Smartphones store some of the most precious and personal data we have. Details of our daily routine, meetings, phone numbers, the email addresses of hundreds of people, usernames and passwords, location history courtesy of Google Maps (and other navigation software), detailed browsing and download history and usage statistics from every app installed on every mobile device. And everybody wants this data.
Many apps ask for permission to access our device’s storage, phonebook, camera and microphone and most ask for permission to access our location.
Collection of personal data is necessary, but...
It is true that the collection of personal data is necessary in many cases in order for apps to function as intended – for example you cannot use a navigation app without it allowing access to your location, or a photo editing app without allowing access to your camera and storage, or a chat app without allowing access to your phonebook – I think you get the picture.
The problem arises when these apps share this data with third parties without your knowledge, and more than two-thirds of all mobile apps (both iOS and Android apps) are sharing personal data with third-party companies.
Android being the worst culprit, with more than 75 percent of all apps sharing data with third-party companies. While these apps share all kinds of personal data, it is your location data that is most sought after. Why? Because of the rise of location-based advertising.
Around 40 percent of all mobile ad spending goes towards location-targeted ads. Google wants that data so much that the company tracked users even after they turned off their Location History. Some popular weather apps (those that need location data the most in order to function properly), like WeatherBug, are actually owned by location advertising companies.
So, it came as no great surprise when, yet another survey discovered a bunch of apps that were secretly sharing user location data with tracking firms.
“Location Data Monetization in iOS Apps”
This latest study comes from Sudo Security, the developers behind the upcoming Guardian mobile firewall and VPN app. Their security team discovered 24 iOS apps that are sharing location data with tracking firms and without notifying users.
They shared their findings in a report titled “Location Data Monetization in iOS Apps”. The interesting thing is that the study simply used random sampling technique – researchers picked random apps that are highly popular on the App Store, meaning there’s a high chance that other popular iOS apps are doing the exact same thing.
Among these guilty apps are weather providers, real-estate apps, navigation apps, apps that offer local discounts, in these cases using your location data can be justified. Other apps however, like AR beauty apps, code scanners, chat apps, photo storage apps, and voicemail apps do not require user location in order to function properly. But this didn’t stop them.
These IOS apps are found to be sharing location data with third-party tracking firms:
- ASKfm: Ask Anonymous Questions
- C25K 5K Trainer
- Classifieds 2.0 Marketplace
- Code Scanner by ScanLife
- Coupon Sherpa
- Moco - Chat, Meet People
- My Aurora Forecast
- MyRadar NOAA Weather Radar
- NOAA Weather Radar
- PayByPhone Parking
- QuakeFeed Earthquake Alerts
- ScoutLook Hunting
- SnipSnap Coupon App
- The Coupons App
- Weather Live - Local Forecast
- YouMail: Voicemail Upgrade
Some of these apps indirectly informed users that they might share data with third parties – notifying users their data might be used to help serve better ads. Others went a step further and explicitly stated that data might be shared with third parties. This was the case with NOAA weather apps and Mobiletag.
The majority however, made no effort to inform users that their private location information would be shared and merely listed reasons such as “improving some features” (ASKfm), “increased accuracy with voice alerts” (C25K 5K Trainer), showing users local listings and deals, or local gas prices (coupon apps and GasBuddy), finding nearby homes (Homes.com), meeting people nearby (Moco Chat), providing customized experience (Perfect365) in an effort to cover their asses. Some used no imagination, stating simply that location data was needed to provide accurate weather reports (used by most weather apps from the list).
None of the aforementioned apps explicitly stated that they might share user data with third-party firms or partners or that user data might be shared at all. In some case researchers found that apps shared data with more than one tracking firm and in fact they discovered the tracking codes of 12 tracking firms in total. Some of these location tracking codes ran at all times sending location data even if an app was not actively being used.
All of the 24 apps discovered used one or more location source such as BLE (Bluetooth Low Energy) beacon data, GPS Longitude and Latitude, Wi-Fi SSID (Network Name), and BSSID (Network MAC Address) for the purpose of collecting location data.
In addition to the aforementioned location data, some apps collected other forms of private data including:
- Accelerometer information (X-axis, Y-axis, Z-axis)
- The iOS device's unique Advertising Identifier (IDFA)
- Battery-charge percentage and status (Battery or USB Charger)
- The cellular network's mobile country code (MCC) and mobile network code (MNC)
- The name of the cellular network
- GPS altitude and/or speed
- Timestamps for arrival and departure at a specific location
These results are worrying but they are hardly surprising. It has been known for a very long time that many popular apps use location tracking for monetization purposes, as is evident in countless research and investigative articles.
Mobile apps from all operating systems are spying on us and sharing our location data! Five years ago, this might have been an alarming find but today it’s just old hat. What you, the user can do is block access to location data for all apps that do not explicitly need it, limit ad tracking in iOS (Settings > Privacy > Advertising and turn on Limit Ad Tracking) and keep your Bluetooth off unless actively using it. Simple steps that are more than worth taking.