Popular Weather App AccuWeather Caught Sending User Location Data, Even When Location Sharing is Off (zdnet.com)
Zack Whittaker, reporting for ZDNet: Popular weather app AccuWeather has been caught sending geolocation data to a third-party data monetization firm, even when the user has switched off location sharing. AccuWeather is one of the most popular weather apps in Apple's app store, with a near perfect four-star rating and millions of downloads to its name. But what the app doesn't say is that it sends sensitive data to a firm designed to monetize user locations without users' explicit permission. Security researcher Will Strafach intercepted the traffic from an iPhone running the latest version of AccuWeather and its servers and found that even when the app didn't have permission to access the device's precise location, the app would send the Wi-Fi router name and its unique MAC address to the servers of data monetization firm Reveal Mobile every few hours. That data can be correlated with public data to reveal an approximate location of a user's device. We independently verified the findings, and were able to geolocate an AccuWeather-running iPhone in our New York office within just a few meters, using nothing more than the Wi-Fi router's MAC address and public data.
WiFi Router Name? (Score:1)
Re: (Score:1)
MAC address (unique to every network interface), not SSID. MAC address is contained in the IP packet, and is not private information. If you/your router has communicated with any server, that server can record its MAC address, and assign it with a geographic location your phone has already transmitted prior, or use an estimated location (i.e. whatismyipaddress.com).
Re:WiFi Router Name? (Score:5, Informative)
That is incorrect. Your MAC address is not contained in the IP Packet. MAC is a layer 2 addressing system while IP is layer 3. The only way for your MAC address to be shared via Layer 3 is if some application has accessed the OSI stack and pulled MAC information from that and then explicitly sent it to a server as part of a payload.
Re: (Score:3)
Just to be a jerk I'll mention the IPv6 EUI-64 format address. That is layer 3, or as layer 3 as IP gets.
Re: (Score:2)
Which is why the privacy extensions were added to IPv6 where the MAC address may be replaced with a random address.
Re: (Score:1)
The MAC address is absolutely NOT contained in a Layer 3 IP packet. It is contained in the Layer 2 Ethernet Frame, which is NOT routed. The MAC address is only visible to on-device APIs and the Layer 2 peer you are connected to. (upstream router, switch, etc.) Carry on.
Re: (Score:3)
This obviously needs to be locked behind a permission prompt like location is. *sigh* This is why we can't have nice things....
Re: (Score:2)
But if the access point MAC is not protected by a permission, there is no breach. The app only sends data that Android doesn't protect in any way, so it's public data. That location can be inferred from other things than GPS is not a surprise.
Did you reply to the wrong comment? I never used the word breach, nor did I imply it. Also on Android (not sure what versions) it IS protected by a permission (or at least the SSID is, not positive on the MAC). It's iOS that doesn't protect it (which is surprising since usually it's the other way around in cases like this). However just because it's not protected doesn't mean that using it in this way does not violate the Apple developer agreement. There are plenty of things an app can do that are agains
Deleted (Score:2)
Damnit! I really like the AccuWeather app.
Now it's uninstalled.
Is it really so hard to make money with an app that user data has to be stolen to make a profit?
Re: (Score:3)
No VC will touch a business unless it sucks data, slings ads, or both.
Re: (Score:2)
Which is part of why VCs are actively harmful to society at large.
Re: (Score:2)
Don't worry, most of them will be wiped out in the next 5 years.
They knew this, even in Hollywood back in 1987:
(in regards to a company being labeled a sure thing)
"No such thing except death and taxes. No fundamentals, not a good company any more. What's going on, Bud? You know something? Remember there are no shortcuts, son. Quick buck artists come and go with every bull market, but the steady players make it through the bear market. You're a part of something here, Bud. The money you make for people creat
Re: (Score:2)
That makes zero sense.
Re: (Score:2)
They are richer than you, so they must have abandoned even the pretense of morals or conscience and just did whatever their selfish little black hearts desired.
Fixed that for you, AC.
Re: (Score:2)
If it turns out that it isn't possible, there are also open source apps, and weather is always going to be available over public APIs.
Re: (Score:3, Insightful)
Display ads, don't steal user data.
Re: (Score:2)
The Weather Channel app displays ads; and, while the app could stand a bit of UI tweaking in my opinion, their forecasts are supposedly top-notch (according to Professor Cliff Mass).
Re: (Score:2)
Display ads, don't steal user data.
...and offer me an option to buy an ad-free version. If your product is worth it, I will gladly pay a reasonable amount to get rid of the ads.
Re: (Score:2)
I don't mind ads as long as they're well-behaved. My problem is the tracking that comes with them. There are an awful lot of apps (and websites) that allow you to pay money to disable ads, but the tracking continues to take place anyway.
Re: (Score:3)
Get the Android version and it does offer a paid for ad-free version - AccuWeather Platinum.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
If they're trying to ignore privacy laws? Yes I am.
Re: (Score:2)
Display ads, don't steal user data.
Ads don't generate sufficient revenue and the race to bottom on app pricing means selling them for 99c doesn't generate enough turnover to support them.
Re: (Score:2)
My pay check doesn't generate sufficient revenue and the HB-1 salaries means my yearly salary doesn't generate enough to support me. So I'll just steal from everyone instead.
How stupid does that sound? Because that's what you just said when defending those assholes.
Re: Why is this surprising? (Score:2)
Re: (Score:1)
Re: (Score:2)
The copy of Accuweather I use is paid... Definitely not a freebie. In any case, the app is history for now.
Re: (Score:1)
The copy of Accuweather I use is paid... Definitely not a freebie. In any case, the app is history for now.
You should also ask Apple to refund your app purchase price.
Only sound they'll respect is money flowing out of their account
Re: (Score:2)
That's fine -- but in this case, the app is intentionally circumventing the user's express wishes and giving the impression that the user's wishes are being honored.
That's deceptive. An honest app would just refuse to run until you gave it the permissions that it demands. It wouldn't engage in hacks like this.
Selling your data is too valuable (Score:1)
To get people's consent.
That free app is going to cost AccuWeather a fortune (Score:5, Funny)
Re: (Score:2)
https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy/enforcing-privacy-promises [ftc.gov]
Re: (Score:1)
OT got the weirdest cell phone cold call yesterday (Score:3, Interesting)
So, went on an eclipse mini-vacation and I guess drove near the vicinity of some trigger point. The caller was asking for another name, but still proceeded to sell me a pitch for a vacation spot I had "driven past." Now, was it my credit card company, the cell phone company, or the data-only account on my tablet who was responsible for leaking my location in real time to a vendor?
Re: (Score:1)
Possibly all three with an AI mediated auction to see which one was allowed to sell you out first. Welcome to the future; it was yesterday.
Re: (Score:2)
Re: (Score:2)
To a certain degree, it doesn't matter which it was. Your phone is clearly leaking data to somebody, and you probably want to fix that.
If you're running Android and have updated to a reasonably recent version of Google Maps, then that's probably your problem. They added a "feature" to allow this. If that's the cause, they did also add a new option to disable it, or (better) you can disable location services, or (best) you can uninstall the app entirely.
Re: (Score:2)
My family travels with smart phones, but we don't use those sorts of apps. We don't get that sort of spam.
The stuff that leaks from credit card usage doesn't give out your info, but if you use third party banking apps those are unregulated and can do anything with your data without telling you. That's why I only use mobile banking provided directly by my bank.
The reality is that any app that asks for permission to know your location is a suspect. If you install apps with that permission, and they also ask f
No shock (Score:5, Interesting)
Change your router name to (Score:5, Funny)
DROP TABLE location;
Re: (Score:2)
Because we may all be needing our own Bobby Tables [xkcd.com] soon...
Although
HOME)`; DROP DATABASE msdb; --
might be more fun to watch.
Better battery life (Score:1)
I got much better battery life after I removed the AccuWeather app from my phone (months ago). I thought it was doing something other than downloading ads all day.
Re: (Score:2)
You can block specific apps (or all apps) from running in the background on iOS...
Re: (Score:1)
They can't even see their own lie (Score:4, Insightful)
"we take privacy issues very seriously," the spokesperson said. "We work to have our [terms of service and agreements] as current as the law is evolving and often beyond that which may be legally required to protect the privacy of our users."
If you're only doing what's "legally required", then you aren't, in fact, taking privacy issues "very seriously".
Re: (Score:2)
What is legally required is inadequate. That's why I say that if all you are doing is meeting the legal requirements, you aren't taking the issue seriously.
Re: (Score:2)
"and often beyond that which may be legally required"
lol, dumbfuck. lrn2read.
(yes, they're probably lying about that too, but your "analysis" is just sad. +4, Insightful? what is this, a cable news channel?)
Could this violate stalking laws? (Score:2)
Re: (Score:1)
Google runs Apple's app store now?
Re: (Score:1)
if that is a 4 star, then things are bad (Score:2)
Only idiots or some robot would mod them up to a 4 star.
Re: (Score:2)
Seriously, accuweather is about the WORST forecast going.
Only idiots or some robot would mod them up to a 4 star.
I use Weather Pro. Granted it's an app that you have to buy, but it's been very accurate for me. I was on vacation in north eastern Canada and the weather that it predicted for at least the next 48 hours was the weather that we got. The northeast is notorious for its unpredictable weather.
Just sayin' (Score:4, Insightful)
Thanks. Any weather app recommendations? (Score:1)
Re: (Score:2)
If you are looking for the best recommendation that won't slurp your info in some way or another, it would be best to look out the window.
Yet another reason (Score:3)
I don't install apps when a web page is sufficient.
Samsung is Worse (Score:4, Interesting)
Re:Samsung is Worse (Score:4, Interesting)
If you're using Ice Cream Sandwich or later then you can disable any app, even the ones that carriers make uninstallable. You can also root the thing and physically delete the app from storage.
Re: (Score:1)
Settings->applications
Select the application and tap "disable". Probably want to force close it too.
Skip weather 'apps', just go to Wunderground (Score:4, Interesting)
Re: (Score:2)
Just go to Weather Underground [wunderground.com] instead, you don't need an 'app'. Or if you think that's too commercial and you're going to get tracked, then just go to the National Weather Service [weather.gov]. Seriously, you don't need an 'app' for everything.
This, for the love of whatever deity or holy person you worship, this.
OK, I'm on Android, the web browser works well so I tend not to see the cause to have an App and a half for every web service I access. Not sure about iOS, I like to maintain my standards.
I can think of three reasons you'd use an app over a web service.
1. You need content offline. 99% of my web services require live results (I.E. bank, weather, news).
2. You need access to local compute resources or hardware that is not accessible remotely
What's tomorrow's weather? (Score:1)
it's not popular (Score:2)
it's forced onto you by just about every device maker in the universe, if you actually sit down and LOOK at it, succuweather is highly inaccurate and almost useless
for instance glancing at succuweather, on my phone it's 10 degrees cooler than weather underground, weather.com, google, and my local news station which are all in 1 degree of each other. Lot of fat fucking good it does me to know what the weather was ... 5 hours ago
How is this still possible today? (Score:1)
How can any smartphone app ignore system settings?
Aren't they running in sandbox?
Aren't they run by a virtual machine?
Isn't that virtual machine doing any security policy checks on the app instructions to be run?
Re: (Score:2)
Ah, there you are. Where did you go? On a fucking vacation? We need to see your pointless crap at the start of each thread otherwise it doesn't feel like Slashdot anymore.
Anyway, welcome back.
Re: (Score:2)
I would have thought that stories like this expose the deeply insightful nature of his frivolous-sounding blather.
I'm enough of a LUDDITE that I don't app apps, and I use a regular website to access weather information; even from a mobile device.
You don't need a hoverboard for each foot to garden in the rain, you just needs some good clogs.
And if I did want to use an app, it would be open source.
Re: (Score:1)
I'm still trying to figure out why people download and install executables to do simple tasks that I do in a web browser.
I blame the stupid Apple ad telling us "There's an App for that"
Re: (Score:2)
In terms of security, I don't think there's much difference between using the browser and using the app.
Re: (Score:1)
For the few websites I browse on my phone they're constantly asking me to install their application instead. There is no way to block these messages because the host benefits from apps far more than a website visit.