Dozens of Popular iOS Apps Caught Covertly Sending User Location Data to Third Parties: Report

As many as two dozen iOS apps have been spotted sending location history of users to data monetisation firms, according to a report by mobile VPN GuardianApp's maker, Sudo Security Group. The list of apps that includes titles such as ASKfm, Classifieds 2.0 Marketplace, Homes.com, and Tapatalk are claimed to collect data points such as Bluetooth LE beacon data, GPS longitude and latitude, and Wi-Fi SSID and BSSID using a packaged code provided by third parties. Once collected, the apps in question are said to send the data to companies that monetise and sell user data. It is also said that in some cases the apps capture cellular network MCC/ MNC, GPS altitude, and even timestamps for departure and arrival to a location, all without explicitly informing the user.

"In order to gain initial access to precise data from the mobile device's GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialogue, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation," the GuardianApp team writes in the report.

While in some cases it is reported that the apps constantly send updated GPS coordinates to data companies, various apps pointed by the GuardianApp team even collect device information such as accelerometer data, battery charge percentage and status, cellular network MCC/ MNC, cellular network name, GPS altitude and speed, timestamps for departure/ arrival to a location.

As per App Store legal guidelines on data collection and sharing, Apple restricts apps that transmit user location data to third parties without explicit user consent. However, GuardianApp claims that the apps it specified in the report provide no details about the sharing of data with any third-party entities.

There are as many as 24 apps that are being claimed to send data to third-parties. GuardianApp has also specified 12 data monetisation firms that collect user data including RevealMobile that was previously alleged to collect location data from popular apps such as Accuweather. Further, the GuardianApp team states that nearly 100 regional/ local news apps have previously used code from RevealMobile that shares information with data monetisation firms.

We've reached out to Apple for clarity on the location data transmission and will update this space accordingly. Meanwhile, GuardianApp says you can mitigate your data exposure by following certain steps, that is, if you intend to continue using the named apps. It recommends you should turn on the Limit Ad Tracking feature on your iOS devices by going to Settings > Privacy > Advertising to make it difficult for location trackers to obtain your information. You should also select the Don't Allow option if a Location Services permission dialogue contains See privacy policy or similar text surfaces on the screen. It is additionally advisable to use a generic name for the SSID for the home Wi-Fi router, and Bluetooth functionality should be turned off when it is not in use.