenty of companies do a cost/benefit calculation to decide whether or not they're going to do something terrible. If they figure that they'll end up making more money than they'll lose when they get caught, then it's full steam ahead.

  15. Granularity controls by bobstreo · · Score: 3, Interesting

    There should be controls for everything an app can access built into all these portable computers. You should be able to lock out application access to location/bluetooth/wifi/contacts...

    Otherwise, back to a flip phone. They're fine for texting and making/receiving phone calls. Not so good for youtube or facebook, and that's a good thing.

    1. Re:Granularity controls by Archon · · Score: 2

      Android: Settings > Apps & notifications > App permissions
      iOS: Settings > Privacy

  16. Sure you didn't by DaMattster · · Score: 2

    "Once we became aware of this situation we took immediate action to verify the operation and quickly disabled the SDK from the IOS app. Our next step was to update the IOS app and remove Reveal Mobile completely." - IIRC, they denied it at first.

    1. Re:Sure you didn't by freeze128 · · Score: 1

      So AccuWeather loses points for "not being aware" of things that are obvious.

    2. Re:Sure you didn't by sit1963nz · · Score: 1

      What they actually meant was

"Once we became aware of the reputable 3rd party's discovery of this situation we took immediate action to deny and obfuscate the operation and quickly cast doubt on the SDK from the IOS app. Our next step was to fess up, go into damage control and claim we did not know, and then update the IOS app and remove Reveal Mobile completely"

  17. inadvertently? by Anonymous Coward · · Score: 0

    "AccuWeather's app employed a Software Development Kit (SDK) from a third party vendor (Reveal Mobile) that inadvertently allowed Wi-Fi router data to be transmitted to this third-party vendor,"

inadvertently? I don't think so. It was definitely intentional in the SDK, and either intentional or incompetent in the App. But definitely not inadvertent.

  18. Xfinity apps - SSID by Anonymous Coward · · Score: 0

    I'm surprised that nobody has called out Xfinity for passing along SSID in their mobile apps. They use multiple analytics SDKs that pass around the info. They've brushed it off as needing to "collect" the SSID to provide service, even though nothing stops the user from changing the SSID on their home network or owning their own router.

    This seems just as wrong as AccuWeather.

  19. Comcast injects pop-ups by tepples · · Score: 1

    nothing stops the user from changing the SSID on their home network or owning their own router.

    Other than that if you subscribe to home high-speed Internet in a Comcast territory, and you're not renting Comcast's latest gateway, Comcast will inject pop-up ads for its gateway into randomly chosen HTML responses in cleartext HTTP connections that your PCs, tablets, and smartphones make. (Source; Source; Source) Is this a reason to break down and rent Comcast's gateway? Or to boycott sites not available through HTTPS? Or to ditch Comcast and instead pay nearly 100 times more per GB for satellite or home cellular?