
Popular Weather App AccuWeather Caught Sending User Location Data, Even When Location Sharing is Off (zdnet.com) 124

Zack Whittaker, reporting for ZDNet: Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing. AccuWeather is one of the most popular weather apps in Apple's app store, with a near perfect four-star rating and millions of downloads to its name. But what the app doesn't say is that it sends sensitive data to a firm designed to monetize user locations without users' explicit permission. Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn't have permission to access the device's precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user's device. We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router's MAC address and public data.

  • Sorry if I've misunderstood something, but I thought the 'WiFi Router name' (I assume meaning SSID, if it was the BSSID it would be even worse!) was only available through APIs when loc services are enabled? Have I missed something, or is it a bug in the Location Services API?
    • MAC address (unique to every network interface), not SSID. MAC address is contained in the IP packet, and is not private information. If you/your router has communicated with any server, that server can record its MAC address, and assign it with a geographic location your phone has already transmitted prior, or use an estimate location (i.e. whatismyipaddress.com).

      • Re:WiFi Router Name? (Score:5, Informative)

        by c-A-d ( 77980 ) on Tuesday August 22, 2017 @04:11PM (#55065585)

        That is incorrect. Your MAC address is not contained in the IP Packet. MAC is a layer 2 addressing system while IP is layer 3. The only way for your MAC address to be shared via Layer 3 is if some application has accessed the OSI stack and pulled MAC information from that and then explicitly sent it to a server as part of a payload.

        • by Nethead ( 1563 )

          Just to be a jerk I'll mention the IPv6 EUI-64 format address. That is layer 3, or as layer 3 as IP gets.

          • by Agripa ( 139780 )

            Which is why the privacy extensions were added to IP6 where the MAC address may be replaced with a random address.

      • by Anonymous Coward

        The MAC address is absolutely NOT contained in a Layer 3 IP packet. It is contained in the Layer 2 Ethernet Frame, which is NOT routed. The MAC address is only visible to on-device APIs and the Layer 2 peer you are connected to. (upstream router, switch, etc.) Carry on.

    • by EvilSS ( 557649 )
      Apps can access the router name and MAC to know when you connect to a device to do a first time setup. A lot of IOT (*insert IOT rants here*) set up a temp hotspot that you connect to then use the app to configure it. It then shuts down the ad-hoc and connects to your local WiFi that you configure.

      This obviously needs to be locked behind a permission prompt like location is. *sigh* This is why we can't have nice things....
  • Damnit! I really like the AccuWeather app.

    Now it's uninstalled.

    Is it really so hard to make money with an app that user data has to be stolen to make a profit?

    • No VC will touch a business unless it sucks data, slings ads, or both.

      • Which is part of why VCs are actively harmful to society at large.

        • Don't worry, most of them will be wiped out in the next 5 years.

          They knew this, even in Hollywood back in 1987:

          (in regards to a company being labeled a sure thing)

          "No such thing except death and taxes. No fundamentals, not a good company any more. What's going on, Bud? You know something? Remember there are no shortcuts, son. Quick buck artists come and go with every bull market, but the steady players make it through the bear market. You're a part of something here, Bud. The money you make for people creat

    • If it turns out that it isn't possible, there are also open source apps, and weather is always going to be available over public APIs.

  • by Anonymous Coward

    To get people's consent.

  • by JoeyRox ( 2711699 ) on Tuesday August 22, 2017 @02:48PM (#55064977)
    In lawsuits, and deservedly so.
  • by GodfatherofSoul ( 174979 ) on Tuesday August 22, 2017 @03:01PM (#55065079)

    So, went on an eclipse mini-vacation and I guess drove near the vicinity of some trigger point. The caller was asking for another name, but still proceeded to sell me a pitch for a vacation spot I had "driven past." Now, was it my credit card company, the cell phone company, or the data-only account on my tablet who was responsible for leaking my location in real time to a vendor?

    • by Anonymous Coward

      Possibly all three with an AI mediated auction to see which one was allowed to sell you out first. Welcome to the future; it was yesterday.

    • by DogDude ( 805747 )
      All of those industries do those things (legally). It was probably a combination of all three.
    • To a certain degree, it doesn't matter which it was. Your phone is clearly leaking data to somebody, and you probably want to fix that.

      If you're running Android and have updated to a reasonably recent version of Google Maps, then that's probably your problem. They added a "feature" to allow this. If that's the cause, they did also add a new option to disable it, or (better) you can disable location services, or (best) you can uninstall the app entirely.

    • My family travels with smart phones, but we don't use those sorts of apps. We don't get that sort of spam.

      The stuff that leaks from credit card usage doesn't give out your info, but if you use third party banking apps those are unregulated and can do anything with your data without telling you. That's why I only use mobile banking provided directly by my bank.

      The reality is that any app that asks for permission to know your location is a suspect. If you install apps with that permission, and they also ask f

  • No shock (Score:5, Interesting)

    by bloodstar ( 866306 ) <blood_star@@@yahoo...com> on Tuesday August 22, 2017 @03:04PM (#55065095) Journal
    After all accuweather had previously tried to convince Congress to gut the NWS so they could make money: http://www.politico.com/story/... [politico.com] So the idea that Accuweather would do something shady isn't without precedent.
  • by bobstreo ( 1320787 ) on Tuesday August 22, 2017 @03:11PM (#55065151)

    DROP TABLE location;

  • I got much better battery life after I removed the AccuWeather app from my phone (months ago). I thought it was doing something other than downloading ads all day.

    • You can block specific apps (or all apps) from running in the background on iOS...

      • by Gr8Apes ( 679165 )
        Yep, and at this point, I don't believe I allow any to run in background mode. There's nothing so significant that I need to track other than via the iOS supported notifications.
  • by JohnFen ( 1641097 ) on Tuesday August 22, 2017 @03:27PM (#55065249)

    we take privacy issues very seriously," the spokesperson said. "We work to have our [terms of service and agreements] as current as the law is evolving and often beyond that which may be legally required to protect the privacy of our users."

    If you're only doing what's "legally required", then you aren't, in fact, taking privacy issues "very seriously".

    • "and often beyond that which may be legally required"

      lol, dumbfuck. lrn2read.

      (yes, they're probably lying about that too, but your "analysis" is just sad. +4, Insightful? what is this, a cable news channel?)

  • Google should ban the app for this deception.
  • Seriously, accuweather is about the WORST forecast going.
    Only idiots or some robot would mod them up to a 4 star.
    • Seriously, accuweather is about the WORST forecast going.
        Only idiots or some robot would mod them up to a 4 star.

      I use Weather Pro. Granted it's an app that you have to buy, but it's been very accurate for me. I was on vacation in north eastern Canada and the weather that it predicted for at least the next 48 hours was the weather that we got. The northeast is notorious for its unpredictable weather.

  • Just sayin' (Score:4, Insightful)

    by jabberw0k ( 62554 ) on Tuesday August 22, 2017 @03:49PM (#55065427) Homepage Journal
    Stallman was right after all.
  • As I just deleted accuweather from my phone, I'd appreciate suggestions for replacing it!
    • If you are looking for the best recommendation that won't slurp your info in some way or another, it would be best to look out the window.

  • by c-A-d ( 77980 ) on Tuesday August 22, 2017 @04:12PM (#55065599)

    I don't install apps when a web page is sufficient.

  • Samsung is Worse (Score:4, Interesting)

    by Thelasko ( 1196535 ) on Tuesday August 22, 2017 @04:36PM (#55065803) Journal
    Samsung phones come with a crippled version of AccuWeather installed by default. It's integrated into the firmware and difficult to remove. Does that version track you too?
    • Re:Samsung is Worse (Score:4, Interesting)

      by JohnFen ( 1641097 ) on Tuesday August 22, 2017 @04:59PM (#55065967)

      If you're using Ice Cream Sandwich or later then you can disable any app, even the ones that carriers make uninstallable. You can also root the thing and physically delete the app from storage.

  • by Rick Schumann ( 4662797 ) on Tuesday August 22, 2017 @04:45PM (#55065875) Journal
    Just go to Weather Underground [wunderground.com] instead, you don't need an 'app'. Or if you think that's too commercial and you're going to get tracked, then just go to the National Weather Service [weather.gov]. Seriously, you don't need an 'app' for everything.
    • by mjwx ( 966435 )

      Just go to Weather Underground [wunderground.com] instead, you don't need an 'app'. Or if you think that's too commercial and you're going to get tracked, then just go to the National Weather Service [weather.gov]. Seriously, you don't need an 'app' for everything.

      This, for the love of whatever deity or holy person you worship, this.

      OK, I'm on Android, the web browser works well so I tend not to see the cause to have an App and a half for every web service I access. Not sure about IOS, I like to maintain my standards.

      I can think of three reasons you'd use an app over a web service.

      1. You need content offline. 99% of my web services require live results (I.E. bank, weather, news).

      2. You need access to local compute resources or hardware that is not accessible remotely

  • It's gonna have heavy lawsuit rain tomorrow. Consider getting a lawyer before leaving home.
  • it's forced onto you by just about every device maker in the universe, if you actually sit down and LOOK at it, succuweather is highly inaccurate and almost useless

    for instance glancing at succuweather, on my phone it's 10 degrees cooler than weather underground, weather.com, google, and my local news station which are all in 1 degree of each other. Lot of fat fucking good it does me to know what the weather was ... 5 hours ago

  • by Anonymous Coward

    How can any smartphone app ignore system settings?
    Aren't they running in a sandbox?
    Aren't they run by a virtual machine?
    Isn't that virtual machine doing any security policy checks on the app instructions to be run?
