Security researchers have made an aggravating discovery that concerns an increasing number of iOS apps, which have been used to silently and secretly collect location histories from tens of millions of Apple devices. To do so, the apps used packaged code provided by data monetization companies.
In some cases, the specially crafted tracking code could run at all times, which means that it could constantly send GPS coordinates and other sensitive details to its operators. This discovery puts iOS devices in a new perspective, stripping them of the privacy myth that typically surrounds Apple, and bringing them closer to what Android app developers have been doing for years.
Researchers from GuardianApp discovered that, for these apps to obtain access to GPS sensor data, they “present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation”.
What Type of iOS Information do Location Data Monetization Firms Collect?
– Bluetooth LE Beacon Data
– GPS Longitude and Latitude
– Wi-Fi SSID (Network Name) and BSSID (Network MAC Address)
However, according to the researchers, some firms tend to collect additional, less sensitive details such as:
– Accelerometer Information (X-axis, Y-axis, Z-axis)
– Advertising Identifier (IDFA)
– Battery Charge Percentage and Status (Battery or USB Charger)
– Cellular Network MCC/MNC
– Cellular Network Name
– GPS Altitude and/or Speed
– Timestamps for departure/arrival to a location
The research team has disclosed 24 examples of applications that contain specific code taken from location data monetization services, 12 known location data monetization firms, and approximately 100 examples of regional and local news apps which have previously contained code from a specific location data monetization firm known as RevealMobile.
Some of the apps are ASKfm (a social networking app for iOS), C25K 5K Trainer (a fitness app), Classifieds 2.0 Marketplace (a local classifieds app for iOS), Code Scanner by ScanLife (a shopping app for iOS), Coupon Sherpa (a coupon app), Homes.com (a real estate app), My Aurora Forecast (a weather app), etc. Each of these apps presents a justification pop-up every time it requests access to Location Services, such as this one by Coupon Sherpa:
Location/Bluetooth- data may be used for providing relevant and timely coupons and for providing more applicable ads.
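For app reviewers and mobile-fleet administrators, the permission-dialog justifications described above can be checked straight from an app's Info.plist. The following is an added example, not code from the GuardianApp research or this article: the keys are Apple's standard Info.plist keys, while the disclosure word list, the sample plist and the placement of the quoted Coupon Sherpa text under a particular key are assumptions made for illustration.

```python
import plistlib

# Info.plist keys whose text iOS shows in the Location/Bluetooth permission dialogs.
PURPOSE_KEYS = (
    "NSLocationWhenInUseUsageDescription",
    "NSLocationAlwaysUsageDescription",
    "NSLocationAlwaysAndWhenInUseUsageDescription",
    "NSBluetoothPeripheralUsageDescription",
    "NSBluetoothAlwaysUsageDescription",
)
# Assumed heuristic: fragments suggesting the text admits data leaves the app.
DISCLOSURE_TERMS = ("third part", "third-part", "partner", "share", "sell", "sold")


def audit_info_plist(raw: bytes) -> dict:
    """Flag background location use and purpose strings that never mention sharing."""
    info = plistlib.loads(raw)  # accepts XML and binary plists
    findings = {
        "background_location": "location" in info.get("UIBackgroundModes", []),
        "always_access": False,
        "undisclosed": [],
    }
    for key in PURPOSE_KEYS:
        text = info.get(key)
        if text is None:
            continue
        if key.startswith("NSLocation") and "Always" in key:
            findings["always_access"] = True
        if not any(term in text.lower() for term in DISCLOSURE_TERMS):
            findings["undisclosed"].append(key)
    return findings


# Constructed sample plist; the second string is the justification quoted above.
SAMPLE = plistlib.dumps({
    "UIBackgroundModes": ["location"],
    "NSLocationWhenInUseUsageDescription":
        "Used to show nearby deals and shared with third-party partners.",
    "NSLocationAlwaysUsageDescription":
        "Location/Bluetooth- data may be used for providing relevant and "
        "timely coupons and for providing more applicable ads.",
})

if __name__ == "__main__":
    print(audit_info_plist(SAMPLE))
```

A key listed under `undisclosed` only means the dialog text is silent about sharing; whether an embedded SDK actually transmits the data still has to be confirmed by inspecting the app's network traffic.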
How Can iOS Users Protect Themselves from Unwanted Tracking Behavior?
There are several steps that can help. First of all, users should consider turning on the Limit Ad Tracking feature. To do so, go to Settings, then Privacy, and from there turn on that specific feature. This should make it more difficult for third parties to uniquely identify the iOS device.
Other measures are listed below:
- Use a very generic name for the SSID of your home Wi-Fi router (e.g. “home-wifi-1”).
- Turn off Bluetooth functionality when it is not in use.
Interested in the subject? Make sure to read more about the invasive app permissions in both iOS and Android.