Giving a weather app permission to access your GPS information seems reasonable. Some apps’ collection of that geolocation data, however, gets too close for comfort. AccuWeather, and its app for iOS, recently received a public flogging for their mobile app’s privacy practices. We don’t feel the need to pile on. But, a core aspect of the NowSecure mission is helping organizations protect themselves by maximizing the security of the mobile apps they use and the apps they develop for their customers and themselves. Because our clients take mobile app security, compliance and privacy seriously, we wanted to provide a quick summary of the incident with a few lessons on critical best practices.

AccuWeather iOS app sent location data to third parties

Last week, a security researcher published an article claiming that the AccuWeather app for iOS sent data to a third party including:

  • GPS data – longitude, latitude, altitude, speed
  • Wi-Fi router data – Basic Service Set Identifier (BSSID) — the MAC address for the wireless access point used
  • Bluetooth data – whether the device’s Bluetooth functionality is on or off

It’s obvious that GPS data can identify a user’s location. A lesser-known fact is that a user’s BSSID and free tools available on the Internet can also identify a person’s location within a few meters. The AccuWeather iOS app sent that data along to a third-party service provider for advertising purposes. The researcher also claimed that despite opting-out of location services within the app, the BSSID was still sent to the third party.

In 2016, the Federal Trade Commission investigated a mobile advertising company, InMobi, for collecting BSSID data from mobile devices without users’ permission. A settlement with the FTC included a $4 million fine for InMobi (reduced to $950,000 due to the company’s financial circumstances) and a requirement for an independent audit of the company’s privacy program and practices every two years.

AccuWeather responded that a third-party SDK (Reveal SDK from Reveal Mobile) was to blame, and that as a result, they disabled the SDK in the app. A day later, Accuweather updated it’s iOS app to remove the offending Reveal SDK that “inadvertently allowed Wi-Fi router data to be transmitted to this third-party vendor.”

AccuWeather iOS app still sending GPS data to third party

Our analysis today of the updated app shows that with location services enabled the AccuWeather app still sends GPS data to another third-party mobile advertising provider — Nexage. The app’s privacy policy and an in-app request for access to location data still lack clarity regarding the purpose and use of collecting, tracking and sharing location data by stating, “Location data is collected anonymously in a form that does not personally identify you and is used by AccuWeather and its partners and licensees to provide and improve location-based products and services.”

AccuWeather iOS app request for location data and privacy statement

Mobile app security lessons from the AccuWeather privacy episode

We’ve identified three main takeaways from this incident to help organizations mitigate their own mobile risk:

  1. If you develop mobile apps, test them regularly to audit the data they collect, store and/or share and be explicit about the handling of that data
  2. Apply the same level of testing and even more scrutiny to third-party components in the apps you develop and use in the code you develop yourself
  3. Don’t assume apps from the Apple® App Store® or Google Play™ store are secure, compliant, or respect user privacy

1. Test your app and be explicit about data collected and shared

If you develop a mobile app, make sure you’re explicit about the data you collect and its destination. A number of federal agencies, the FTC chief among them, don’t shy away from investigating a company’s security and privacy practices if they suspect any discrepancies between a company’s statements and the facts (see InMobi, Snapchat, Wyndham, and most recently Uber).

AccuWeather claimed they were unaware that the Reveal Mobile SDK had access to the location data in question. The FTC won’t likely accept ignorance as an excuse when investigating the potential violation of consumer privacy. Make sure you have complete visibility into your apps’ security, compliance, and privacy practices by performing regular mobile app security assessments and penetration testing. Only NowSecure fully automates mobile app security testing to identify the broadest array of security issues, privacy problems, and compliance gaps in custom mobile apps — and faster, deeper, and with more accuracy than any alternative.

2. Scrutinize third-party components and integrations

Don’t get caught unaware of potential risks in third-party components integrated into your mobile apps. Mobile app developers need to vet third-party libraries, SDKs, open source, and other components and ask questions such as:

  • Do those third-party components properly secure the data they handle?
  • What data do they collect?
  • Where is that data sent and stored?

A number of regulations require diligence in selecting and doing business with service providers. The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule, for example, requires financial institutions to implement a security program that requires service providers, by contract, to implement and maintain “appropriate safeguards for the information.” For more about mobile app compliance for financial institutions, see our recent webinar, “Solving for compliance: Mobile app security for banking and financial services.”

And again, the best way to make sure that a third-party component isn’t violating your security, compliance, or privacy policy is to perform mobile app security testing of the app and observing its behavior.

3. Don’t assume apps from official app stores meet your standards

In sensitive verticals, including government, preventing the tracking of an employee’s location might be mission-critical. A number of apps, or third-party SDKs integrated within them, may not make some of their functionality obvious or explicitly ask permission to collect and/or share data about a user. Financial institutions, government agencies, and other enterprises can’t count on just app store reviews. They need more thorough vetting of third-party apps to ensure they comply with internal and regulatory security standards.

To provide organizations with deeper visibility into the security, compliance, and privacy status of Apple App Store and Google Play store apps, we’ve extended the NowSecure Platform to provide “AlwaysOn” mobile app vetting for third-party mobile apps with our new NowSecure Intelligence™ product. If you’re interested in early access, apply now.

Remain vigilant of mobile apps collecting and sharing user data

It’s clear we all need to remain aware of the data collection and sharing that occurs under the surface in custom, third-party commercial, and business-critical mobile apps. To learn how NowSecure and the NowSecure Platform can help you manage mobile app security risk and more specifically audit your app’s collection of user data, e-mail us at [email protected] or fill out our contact form.

What to read next:

Sam Bakken

linkedin icon twitter icon

Former Mobile App Security Testing Evangelist

During his time at NowSecure Sam advocated for keeping mobile devices, apps, and users secure through mobile app security testing.