AccuWeather’s iOS app may be up to something fishy. Security researcher Will Strafach published a warning about the popular weather app’s behavior on Medium and users appear to be paying attention.
According to Strafach’s Medium post, the AccuWeather app requests location permission from users not to provide customized location-based weather data but to send some quite specific geodata to a third-party company called RevealMobile. That includes:
- “Your precise GPS coordinates, including current speed and altitude.
- The name and “BSSID” of the Wi-Fi router you are currently connected to, which can be used for geolocation through various online services.
- Whether your device has Bluetooth turned on or off.”
Notably, turning off location data for AccuWeather doesn’t do much to limit the app’s reach. As Strafach’s Medium post notes, “If you do not grant AccuWeather access to your GPS information, it will still send your Wi-Fi router name and BSSID, providing RevealMobile access to less precise location information regarding your device’s whereabouts. This practice by a different company appears to have previously caught the attention of the FTC.”
RevealMobile appears to specialize in mobile revenue and leveraging location data for ad targeting. “The value lies in understanding the path of a consumer and where they go throughout the day,” the company explains in a blog post on its homepage. “Traveling from home to work to retail to soccer practice to dinner is vital to knowing the customer, and represents the new opportunity of mobile location data.”
TechCrunch has reached out to AccuWeather for more insight and will update the story as it develops.
Update: AccuWeather sent TechCrunch the following statement.
Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.
Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.
AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.
To avoid any further misinterpretation, while Reveal is updating its SDK, AccuWeather will be removing the Reveal SDK from its iOS app until it is fully compliant with appropriate requirements. Once reinstated, the end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending removal of the SDK and then later reinstatement.
Reveal has stated that the SDK could be misconstrued, and they assure that no reverse engineering of locations was ever conducted by any information they gathered, nor was that the intent.
AccuWeather will update its practices, communications and ULAs to be transparent and current with evolving standards. AccuWeather and Reveal continue to enhance methods for handling data and strive to provide superior, seamless, and secure user experiences.
We are grateful to have a supportive community that highlights areas where we can optimize and be more transparent.