Storm breaks over AccuWeather phoning home without consent

How do you feel about apps tracking you even when you’ve explicitly told them not to? The iOS version of AccuWeather was found to be doing just that by security researcher Will Strafach.

Strafach had peeked into the AccuWeather application (iOS version) and discovered the application was phoning home, even when told not to do so.

This is not the first time an entity has found itself explaining why its app functions differently than expected. In April 2017, Uber’s then CEO, Travis Kalanick, received a dressing down from Apple’s CEO Tim Cook for “secretly identifying and tagging” iPhones.

This instance is disconcerting, but not as egregious.

According to ZDNet’s Zach Whittaker, who shared Strafach’s research on August 22, the AccuWeather application continues sending data that could be used to deduce location, even when the application was explicitly told to not share location data. This data is shared with Reveal Mobile, the third-party intermediary collecting the location data for AccuWeather’s use.

When users of the AccuWeather app have their GPS location data settings turned off for use with the application, the application stops sending the precise location data to the application’s servers. What Strafach’s findings showed is that the app continued to intermittently share the Wi-Fi router name and MAC address.

With such information, it is child’s play to convert that information into a general geographic location. While there are a great many geolocation applications, ZDNet used the Find Wi-Fi app created by Alexander Mylnikov. We put our own device data into this free app and it immediately found our location with pinpoint accuracy.
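
A check for the behaviour described above, as an added example that is not part of the original article or of Strafach’s research: given request bodies exported from an intercepting proxy on your own test device, it reports which hosts receive your own network’s SSID or BSSID. The capture format, host names and JSON field names are constructed assumptions.

```python
import json
import re

# Colon- or hyphen-separated 48-bit hardware address, e.g. a Wi-Fi BSSID.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def normalize_mac(value):
    """Lower-case, colon-separated form so differently formatted BSSIDs compare equal."""
    return value.replace("-", ":").lower()

def walk(node, path=""):
    """Yield (json_path, value) for every string leaf in a decoded JSON body."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit(requests, own_bssid, own_ssid):
    """Return (host, json_path, kind) for each body field carrying this network's identifiers."""
    own_bssid = normalize_mac(own_bssid)
    findings = []
    for req in requests:
        try:
            body = json.loads(req["body"])
        except (ValueError, TypeError):
            continue  # non-JSON bodies are skipped
        for path, value in walk(body):
            if MAC_RE.match(value) and normalize_mac(value) == own_bssid:
                findings.append((req["host"], path, "bssid"))
            elif value == own_ssid:
                findings.append((req["host"], path, "ssid"))
    return findings

# Constructed sample capture: hosts, keys and values are invented for illustration.
SAMPLE = [
    {"host": "api.weather.example", "body": '{"q": "forecast", "units": "metric"}'},
    {"host": "sdk.adtech.example",
     "body": '{"device": {"os": "iOS"}, "networks": '
             '[{"ssid": "HomeNet-5G", "bssid": "A4-2B-8C-11-22-33"}]}'},
    {"host": "cdn.example", "body": "not json"},
]

if __name__ == "__main__":
    for host, path, kind in audit(SAMPLE, "a4:2b:8c:11:22:33", "HomeNet-5G"):
        print(f"{host}: {kind} found at {path}")
```

Running the capture once with the app’s location permission granted and once with it denied shows whether the identifiers keep flowing after the opt-out.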

Strafach confirmed to Naked Security that he had only looked at the iOS version of the application, and had not reviewed the Android version to determine if it operated in the same manner. He hoped that if the iOS version were fixed, they would also fix the Android one, if applicable.

We reached out to Reveal Mobile and asked for clarification. It acknowledged that the MAC address is obtained, as is the Wi-Fi name, but said that it isn’t using the data in the manner depicted in the ZDNet piece. Nonetheless, it understood the need to make an adjustment.

Reveal Mobile issued guidance on August 21, in which it acknowledged that in “looking at our current SDK’s behavior, we see how that [device location] can be misconstrued”. Reveal told us that users who do not wish to share their location should ensure they have opted out at both device- and application-level permissions. The guidance also notes that Reveal Mobile “provides the ability for anyone to opt-out of data collection by Reveal Mobile by contacting us directly”.

The new SDK (for both iOS and Android) was released on August 22 with more explicit details within the documentation. It says:

Reveal Mobile provides a native mobile audience SDK that allows developers to provide targeted audiences to their ad network based on a user’s location, beacon interactions and installed applications.

We dug into Reveal Mobile’s privacy policy, which the documentation references, and it explicitly notes:

The IP addresses to which your device connects. When your phone or tablet connects to WiFi, for example, it connects to a specific IP address. We collect these IP addresses as it can help determine other devices that connect to the same WiFi, such as your home laptop or desktop computer.

The wifi router to which your device connects. When your phone connects to a wifi router, we receive back the names of that router, known as the SSID and BSSID.

So what should you do if you’re an AccuWeather user – either on iOS or Android?

  • Turn off your device’s GPS function
  • Opt out for location within the application
  • Turn off the device’s WiFi
  • Contact Reveal Mobile directly and ask that your data isn’t collected.