Strafach, well known for his early iOS jailbreak hacks, notes that he was actually researching a separate security problem in AccuWeather's iOS app. However, during testing he discovered that the app sent data 16 times to Reveal Mobile, a third-party SDK embedded in the AccuWeather app. According to the company's own PR, it works as a way "to help app publishers and media companies extract the maximum value from their location data." That can generate a lot of money for both Reveal Mobile and AccuWeather, he notes.
Furthermore, Reveal Mobile's SDK may also collect user location data via Bluetooth beacons, Strafach believes. According to Reveal Mobile's own product description, when you're near one, it can figure out your location and turn the info into data it can sell. "While traditional lat/long audiences require the app to be open and running, detecting or 'bumping' beacons can occur when apps are not in use," the company writes. "This allows Reveal Mobile to build larger, and more accurate, location-based audiences."
Obviously, the company can generate more revenue if an app collects data even when users opt out. However, that "violate[s] user trust," Strafach notes, and seemingly Apple's developer agreement as well.
You may not track an end-user's WiFi network usage to determine their location if they have disabled location services for your application. --Apple developer agreement.
Though tracking WiFi BSSID names may seem innocuous, the FTC is investigating a company called InMobi about that same thing, he adds. "By collecting the BSSID (i.e., a unique identifier) of the WiFi networks that a consumer's device connected to or was in-range of, and feeding this information into its geocoder database, InMobi could then infer the consumer's location," the FTC says, adding that InMobi also did this when users opted out of geolocalization.
On Twitter, Strafach replied to users who say that app tracking is expected nowadays. "Most app analytics are usually quite tame ... this case goes further than what most apps do." Tracking such information doesn't appear to be possible on Android, as Google has been aware of the potential for WiFi tracking abuse for a while now. Since Android 6.0 (Marshmallow), applications must obtain user permission before they can access a network's BSSID. We've reached out to Apple and AccuWeather for more information.
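The two points above, that a BSSID is effectively a location signal once it is fed into a geocoder database (the FTC's description of InMobi) and that an SDK honoring a location opt-out must therefore drop such fields rather than just the GPS fix (Apple's rule), can be shown in a short Python example. This is an added illustration, not code from AccuWeather, Reveal Mobile or the Engadget article; the geocoder table, the BSSIDs, the coordinates and the field names (bssid, ssid, beacon_ids, lat, lon) are all constructed for the example. It generalizes slightly beyond the article by treating beacon identifiers and raw coordinates the same way as BSSIDs, since any of them can be used to infer location.

```python
"""Telemetry opt-out gate: why a BSSID is location data, and how to strip it.

All values below are constructed for this example; the BSSIDs and
coordinates are made up and do not refer to real access points.
"""

# Constructed stand-in for a BSSID geocoder database (bssid -> (lat, lon)).
GEOCODER_DB = {
    "02:00:00:aa:bb:01": (40.7580, -73.9855),
    "02:00:00:aa:bb:02": (40.7584, -73.9851),
    "02:00:00:cc:dd:03": (37.7749, -122.4194),
}

# Fields that allow location to be inferred even when no GPS fix is sent.
# (Assumed field names for this example.)
LOCATION_INFERRING_FIELDS = {"bssid", "ssid", "beacon_ids", "lat", "lon"}


def infer_location(bssids):
    """Return the centroid of all BSSIDs found in the geocoder database,
    or None if no BSSID is known. This is the inference the FTC describes:
    a 'unique identifier' of a nearby network becomes a position."""
    hits = [GEOCODER_DB[b.lower()] for b in bssids if b.lower() in GEOCODER_DB]
    if not hits:
        return None
    lat = sum(h[0] for h in hits) / len(hits)
    lon = sum(h[1] for h in hits) / len(hits)
    return (round(lat, 4), round(lon, 4))


def build_payload(raw, location_opt_out):
    """Gate outgoing telemetry. With the opt-out set, every field that could
    be used to infer location is removed, not only the lat/lon pair."""
    if not location_opt_out:
        return dict(raw)
    return {k: v for k, v in raw.items() if k not in LOCATION_INFERRING_FIELDS}


def audit_payload(payload, location_opt_out):
    """Return the names of fields that violate the opt-out, sorted.
    An empty list means the payload is compliant."""
    if not location_opt_out:
        return []
    return sorted(k for k in payload if k in LOCATION_INFERRING_FIELDS)


if __name__ == "__main__":
    # Constructed sample of what an analytics SDK might gather.
    sample = {
        "device_id": "constructed-device-0001",
        "app_version": "1.0",
        "bssid": "02:00:00:AA:BB:01",
        "ssid": "constructed-ssid",
        "beacon_ids": ["constructed-beacon-1"],
    }
    print("inferred from BSSID:", infer_location([sample["bssid"]]))
    for opt_out in (False, True):
        payload = build_payload(sample, location_opt_out=opt_out)
        print(f"opt_out={opt_out}: sends {sorted(payload)}; "
              f"violations={audit_payload(payload, opt_out)}")
```

The point of audit_payload is that the check can run on the serialized payload right before it leaves the device, independently of whichever code assembled it, which is the kind of gate that would have flagged BSSID transmission under an opt-out regardless of what the SDK's own logic intended.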
Update: Reveal has provided an emailed statement to Engadget and said that it "honors all operating system level 'limit ad tracking' and 'do not track' permissions." At the same time, it said that "in looking at our current SDK's behavior, we see how that can be misconstrued." Its full statement to Engadget is below, and they expanded on it in a blog post. On Twitter, Strafach noted the statement and said "I do not personally agree with their logic, but feel free to read and decide."
We don't attempt to reverse engineer a device's location if someone opts out of location services, regardless of the data signal it comes from. In looking at our current SDK's behavior, we see how that can be misconstrued. In response to that, we're releasing a new version of our SDK today which will no longer send any data points which could be used to infer location when someone opts out of location sharing.
Update 2: AccuWeather has also responded to Fast Company with a statement, saying it was unaware that Reveal Mobile was transmitting WiFi location data and didn't use the info itself. It also confirmed Reveal Mobile's statement that it's updating the SDK and says it has disabled the current SDK pending that update. The key paragraphs of its statement are below:
AccuWeather and Reveal Mobile are committed to following the standards and best practices of the industry. We also recognize this is a quickly evolving field and what is best practice one day may change the next. Accordingly, we work to update our practices regularly.
To avoid any further misinterpretation, Reveal is updating its SDK and pushing out new versions of the SDK in the next 24 hours, with the iOS update going live tonight. The end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing. In the meanwhile, AccuWeather had already disabled the SDK, pending that update.