'The GuardianApp team has discovered that a growing number of iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms.'
People like to think Apple's App Store is rigid and closed but it actually provides an enormous amount of freedom and flexibility to developers so they can craft useful and hopefully thoughtful apps for us, the shared users and customers. Unfortunately, the same frameworks that some developers use to make groundbreaking apps others misuse to make trust-breaking ones instead.
From the Guardian App blog:
In order to gain initial access to precise data from the mobile device's GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation.This page contains potential mitigations for end users, 24 examples of apps which contain code from location data monetization firms, 12 known location data monetization firms, and nearly 100 examples of regional/local news apps which have previously contained code from a specific location data monetization firm (RevealMobile).
In some cases, the access requested and code run may truly be beneficial — for example, trying to provide location-specific services when and where you need them. In other cases, it may be a cheap way to sell out their own users in order to generate revenue from data harvesting companies. In both cases, use of pre-packaged code from data harvesting companies means the second likely happens even when the goal is the first.
Guardian App founder, Will Strafach — a name that should be familiar to anyone in the iOS infosec community — also followed up with a series of tweets chronicling (no pun intended) the reactions of some of the companies once they were caught.
the way firms respond is very intriguing to me. for example, ASKfm indicates that they do this to improve user experience, yet the public website of one tracker (Huq) even has an earnings calculator and describes how they pay for your data. https://t.co/tRjahWFQOX pic.twitter.com/f2XyEHBaOmthe way firms respond is very intriguing to me. for example, ASKfm indicates that they do this to improve user experience, yet the public website of one tracker (Huq) even has an earnings calculator and describes how they pay for your data. https://t.co/tRjahWFQOX pic.twitter.com/f2XyEHBaOm— Will Strafach (@chronic) September 7, 2018September 7, 2018
The report lists two dozen apps and a bevy of companies that make money off data farming through those apps.
If this offends you, you can turn on Limit Ad Tracking in Settings > Privacy > Advertising, and refuse to grant access to location data when the apps ask for it. You can also check out this video for more privacy tips:
I'd like to think awareness and public shaming would help stamp out this practice. Unfortunately, there's just too much money to be made for that to be realistic. I'd also love Apple, which prides itself on championing privacy, to get way more proactive about how App Store apps use, and in some cases abuse, our data. (I'm sensitive that Apple is already considered far too controlling by some, but quantity and quality are two very different measures.)
Ultimately, it's up to us, the customers and users, to educate ourselves and to vote with our money, time, and attention. If companies abuse our data, we need to starve them out of existence with extreme prejudice.
