Wi-Fi network SSID tracked when location data is blocked

Aug 22, 2017 06:29 GMT

AccuWeather is currently one of the top weather applications on mobile devices, so it should come as a big surprise that it might be violating Apple’s guidelines by continuing to collect data even when users specifically block it from doing so.

Security researcher Will Strafach has conducted an in-depth analysis of the way AccuWeather handles user data collection and discovered that even when users block the application from retrieving their location, some information is still being sent to RevealMobile, a company that helps mobile app developers “generate more mobile revenue,” as their own site explains.

When configuring AccuWeather on an iOS device, giving the permission to track the location to provide the forecast leads to certain data being collected and shared with RevealMobile, including the device’s precise GPS coordinates, the name of the Wi-Fi network the device is connected to, and the current status of the Bluetooth connection.

Data sent when location tracking is off

And while this does make sense and it is even included in AccuWeather’s own privacy statement, which nobody reads when running the app for the first time, it’s more interesting to learn what the app does when location tracking is not granted.

RevealMobile still receives some information from the device AccuWeather is running on, including the Wi-Fi network SSID. While at first glance this appears to be harmless, RevealMobile might be able to track geolocation using Bluetooth beacons. From the company’s website:

“Our technology sits inside hundreds of apps across the United States. It turns the location data coming out of those apps into meaningful audience data. We listen for lat/long data and when a device ‘bumps’ into a Bluetooth beacon. The data shown on the following pages reflects 102,535 opted-in location sharing mobile devices that we saw at retail locations Friday, November 25th, 2016.”

At this point, neither Apple nor AccuWeather offered a statement on this analysis, but as the security researcher noted, similar behavior of mobile apps in the past has triggered an FTC investigation, so the forecast provider might be sitting on thin ice here.

UPDATE: AccuWeather and RevealMobile have released a joint statement, promising to update the behavior of the SDK and prevent data from being collected when users do not agree with this. AccuWeather says Wi-Fi info is not user information, and even though such data was collected, nobody used it. Below is the full statement released today:

"Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.

Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.

AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.

To avoid any further misinterpretation, while Reveal is updating its SDK, AccuWeather will be removing the Reveal SDK from its iOS app until it is fully compliant with appropriate requirements. Once reinstated, the end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending removal of the SDK and then later reinstatement.

Reveal has stated that the SDK could be misconstrued, and they assure that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent.

AccuWeather will update its practices, communications and ULAs to be transparent and current with evolving standards. AccuWeather and Reveal continue to enhance methods for handling data and strive to provide superior, seamless, and secure user experiences.

We are grateful to have a supportive community that highlights areas where we can optimize and be more transparent."

UPDATE 2: AccuWeather has released an update for the iOS version that removes the functionality of the SDK collecting user data. The version is labeled 10.5.3.

AccuWeather version 10.5.3 removing SDK functionality to collect user data

UPDATE 3: It turns out that AccuWeather still shares user data without consent despite the update. The company hasn't issued a statement this time, but a third party admitted it receives user data through an SDK integrated into the iOS weather app.
