The development team behind the
GuardianApp mobile firewall and VPN app reports that an increasing
number of iOS applications are in the practice of gathering and selling
location data from millions of iOS devices.
The researchers' report says that all iOS apps found to exhibit this
behavior collect GPS coordinates, Bluetooth LE beacon data, and Wi-Fi
SSID and BSSID information.
Moreover, many of them also collect additional device data such as
accelerometer information, IDFA advertising identifiers, battery charge,
cellular network info, GPS altitude and/or speed, as well as location
arrival/departure timestamps.
While collecting this type of data is reasonable for most of the apps
found to do it, seeing that they request permission and have valid
reasons for it, the problem lies in the fact that none of them let
users know that their data will be shared for monetary gain.
According to the GuardianApp team, "the apps usually present a plausible
justification relevant to the app in the Location Services permission
dialog, often with little or no mention of the fact that location data
will be shared with third-party entities for purposes unrelated to app
operation."
The misbehaving iOS apps might risk expulsion from the App Store for breaking the guidelines
The apps' behavior is even more problematic given that they have all
passed Apple's review process, even though the company's App Store
Review Guidelines explicitly forbid sharing user data with third parties
without the user's consent.
The Guardian researchers' report provides a list of 24 apps that use data
collection frameworks designed by monetization companies and "12 known
location data monetization businesses."
The article also lists over 100 different examples of local/regional
news applications that previously featured code from the RevealMobile
monetization firm involved in last year's AccuWeather data selling
scandal.
The researchers also provide possible mitigations for the apps' users,
which require them to turn on the "Limit Ad Tracking" option in
Settings > Privacy > Advertising.
Moreover, users should decline any Location Services permission dialog
containing "privacy policy," use a generic name for their Wi-Fi SSID,
and turn off Bluetooth when it is not needed.