iOS Apps Caught Selling Location Data from Tens of Millions of Devices

The development team behind the GuardianApp mobile firewall and VPN app reports that an increasing number of iOS applications are in the practice of gathering and selling location data from millions of iOS devices.

The researchers' report says that all iOS apps found to exhibit this behavior collect GPS coordinates, Bluetooth LE beacon data, and Wi-Fi SSID and BSSID information.

Moreover, many of them also collect extra device data such as accelerometer information, IDFA advertising identifiers, battery charge, cellular network info, GPS altitude and/or speed, as well as location arrival/departure timestamps.

Collecting this type of data is reasonable for most of the apps found to do it, since they request permission and have valid reasons for it. The problem is that none of them let users know that their data will be shared for monetary gain.

According to the GuardianApp team, "the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation."

The misbehaving iOS apps might risk expulsion from the App Store for breaking the guidelines

The apps' behavior is even more problematic given that they have all passed Apple's review process, even though the company's App Store Review Guidelines expressly forbid sharing user data with third parties without the user's consent.

Guardian researchers' report provides a list of 24 apps that use data collection frameworks designed by monetization companies and "12 known location data monetization businesses."

The article also lists over 100 different examples of local/regional news applications that previously featured code from the RevealMobile monetization firm involved in last year's Accuweather data selling scandal.

The researchers also provide possible mitigations for the apps' users, which require them to turn on the "Limit Ad Tracking" option in Settings > Privacy > Advertising.

Moreover, users should not allow any Location Services permission dialogs that contain the words "privacy policy," should use generic names for their Wi-Fi SSID, and should turn off Bluetooth when it's not needed.
 
