Dozens of popular iPhone apps caught sending user location data to monetization firms

A group of security researchers say dozens of popular iPhone apps are quietly sharing the location data of “tens of millions of mobile devices” with third-party data monetization firms.

Almost all of the apps, like weather and fitness apps, require access to a user’s location data to work properly, but often share that data as a way to generate revenue for free-to-download apps.

In many cases, the apps send precise locations and other sensitive, identifiable data “at all times, constantly,” and often with “little to no mention” that location data will be shared with third parties, say security researchers at the GuardianApp project.

“I believe people should be able to use any app they wish on their phone without fear that granting access to sensitive data may mean that this data will be quietly sent off to some entity who they do not know and do not have any desire to do business with,” said Will Strafach, one of the researchers.

Using tools to monitor network traffic, the researchers found 24 popular iPhone apps that were collecting location data — from Bluetooth beacons to Wi-Fi network names — to know where a person is and where they visit. These data monetization firms also collect other device data from the accelerometer, battery charge status and cell network names.

These data firms often pay app developers in exchange for the data, which they use to grow their databases and often to deliver ads based on a person’s location history.

But although many claim they don’t collect personally identifiable information, Strafach said that latitude and longitude coordinates can pin a person to a house or their work.

To name a few:

ASKfm, a teen-focused anonymous question-and-answer app, has 1,400 ratings on the Apple App Store and touts tens of millions of users. It asks for access to a user’s location that “won’t be shared with anyone.” But the app sends that location data to two data firms, AreaMetrics and Huq. When reached, the app maker said it believes its location collection practices “fit industry standards, and are therefore acceptable for our users.”

NOAA Weather Radar has more than 266,000 reviews and has millions of downloads. Access to your location “is used to provide weather info.” But an earlier version of the app from March was sending location data to three firms, Factual, Sense360 and Teemo. The code has since been removed. A spokesperson for Apalon, which built the app, said it “conducted a limited, brief test with a few of these providers” earlier this year.

Homes.com is a popular app that asks that you switch on your location to help “find nearby homes.” But the code, thought to be old code, still sends precise coordinates to AreaMetrics. The app maker said it used AreaMetrics “for a short period” last year but said the code was deactivated.

Perfect365, an augmented reality beauty app with more than 100 million users, asks for location to “customize your experience based on your location and more,” and refers users to the privacy policy for more — which does state that location data will be used for advertising. The app was briefly pulled after a BuzzFeed News story earlier this year outed the researchers, but returned to the app store days later. The current version of the app contains code for eight separate data monetization firms. The app maker did not return a request for comment.

And the list goes on — including more than a hundred Sinclair-owned local news and weather apps, which share location data with Reveal, a data tracking and monetization firm, which the company says will help the media giant bolster its sales by “providing advertisers with target audiences.”

That can quickly become a lucrative business for developers with popular apps and monetization firms alike, some of which collect billions of locations each day.

Most of the data monetization firms deny any wrongdoing and say that users can opt out at any time. Most said that they require app developers to explicitly state that they are collecting and sending data to third-party firms.

The team’s research shows that those requirements are almost never verified.

Reveal said it requires customers “state the use cases for location data in their privacy policy” and that users can opt out at any time. Huq, like Reveal, said it carries out “regular checks on our partner apps to ensure that they have implemented” measures that explain the company’s services. AreaMetrics, which collects primarily Bluetooth beacon data from public areas like coffee shops and retail stores, says it has “no interest” in receiving personal data from users.

Sense360 said the data it collects is anonymous and requires apps to get explicit consent from its users, but Strafach said few apps he’s seen contained text that sought assurances. But the company did not answer a specific question why it no longer works with certain apps. Wireless Registry said it also requires apps to seek consent from users, but would not comment on the security measures it uses to ensure user privacy. And in remarks, inMarket said it follows advertising standards and guidelines.

Cuebiq claims to use an “advanced cryptography method” to store and transmit data, but Strafach said he found “no evidence” that any data was scrambled. It says it’s not a “tracker” and that while some app developers look to monetize users’ data, most use it for insights. And Factual said it uses location data for advertising and analytics, but must obtain in-app consent from users.

When reached, Teemo did not answer our questions. SafeGraph, Mobiquity and Fysical did not respond to requests for comment.

“None of these companies appear to be legally accountable for their claims and practices, instead there is some sort of self-regulation they claim to enforce,” said Strafach.

He said there isn’t much users can do, but limiting ad tracking in your iPhone’s privacy settings can make it more difficult for location trackers to identify users.

Apple’s crackdown on apps that don’t have privacy policies kicks in next month. But given how few people read them in the first place, don’t expect apps to change their behavior any time soon.