Dozens of iOS apps surreptitiously share user location data with tracking companies




While preparing for a workshop at DEF CON in August on locating confidentiality leaks in network traffic, we discovered several apps on iOS and Android that were transmitting accurate location data to app developers, sometimes in unencrypted formats. Research released last Friday by Sudo Security's Guardian mobile firewall team confirmed our findings and demonstrated that many applications share location data with companies that market location information without the users' knowledge.

In a blog post titled "Site Monetization in iOS Apps," the Guardian team detailed 24 applications from the Apple iOS App Store that transferred data to 12 different companies that monetize location data. The 24 applications identified were found in a random sample of the leading free apps from the App Store, so there are probably many other iOS apps that are surreptitiously selling user location data. In addition, the Guardian team confirmed that a data mining service was connected to applications from more than 100 local broadcasters owned by companies such as Sinclair, Tribune Broadcasting, Fox, and Nexstar Media.

While some of these applications use location data from various sources as part of their service (many were weather applications, and another provided a fitness-tracking function), others used location mostly to provide more relevant ads. None explicitly stated that the data was shared with a third party.

GPS-based location services can be managed relatively easily on iOS devices and can be disabled for specific applications or in general. It is also possible to limit ad tracking in the iOS privacy settings. But other methods of geolocation, including tracking nearby Wi-Fi networks and Bluetooth Low Energy (BLE) tags, are less obvious yet potentially even more accurate. The applications identified by the Guardian team, some of them repackaged under several names as mobile applications for broadcasters, transmitted all or part of these types of location-based information and, in some cases, also collected:

  • Accelerometer information (X axis, Y axis, Z axis)
  • Unique advertising ID (IDFA) of the iOS device
  • Percentage and state of charge of the battery (battery or USB charger)
  • Mobile country code (MCC) and mobile network code (MNC) of the cellular network
  • Name of the cellular network
  • Altitude and/or GPS speed
  • Timestamp of arrival and departure at a specific location

Data points like these are used by companies such as InMarket to track the retailers that an application user has visited (or has stopped visiting). The cellular network data can be used on its own for geolocation, and other aspects of the device can be used to "identify" the user across applications, as well as to monitor behavior at certain places. Ars was able to independently confirm a sampling of the Sudo Security data.

In addition to these types of revenue-generating location data leaks, Ars found some iOS apps that use location data for legitimate purposes but send it in plaintext API requests. For example, while Weather Underground's Wunderground application transmits much of its data using TLS encryption, the application sends accurate latitude and longitude coordinates, which can be used to calculate the position of the user, in an unencrypted HTTP request to the server.
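
The kind of plaintext coordinate leak described above can be spotted in a proxy or firewall log with a short script. The following is an added example, not code from Ars or the Guardian team: the hosts, request lines and query parameter names are constructed, and the accuracy figure is a rough estimate based on how many decimal places the coordinates carry.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy-log lines; hosts and parameter names are invented.
SAMPLE_REQUESTS = [
    "GET http://api.weather.example/v1/forecast?lat=38.8977&lon=-77.0365&units=e",
    "GET https://api.weather.example/v1/radar?lat=38.8977&lon=-77.0365",
    "GET http://cdn.weather.example/tiles/5/9/12.png?v=3",
    "GET http://api.weather.example/v1/alerts?geocode=38.90,-77.04",
]
LAT_KEYS = ("lat", "latitude")                  # assumed common names
LON_KEYS = ("lon", "lng", "long", "longitude")  # assumed common names
PAIR_RE = re.compile(r"^(-?\d{1,2}\.\d+),(-?\d{1,3}\.\d+)$")

def _decimals(text):
    return len(text.split(".")[1]) if "." in text else 0

def _valid(lat, lon):
    try:
        return -90 <= float(lat) <= 90 and -180 <= float(lon) <= 180
    except ValueError:
        return False

def find_coordinates(url):
    """Return (lat, lon) strings from the query string, or None."""
    params = parse_qsl(urlsplit(url).query)
    lowered = {k.lower(): v for k, v in params}
    lat = next((lowered[k] for k in LAT_KEYS if k in lowered), None)
    lon = next((lowered[k] for k in LON_KEYS if k in lowered), None)
    if lat and lon and _valid(lat, lon):
        return lat, lon
    for _, value in params:  # single "lat,lon" value under any key
        m = PAIR_RE.match(value)
        if m and _valid(*m.groups()):
            return m.groups()
    return None

def plaintext_location_leaks(request_lines):
    """List (host, (lat, lon), approx_metres) for cleartext requests."""
    findings = []
    for line in request_lines:
        url = line.split(" ", 1)[1]
        parts = urlsplit(url)
        coords = find_coordinates(url) if parts.scheme == "http" else None
        if coords:
            digits = min(_decimals(coords[0]), _decimals(coords[1]))
            # One degree of latitude is ~111 km; each decimal digit divides by 10.
            findings.append((parts.hostname, coords, round(111_000 / 10 ** digits, 1)))
    return findings
```

Requests sent over TLS are skipped because their query strings are not visible to a passive observer on the network path, which is the exposure the plaintext requests create.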
