AccuWeather app requesting access to geo-location data

Will Strafach, an independent security researcher, stated over the weekend that the AccuWeather iOS app sends location information to a data monetization firm named Reveal Mobile.

On its website, the company touts the ability to "convert mobile location signals into high value audiences" and "generate more mobile revenue, with or without ads," for its customers.

AccuWeather app sends data to Reveal Mobile every few hours

Strafach discovered the AccuWeather data collection streams on Saturday when he also tweeted his initial findings.

Over the weekend, the researcher carried out more tests to verify the validity of his discovery.

"During a testing period of 36 hours, specifically while the AccuWeather application was not in the foreground, my test iPhone (located on a desk in an office building) sent [...] information to RevealMobile a total of 16 times, occurring roughly once every few hours," the researcher wrote today in a Medium blog post.

According to Strafach, the AccuWeather iOS app collects the following information:

Precise GPS coordinates, including current speed and altitude.
Name and BSSID of the Wi-Fi network the user is currently using.
Status of the device's Bluetooth connection (on or off).

Collected data can be used to infer user lifestyle preferences

The GPS coordinates are the most sought-after information, but they may not always be available, as users tend to disable location tracking most of the time.

For those instances, the Wi-Fi network information serves as a replacement. There are multiple services and databases currently available online that can convert Wi-Fi network names (SSIDs) and BSSIDs (the access point's hardware address) into approximate geographical coordinates.
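The kind of check Strafach performed, reproduced here as an added example rather than his code or AccuWeather's: given decoded request bodies captured from an idle phone through a proxy, classify each one by the location-identifying fields it carries (precise coordinates, SSID, BSSID, Bluetooth state) and count, per destination host, how often such data leaves the device within a window. The capture, the parameter names and the hosts are constructed placeholders; real apps use their own field names, so the key lists are assumptions to be adapted to the traffic actually observed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample of decoded HTTP request bodies, as a proxy would show
# them while the phone sits on a desk. Hosts and values are placeholders,
# not real endpoints or captured data.
SAMPLE_CAPTURE = [
    {"ts": "2017-08-19T08:00:00", "host": "weather-api.example",
     "body": "locationkey=12345&details=true"},
    {"ts": "2017-08-19T09:12:00", "host": "collector.example",
     "body": "lat=40.712812&lon=-74.006015&speed=0.0&alt=14.2"
             "&ssid=OfficeWiFi&bssid=a4:2b:8c:11:22:33&bt=1"},
    {"ts": "2017-08-19T11:40:00", "host": "collector.example",
     "body": "lat=40.712809&lon=-74.006021&speed=0.0&alt=14.0"
             "&ssid=OfficeWiFi&bssid=a4:2b:8c:11:22:33&bt=1"},
    {"ts": "2017-08-19T20:00:00", "host": "weather-api.example",
     "body": "locationkey=12345&details=true"},
]

# Assumed parameter names; adapt to the field names seen in real traffic.
BSSID_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "longitude"}
SSID_KEYS = {"ssid", "wifi_name"}
BSSID_KEYS = {"bssid", "wifi_mac"}
BT_KEYS = {"bt", "bluetooth", "bluetooth_enabled"}


def decimal_places(value: str) -> int:
    """Digits after the decimal point in a numeric string (0 if none)."""
    return len(value.split(".", 1)[1]) if "." in value else 0


def classify_body(body: str) -> set:
    """Return the kinds of location-identifying data in one form-encoded body."""
    params = {k.lower(): v[0] for k, v in parse_qs(body).items()}
    found = set()
    lat = next((params[k] for k in LAT_KEYS if k in params), None)
    lon = next((params[k] for k in LON_KEYS if k in params), None)
    if lat and lon:
        # Four decimals is roughly 10 m; treat that or better as precise GPS.
        if min(decimal_places(lat), decimal_places(lon)) >= 4:
            found.add("precise_gps")
        else:
            found.add("coarse_gps")
    if any(k in params and BSSID_RE.match(params[k]) for k in BSSID_KEYS):
        found.add("bssid")
    if any(k in params for k in SSID_KEYS):
        found.add("ssid")
    if any(k in params for k in BT_KEYS):
        found.add("bluetooth_state")
    return found


def audit_capture(capture, window_hours=36):
    """Per host: requests in the window that carried location-identifying fields."""
    times = [datetime.fromisoformat(r["ts"]) for r in capture]
    start = min(times)
    end = start + timedelta(hours=window_hours)
    report = defaultdict(lambda: {"requests": 0, "fields": set()})
    for rec, ts in zip(capture, times):
        if not (start <= ts <= end):
            continue
        fields = classify_body(rec["body"])
        if not fields:
            continue  # first-party traffic without precise location is not reported
        entry = report[rec["host"]]
        entry["requests"] += 1
        entry["fields"] |= fields
    return dict(report)


if __name__ == "__main__":
    for host, info in audit_capture(SAMPLE_CAPTURE).items():
        print(f"{host}: {info['requests']} request(s) carrying {sorted(info['fields'])}")
```

The host report is what a privacy review needs: a weather request carrying only a location key is expected, while a second host receiving six-decimal coordinates plus the BSSID every couple of hours, with the app in the background, is exactly the pattern described above.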

Based on Reveal Mobile's website, we can speculate that the company is mapping out each person's daily travels, collecting information about each user's favorite shops, malls, cafes, and other venues, data that can be used to deliver targeted ads, either by AccuWeather or any other advertiser.

This type of data collection is prohibited without the user's prior consent, as quite a lot of personal details can be inferred from it [1, 2]. For example, a person visiting a cancer clinic on a regular basis is most likely suffering from the disease, information that many people would like to keep private, and most certainly out of the hands of advertising agencies.

Back in February, Strafach published another research report showing that 76 popular iOS apps were vulnerable to attacks that could intercept TLS-encrypted data.