AccuWeather is one of the most popular weather apps across iOS and Android, and it’s a trusted service that countless people rely on every hour of every day. Now, security guru Will Strafach is sounding the privacy alarm after discovering that AccuWeather on iPhone is forwarding location data even if the user settings prohibit it, and that’s not even the worst part.
Strafach says that, upon studying the data being sent back and forth by the AccuWeather iOS app, he discovered that even if the user has location sharing turned off, the app still forwards the name of the Wi-Fi router the phone is connected to and its MAC address to its “data monetization” partner Reveal Mobile. That data, while not as precise as true location data, can still be used to pin a user down to a general area within a city, and even to a specific address in certain cases.
ZDNet, which also verified Strafach’s findings, spoke to Reveal Mobile about the seemingly unwarranted data forwarding. The company admitted that it does receive that information, but insisted that it doesn’t use it for location purposes, and that it’s anonymized.
As Strafach notes in his blog post explaining the findings, this kind of thing has run afoul of the FTC in the past. The legality of this kind of vague location tracking is still mostly up in the air, but it would seem to be in AccuWeather’s best interest to either make it clear to users how this information is being used or prevent it from being collected in the first place.
Update 8/23: AccuWeather provided the following statement:
Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.
AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.
To avoid any further misinterpretation, Reveal is updating its SDK and pushing out new versions of the SDK in the next 24 hours, with the iOS update going live tonight. The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending that update.