Sean Gallagher* says research has confirmed that dozens of iOS apps are surreptitiously sharing users’ location data with firms that market tracking information.
During preparation for a workshop at DEF CON in August on locating privacy leaks in network traffic, we discovered a number of applications on both iOS and Android that were broadcasting precise location data back to the applications’ developers — in some cases in unencrypted formats.
Research released earlier this month by Sudo Security’s Guardian mobile firewall team provided some confirmation of our findings — and demonstrated that many apps are sharing location data with firms that market location data information without users’ knowledge.
In a blog post entitled “Location Monetisation in iOS Apps,” the Guardian team detailed 24 applications from the Apple iOS App Store that pushed data to 12 different “location-data monetisation firms” — companies that collect precise location data from application users for profit.
The 24 identified applications were found in a random sampling of the App Store’s top free applications, so there are likely many more apps for iOS surreptitiously selling user location data.
Additionally, the Guardian team confirmed that one data-mining service was connected with apps from over 100 local broadcasters owned by companies such as Sinclair, Tribune Broadcasting, Fox, and Nexstar Media.
While some of these applications use location data from various sources as part of their service — several were weather applications, and one was a fitness tracker — others use location mostly “for providing you more relevant ads.”
None explicitly stated that data was being shared with a third party.
GPS-based location services can be managed relatively easily on iOS devices and can be turned off completely for specific applications or in general.
It’s also possible in iOS to limit ad tracking under iOS Privacy settings.
But other methods of geolocation, including tracking nearby Wi-Fi networks and Bluetooth Low Energy (BLE) beacons, are less obvious to users and potentially even more accurate.
The applications identified by the Guardian team — some of them repackaged under multiple names for broadcasters’ mobile apps — passed along some or all of these types of geolocation information and in some cases collected:
- Accelerometer information (X-axis, Y-axis, Z-axis)
- The iOS device’s unique Advertising Identifier (IDFA)
- Battery-charge percentage and status (Battery or USB Charger)
- The cellular network’s mobile country code (MCC) and mobile network code (MNC)
- The name of the cellular network
- GPS altitude and/or speed
- Timestamps for arrival and departure at a specific location.
Data points like these are used by firms such as InMarket to track retailers that an app user has visited (or stopped visiting).
Cellular network data can be used for geolocation on its own, and other aspects of the device can be used to “fingerprint” the user across applications, as well as monitor behaviour in certain locations.
Ars Technica was able to confirm samplings of Sudo Security’s data independently.
In addition to these sorts of revenue-generating location-data leaks, we found some iOS applications using location data for legitimate purposes that were leaking location data in plain text API requests.
For example, while Weather Underground’s Wunderground application passes a great deal of its data using TLS encryption, the app sends precise coordinates for latitude and longitude that could be used to calculate the app user’s position as part of an unencrypted HTTP request to the application’s server.
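The kind of check that surfaces a leak like the one just described is a scan of intercepted HTTP requests for coordinate parameters sent over a plaintext scheme. The script below is an added illustration, not code from the article, from Ars Technica, or from the Sudo Security/Guardian research; the host names, paths, request sample and parameter-name lists (`lat`/`lon`/`latitude`/`longitude`, and `idfa` for the advertising identifier) are assumptions, not the real endpoints of any app named above.

```python
"""Flag precise GPS coordinates sent in unencrypted HTTP requests.

Added example, not part of the original article. Scans a constructed list of
captured request URLs (the sort of log an intercepting proxy produces) and
reports any request that carries a latitude/longitude pair, marking whether
it travelled over plain HTTP. Host names, paths and parameter names are
assumptions, not real app endpoints.
"""
from urllib.parse import parse_qs, urlsplit

# Parameter names assumed to carry coordinates or device identifiers.
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}
ID_KEYS = {"idfa"}  # iOS advertising identifier, as named in the article

# Constructed sample of proxied requests: (method, url). Not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "http://api.example-weather.test/v1/forecast?lat=37.774929&lon=-122.419416&units=metric"),
    ("GET", "https://api.example-weather.test/v1/forecast?lat=37.774929&lon=-122.419416"),
    ("GET", "http://cdn.example-news.test/images/logo.png"),
    ("GET", "http://ads.example-tracker.test/ping?latitude=37.77&longitude=-122.42"
            "&idfa=00000000-0000-0000-0000-000000000000"),
]


def _coordinate(value, lo, hi):
    """Return (float, decimal_places) if value parses as a number in [lo, hi], else None."""
    try:
        number = float(value)
    except ValueError:
        return None
    if not lo <= number <= hi:
        return None
    decimals = len(value.split(".", 1)[1]) if "." in value else 0
    return number, decimals


def scan_requests(requests, precise_decimals=4):
    """Return one finding per request whose query string holds a lat/lon pair.

    'decimals' is the smaller decimal count of the pair and serves as a rough
    precision proxy (four decimal places is on the order of ten metres).
    'encrypted' records whether the request used HTTPS; an HTTPS request still
    shares the data with the server, but a network observer cannot read it.
    """
    findings = []
    for method, url in requests:
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        lat = lon = None
        coord_keys, id_keys = [], []
        for key, values in params.items():
            name = key.lower()
            if name in LAT_KEYS:
                lat = _coordinate(values[0], -90.0, 90.0)
                coord_keys.append(key)
            elif name in LON_KEYS:
                lon = _coordinate(values[0], -180.0, 180.0)
                coord_keys.append(key)
            elif name in ID_KEYS:
                id_keys.append(key)
        if lat is None or lon is None:
            continue  # no usable coordinate pair in this request
        decimals = min(lat[1], lon[1])
        findings.append({
            "host": parts.hostname,
            "method": method,
            "params": coord_keys,
            "identifiers": id_keys,
            "decimals": decimals,
            "precise": decimals >= precise_decimals,
            "encrypted": parts.scheme.lower() == "https",
        })
    return findings


def plaintext_leaks(findings):
    """Keep only findings where the coordinates were readable on the wire."""
    return [f for f in findings if not f["encrypted"]]


if __name__ == "__main__":
    for leak in plaintext_leaks(scan_requests(SAMPLE_REQUESTS)):
        tag = "PRECISE" if leak["precise"] else "coarse"
        print(f"{leak['host']}: {tag} location via {leak['params']} over plain HTTP;"
              f" identifiers={leak['identifiers']}")
```

Run against a real proxy log, the same scan separates the two problems the article distinguishes: coordinates that a third party receives at all (every finding) and coordinates that any on-path observer can read (the plaintext subset). Coordinates posted in a JSON body rather than the query string would need a body parser added on the same pattern.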
* Sean Gallagher is Ars Technica’s IT and National Security Editor. He tweets at @thepacketrat.
This article first appeared at arstechnica.com.