Research claims popular iOS apps are secretly sharing location data

11 Sep 2018

Image: Park Jae Beom/Shutterstock

According to new research, many iOS apps are sharing location data with firms that market location information without user knowledge.

Location data sharing is a hot topic of late, following recent revelations around Google data collection.

According to new research from Sudo Security’s Guardian mobile firewall team, there is an array of iOS apps pushing location information to “location data monetisation firms” that use the information for profit.

Sharing location tracking data covertly

The researchers say they identified 24 applications from a random sampling of the top free apps in the App Store – so, in all likelihood, there are more data-harvesting apps out there. The Guardian researchers also found that one data-mining service was linked with apps from more than 100 local broadcasters owned by companies such as Fox and Nexstar Media.

Although some of the apps use location data as an element of their service, such as weather and fitness tracking, others say they only use location for “providing you more relevant ads”.

In general, GPS-based location services are easy to manage on iOS devices and can be switched off completely or for specific applications. iOS privacy settings also allow for ad tracking limitations.

Not just GPS

There are other, less obvious forms of location tracking though, including Bluetooth Low Energy (BLE) beacons and tracking nearby Wi-Fi networks. The apps were spotted passing along some or all of these variants of location data. Other forms of location information passed along included:

  • Accelerometer information (X-axis, Y-axis, Z-axis)
  • Advertising identifier (IDFA)
  • Battery charge percentage and status (battery or USB charger)
  • Cellular network MCC/MNC
  • Cellular network name
  • GPS altitude and/or speed
  • Timestamps for departure/arrival to a location

Apps flagged by the researchers include: Ask.fm, Classifieds 2.0 Marketplace, Homes.com and Tapatalk, among others.

The GuardianApp team explained how the apps get access in the first place: “In order to gain initial access to precise data from the mobile device’s GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialogue, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation.”

App Store says consent is required

The legal guidelines set up by the App Store restrict apps that transmit user location tracking data to third parties without the explicit consent of the user, but the researchers claim the apps flagged do not mention the sharing of location data with others.

GuardianApp recommends users turn on the Limit Ad Tracking feature, which can be found by going to Settings, clicking Privacy and then Advertising. You can also select ‘Don’t Allow’ if a location services permission screen pops up. Turn off your Bluetooth when not in use and ensure the SSID on your home Wi-Fi router is a generic name.

In a separate report, Malwarebytes found that there are several apps exfiltrating data to Chinese servers. Researcher Thomas Reed wrote: “It’s blindingly obvious at this point that the Mac App Store is not the safe haven of reputable software that Apple wants it to be. I’ve been saying this for several years now, as we’ve been detecting junk software in the App Store for almost as long as I’ve been at Malwarebytes.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com