A group of security researchers that developed the popular Guardian mobile firewall app revealed that a growing number of iOS apps currently collect location data, WiFi network IDs and other data, from iPhone users and sell them to advertising companies.
Let me immediately highlight that these iOS apps collect data by asking users for permission to do it, but lack to inform users that gathered information are shared with third-party advertising and marketing companies.
The experts have observed that all these apps have embedded tracking codes provided by advertising and marketing firms.
“The GuardianApp team has discovered that a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms. In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information.” states the Guardian app research team.
Most of the apps asked for permission to access GPS coordinates, Bluetooth LE beacon data, and Wi-Fi SSID (Network Name) and BSSID (Network MAC Address).
Some apps also collect other types of device information, including accelerometer Information (X-axis, Y-axis, Z-axis), advertising Identifier (IDFA), battery Charge Percentage and Status (Battery or USB Charger), cellular Network MCC/MNC, cellular Network Name, GPS Altitude and/or Speed, timestamps for departure/arrival to a location.
The report published by the Guardian app team includes the names of 12 monetization firms that received data along with the names of 24 apps that use the tracking code provided by location data monetization firms.
The report also includes the names of 100 news apps containing monetization code provided by data monetization firm RevealMobile.
“In August 2017, RevealMobile was also found to be packaged in the AccuWeather app for a brief period of time and was criticized by users for collecting Wi-Fi SSID and BSSID from user’s even if Location Services access was denied (More:https://www.zdnet.com/article/accuweather-caught-sending-geo-location-data-even-when-denied-access/ ).” continues the report.
Experts also shared these potential mitigations: