Dozens of iPhone Apps 'Constantly' Sending Location Data to Data Monetization Firms

[MacRumors]

Dozens of popular iPhone apps are sharing the location data of millions of mobile devices with third-party data monetization firms, according to a group of security researchers called GuardianApp (via TechCrunch).

The apps in question are mostly news, weather, and fitness apps that require access to location data to work properly, but then share that data to earn money.

According to security researchers, the apps send both precise location and other sensitive customer data to data monetization companies "at all times, constantly" sometimes without customers being aware of the location data collection. The information is used for purposes like creating databases for ad targeting.

Researchers used tools to monitor network traffic to discover apps collecting Bluetooth LE data, GPS longitude and latitude, WiFi SSIDs, accelerometer information, battery charge percentage, location arrival/departure timestamps, and more.

While the apps say that personally identifiable information is not included in the data collection, one of the researchers, Will Strafach, told TechCrunch that latitude and longitude coordinates can provide information on a person's home or work. Many customers who agree to provide apps with location data may not be aware of the extent of the information being collected and shared.

Apps that were found to be collecting location info and sending it to data monetization firms include ASKfm, NOAA Weather Radar, Homes.com, Perfect365, C25K 5K Trainer, Classifieds 2.0 Marketplace, GasBuddy, Photobucket, Roadtrippers, Tapatalk, and more, with a full list available on the site.

The data is being sent to companies that include Reveal, Sense360, Cuebiq, Teemo, Mobiquity, and Fysical. These companies denied wrongdoing, suggested customers were able to opt out at any time, and said that developers are required to inform customers about the data collection.

Some of the apps in question do indeed have clear data collection notices when opening them up for the first time, but data monetization firms do not make sure apps are following disclosure policies and not all do.

"None of these companies appear to be legally accountable for their claims and practices, instead there is some sort of self-regulation they claim to enforce," said Strafach.

iPhone users who want to avoid having their location data shared with data monetization firms should be wary of the third-party apps they install that are using location services. Limiting ad tracking in Privacy settings by going to Privacy > Advertising is recommended.

GuardianApp also suggests users use a generic name for router SSIDs and turn off Bluetooth functionality when Bluetooth is not in use.

Article Link: Dozens of iPhone Apps 'Constantly' Sending Location Data to Data Monetization Firms

 

[fumi2014]

I didn't think Apple allowed this sort of thing.

 

[Apple_Robert]

I don't use any of the apps in question.

The linked article would carry more weight, if it was more than an advertisement for Guardian's new VPN app.

 

[schrodinger_cat]

iOS Settings in Privacy > Advertising regulates only Apple Advertisement platform, no?

 

[SandboxGeneral]

A lot of this crap can be minimized with the use of Pi-Hole.

 

[Justim]

This is the smartest marketing for a VPN I’ve seen yet. Bravo to them for getting in the news, calling out other companies’ shady practices, and building themselves up as a brand you can trust.

 

[DeepIn2U]

Jump to 0:48 on Privacy "extremely seriously" in particular about location data.

I hate to say this but a LOT of certain policies have been DROPPED at the helm of iOS and Apps things gotta get better.

 

[macfacts]

So privacy on iOS is fake

 

[coumerelli]

GuardianApp also suggests users use a generic name for router SSIDs and turn off Bluetooth functionality when Bluetooth is not in use.

Bluetooth is always required with an Apple Watch. Hardly a practical recommendation.

 

[itsmilo]

Of course. Not just that. With tools like clevertap I can even see what each user (by name if you have a registration process inside your app) clicks on inside the app and how many times on any given day. You can even see the battery status and random stuff like that

 

[zorinlynx]

The best way to be able to still use some of these apps (like Pay By Phone parking) that need your location to work well, but not share your location all the time, is to make sure Location Privacy is set to "While Using".

Any app that tries to keep using your location in the background when set to "While Using" will pop up a big blue banner saying "<app> is currently using your location." You can then remove the offending app, or at least kill it. Waze has this issue, but I suspect it's a longstanding bug and not intentional.

 

[MikeAnd]

The best way to be able to still use some of these apps (like Pay By Phone parking) that need your location to work well, but not share your location all the time, is to make sure Location Privacy is set to "While Using".

Yes, at the risk of stating the obvious, for most apps there is a huge difference between granting Location Services access "While Using" versus "Always." For example, I do use GasBuddy, but I'm not too concerned about it because I set Location Services to "While Using," and I only fire it up once a month. There are virtually no third-party apps on my phone that I grant "Always" access to.

You can then remove the offending app, or at least kill it. Waze has this issue, but I suspect it's a longstanding bug and not intentional.

Ironically, the Waze UI is so bad that "just kill the app (and relaunch it from scratch)" is my default technique for navigating through the app.

 

[weup togo]

iOS and tvOS apps are an absolute cesspool of surveillance and tracking. Every article you've read about how bad web pages are? Apps are even worse, and Apple's platforms are no exception whatsoever.

If you're not running https://pi-hole.net for your entire LAN, your bare ass is hanging in the wind every time you power up a device.

 

[SandboxGeneral]

A lot of this crap can be minimized with the use of Pi-Hole.

iOS and tvOS apps are an absolute cesspool of surveillance and tracking. Every article you've read about how bad web pages are? Apps are even worse, and Apple's platforms are no exception whatsoever.

If you're not running https://pi-hole.net for your entire LAN, your bare ass is hanging in the wind every time you power up a device.

I just added all the hostnames listed on the Guardian Mobile Firewall page ( https://guardianapp.com/ios-app-location-report-sep2018.html ) referenced in this article into my Pi-Hole blacklist.

Here are my top blocked domains right now.

 

[redneckitengineer]

I’m glad I gave up GasBuddy yrs ago when I bought an electric car. Otherwise I’ve got none of those.

 

[Elijen]

A lot of this crap can be minimized with the use of Pi-Hole.

On iOS? How?

 

[SandboxGeneral]

On iOS? How?

It's not on iOS. It's a network thing. You set up Pi-Hole on your network and point all DNS to it and it takes care of all this crap and more.

it can even be setup using OpenVPN to filter your DNS even when on cellular networks.

I'm blocking over 1.2 million domains with mine.

 

[Scottsoapbox]

What is a "generic name for router SSID"? WiFi?

 

[JosephAW]

We used to be able to monitor background applications up to iOS 8. Example when I installed the Red Cross app it was running a secondary process all the time transmitting your location even when switched off. I deleted the app and the background app went away after reboot.
Apple solved this problem of users knowing what apps are running in the background by denying utility apps for listing or monitoring them so now that I'm on iOS 10 I can't see what other apps are doing. Thanks. Apple.

 

[KGB7]

Goodbye gasbuddy, I never used you anyways.

 

[fairuz]

Bluetooth is always required with an Apple Watch. Hardly a practical recommendation.

I have nothing that uses Bluetooth, so I keep it off mainly for the power, but there are always vulnerabilities found in Bluetooth from time to time. I wouldn't consider it a big risk; haven't heard of any big exploits of iPhones through BT.

IDK why they say to use generic wifi SSIDs.
[doublepost=1536365744][/doublepost]

The best way to be able to still use some of these apps (like Pay By Phone parking) that need your location to work well, but not share your location all the time, is to make sure Location Privacy is set to "While Using".

Any app that tries to keep using your location in the background when set to "While Using" will pop up a big blue banner saying "<app> is currently using your location." You can then remove the offending app, or at least kill it. Waze has this issue, but I suspect it's a longstanding bug and not intentional.

Definitely never give "always on" location to anything except maybe Google Maps. On top of that I always kill apps rather than letting them background. Besides power usage, I'd rather not keep track of what the privacy settings do exactly and just give them zero chance instead. Apps can wake up for a variety of reasons if they're not killed.

 

[dannyyankou]

I’ve always preferred using full forum website over Tapatalk anyway. I’m deleting it.

 

[DipDog3]

I just added all the hostnames listed on the Guardian Mobile Firewall page ( https://guardianapp.com/ios-app-location-report-sep2018.html ) referenced in this article into my Pi-Hole blacklist.

Here are my top blocked domains right now.
View attachment 780196

Wow, I am blocking 40% of traffic on my pi-hole. Of course I have a couple of Amazon Fire Tablets & they are always trying to phone home.

 

[SandboxGeneral]

Wow, I am blocking 40% of traffic on my pi-hole. Of course I have a couple of Amazon Fire Tablets & they are always trying to phone home.

Keep in mind that statistic on the front page of Pi-Hole only shows the past 24 hours of usage. Mine is low right now because I haven't been online too much recently.

 

[JackANSI]

How anyone is surprised this is happening on iOS as well as android in this day and age puzzles me...