AccuWeather iOS app misleads users as it sends location data even when denied access
Update #2: AccuWeather has released a joint statement with Reveal Mobile. From the statement:
Despite stories to the contrary from sources not connected to the actual information, if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user.
Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose.
Update: Reveal Mobile has issued the following statement to 9to5Mac in response to Strafach’s audit:
We don’t attempt to reverse engineer a device’s location if someone opts out of location services, regardless of the data signal it comes from. In looking at our current SDK’s behavior, we see how that can be misconstrued. In response to that, we’re releasing a new version of our SDK today which will no longer send any data points which could be used to infer location when someone opts out of location sharing.
AccuWeather on iOS may be violating Apple’s developer agreement as well as user trust, a new security audit reveals. Will Strafach, a security researcher, discovered that the iOS weather app is potentially sending out the identifiable user and device information to a third-party company even when location data sharing is denied.