Dozens of iPhone Apps 'Constantly' Sending Location Data to Data Monetization Firms

Dozens of popular iPhone apps are sharing the location data of millions of mobile devices with third-party data monetization firms, according to a group of security researchers called GuardianApp (via TechCrunch).

The apps in question are mostly news, weather, and fitness apps that require access to location data to work properly, but then share that data to earn money.


According to security researchers, the apps send both precise location and other sensitive customer data to data monetization companies "at all times, constantly" sometimes without customers being aware of the location data collection. The information is used for purposes like creating databases for ad targeting.

Researchers used tools to monitor network traffic to discover apps collecting Bluetooth LE data, GPS longitude and latitude, WiFi SSIDs, accelerometer information, battery charge percentage, location arrival/departure timestamps, and more.

While the apps say that personally identifiable information is not included in the data collection, one of the researchers, Will Strafach, told TechCrunch that latitude and longitude coordinates can provide information on a person's home or work. Many customers who agree to provide apps with location data may not be aware of the extent of the information being collected and shared.

Apps that were found to be collecting location info and sending it to data monetization firms include ASKfm, NOAA Weather Radar, Homes.com, Perfect365, C25K 5K Trainer, Classifieds 2.0 Marketplace, GasBuddy, Photobucket, Roadtrippers, Tapatalk, and more, with a full list available on the site.

The data is being sent to companies that include Reveal, Sense360, Cuebiq, Teemo, Mobiquity, and Fysical. These companies denied wrongdoing, suggested customers were able to opt out at any time, and said that developers are required to inform customers about the data collection.

Some of the apps in question do indeed have clear data collection notices when opening them up for the first time, but data monetization firms do not make sure apps are following disclosure policies and not all do.
"None of these companies appear to be legally accountable for their claims and practices, instead there is some sort of self-regulation they claim to enforce," said Strafach.
iPhone users who want to avoid having their location data shared with data monetization firms should be wary of the third-party apps they install that are using location services. Limiting ad tracking in Privacy settings by going to Privacy > Advertising is recommended.

GuardianApp also suggests users use a generic name for router SSIDs and turn off Bluetooth functionality when Bluetooth is not in use.


Top Rated Comments

(View all)
Avatar
10 weeks ago
I didn't think Apple allowed this sort of thing.
Rating: 16 Votes
Avatar
10 weeks ago
The best way to be able to still use some of these apps (like Pay By Phone parking) that need your location to work well, but not share your location all the time, is to make sure Location Privacy is set to "While Using".

Any app that tries to keep using your location in the background when set to "While Using" will pop up a big blue banner saying "<app> is currently using your location." You can then remove the offending app, or at least kill it. Waze has this issue, but I suspect it's a longstanding bug and not intentional.
Rating: 11 Votes
Avatar
10 weeks ago
I don't use any of the apps in question.

The linked article would carry more weight, if it was more than an advertisement for Guardian's new VPN app.
Rating: 10 Votes
Avatar
10 weeks ago

The best way to be able to still use some of these apps (like Pay By Phone parking) that need your location to work well, but not share your location all the time, is to make sure Location Privacy is set to "While Using".


Yes, at the risk of stating the obvious, for most apps there is a huge difference between granting Location Services access "While Using" versus "Always." For example, I do use GasBuddy, but I'm not too concerned about it because I set Location Services to "While Using," and I only fire it up once a month. There are virtually no third-party apps on my phone that I grant "Always" access to.

You can then remove the offending app, or at least kill it. Waze has this issue, but I suspect it's a longstanding bug and not intentional.


Ironically, the Waze UI is so bad that "just kill the app (and relaunch it from scratch)" is my default technique for navigating through the app.
Rating: 7 Votes
Avatar
10 weeks ago
So privacy on iOS is fake
Rating: 6 Votes
Avatar
10 weeks ago

Would you mind explaining all this in a bit more detail? Not familiar with much of what you’re talking about.


Only for Linux!?
More like a Question, can this be done by running Linux in a VM on my Mac and then use that one to set the DNS.
This seems to me a bit geeky if you ask me.
I do have a second generation Raspberry Pi, would that work, is there any non geeky way to set this up, most of the time if you go to those sites explaining this stuff makes it too hard for non geeks.
I am by no means a dummy but networking is not easy at all.

Yup, I too would like to know more about it, seems like you need some kind f Linux distribution to get this to work.

Pi-Hole can be set up on Linux or Raspbian. If you use Linux, don't run it on Ubuntu LTS 18.04 because it isn't yet supported.

I've tested and run it on a Raspberry Pi (Raspbian OS), Ubuntu 16.04 LTS on a Dell Optiplex 990 and I've run it in a VM (virtual machine) under Ubuntu in VMware Fusion on a Mac Mini. Currently I'm just using the Raspbery Pi as the DNS server, or Pi-Hole.

All you have to do once set up is to tell your WiFi router/access point and/or firewall to use the IP address of the Pi-Hole for it's DNS. You can also manually set each device, phone, tablet, PC, laptop et al. to point to the Pi-Hole for it's DNS.

Once you get it setup then you can add curated blocklists to the 'gravity service' of Pi-Hole and it imports all those domains on the list into your Pi-Hole for blocking. You can also blacklist and whitelist domains as needed too. There will always be some false-positives or sites that are blocked that you don't want blocked and once you square off those rough edges its smooth sailing.

Here are some sites that I get most of my block lists from:

* https://firebog.net/
* https://blog.cryptoaustralia.org.au/2017/11/15/favourite-block-lists-cryptoaustralia/
* https://github.com/StevenBlack/hosts
* https://discourse.pi-hole.net/t/to-completely-block-facebook-blocklist-facebook-domains/8141

Here is the Raspbery Pi hardware I'm using. https://www.amazon.com/gp/product/B01D92SSX6/ref=oh_aui_search_detailpage?ie=UTF8&psc=1

I'm happy to answer more questions if you have them. I love the Pi-Hole and never want to be on the Internet again without it.

Here is a video on the setup process.
[MEDIA=youtube]2Ib3o3OVIqI[/MEDIA]
Rating: 6 Votes
Avatar
10 weeks ago
Goodbye gasbuddy, I never used you anyways.
Rating: 5 Votes
Avatar
10 weeks ago
[MEDIA=youtube]39iKLwlUqBo[/MEDIA]

Jump to 0:48 on Privacy "extremely seriously" in particular about location data.

I hate to say this but a LOT of certain policies have been DROPPED at the helm of iOS and Apps things gotta get better.
Rating: 5 Votes
Avatar
10 weeks ago

GuardianApp also suggests users use a generic name for router SSIDs and turn off Bluetooth functionality when Bluetooth is not in use.


Bluetooth is always required with an Apple Watch. Hardly a practical recommendation.
Rating: 4 Votes
Avatar
10 weeks ago
It feels if Apple needs to both:

- Really audit app submissions and app updates and get a lot more rigorous and smarter about what it detects. And what it lets apps do
- Update iOS privacy controls. Many apps only require ‘write’ permissions to work regarding your info. At the moment, to use things like camera apps etc you have to trust that they are not harvesting your photos etc. I think that this is so important that it should be an update for this March with app developers told its happening before the end of this year.
Rating: 3 Votes
[ Read All Comments ]