
Popular iPhone apps caught sending user location data to monetization firms - tareqak
https://techcrunch.com/2018/09/07/a-dozen-popular-iphone-apps-caught-quietly-sending-user-locations-to-monetization-firms/
======
walterbell
How do researchers find this information? Presumably the apps are using
encrypted network connections to submit your location data to surveillance
backends. Is guardianapp reversing each application using jailbroken devices?
Using an iOS emulator to inspect the running app?

~~~
willstrafach
A lot of work went into rooting out these trackers, what data they sent, and
what apps they were in. We used a combination of static code analysis for
each, runtime analysis (e.g. Corellium), and network packet capture/analysis.

The good news is that only that last part is required if you would like to try
this, now that the commonly used hostnames are published.

Folks can add the full list to a system such as Pi-Hole, and if they notice
any hits for the listed servers, they can then route their device traffic
through a tool such as Bettercap or Burp Suite in order to discover the
offending app(s) and what information they are sending.
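
The defender-side workflow described above (feed the published hostnames to Pi-hole, watch for hits, then trace the device) as an added example that is not code from the report, the thread or the Pi-hole project: it parses Pi-hole's dnsmasq-format query log and attributes tracker lookups to client devices. The hostnames and log lines are constructed placeholders standing in for the real published list.

```python
"""
Flag DNS lookups for listed tracker hostnames in a Pi-hole (dnsmasq) query log
and attribute them to the client device that made them.

Added example, not code from the Guardian report or Pi-hole. Assumes the log
uses dnsmasq's default "query[TYPE] name from client" line format. The
hostnames and log lines below are constructed placeholders, not real trackers.
"""
import re
from collections import defaultdict

# Constructed stand-ins for the published list of tracker hostnames.
TRACKER_HOSTS = {
    "collect.tracker-a.example",
    "sdk.tracker-b.example",
}

# dnsmasq query line, e.g.
# Sep  7 12:34:56 dnsmasq[812]: query[A] sdk.tracker-b.example from 192.168.1.23
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[\d+\]: "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample of a pihole.log excerpt: one device (.23) talks to two
# listed hosts, another (.40) to one; replies and forwards are interleaved.
SAMPLE_LOG = """\
Sep  7 12:34:56 dnsmasq[812]: query[A] www.example.org from 192.168.1.23
Sep  7 12:34:56 dnsmasq[812]: forwarded www.example.org to 9.9.9.9
Sep  7 12:35:01 dnsmasq[812]: query[A] sdk.tracker-b.example from 192.168.1.23
Sep  7 12:35:01 dnsmasq[812]: query[AAAA] sdk.tracker-b.example from 192.168.1.23
Sep  7 12:35:07 dnsmasq[812]: query[A] eu.collect.tracker-a.example from 192.168.1.23
Sep  7 12:36:40 dnsmasq[812]: query[A] collect.tracker-a.example from 192.168.1.40
Sep  7 12:36:41 dnsmasq[812]: query[A] news.ycombinator.com from 192.168.1.40
""".splitlines()


def matched_tracker(name, trackers=TRACKER_HOSTS):
    """Return the listed host that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    # Walk from the full name up through its parents, stopping before the bare
    # TLD, so eu.collect.tracker-a.example matches collect.tracker-a.example.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in trackers:
            return candidate
    return None


def scan_log(lines, trackers=TRACKER_HOSTS):
    """Return {client_ip: {tracker_host: lookup_count}} for queries that hit the list."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # cached/forwarded/reply lines carry no client attribution
        tracker = matched_tracker(m.group("name"), trackers)
        if tracker:
            hits[m.group("client")][tracker] += 1
    return {client: dict(per_host) for client, per_host in hits.items()}


def suspect_clients(hits):
    """Clients ordered by total tracker lookups, most active first."""
    totals = {client: sum(per_host.values()) for client, per_host in hits.items()}
    return sorted(totals, key=lambda c: (-totals[c], c))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    # A device listed here is the one to route through Burp/Bettercap next,
    # to see which app on it is talking and what it sends.
    for client in suspect_clients(hits):
        print(f"{client}: {sum(hits[client].values())} lookups -> "
              f"{', '.join(sorted(hits[client]))}")
```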

~~~
jsjohnst
> We used a combination

You were involved? Why am I not surprised! Thanks for doing your part my
friend.

~~~
minhazm423
can you tell me a bit about him?

~~~
diamondo25
He tells enough in his HN profile:

information security research. ceo @ sudo security group
([https://verify.ly](https://verify.ly)).

previously: founder of "Chronic Dev Team" responsible for many years of iOS
jailbreaking solutions (24kPwn, absinthe, corona, greenpois0n, etc).

------
MBCook
No surprise to see a number of weather apps on here. Seems to be such an
incredibly scummy category.

The built in Apple app is fine for basic information. There are plenty of
high-quality third-party apps. Weather Line (my fav) is $2. DarkSky is $4.

Instead people go for these weird free apps covered in ads with terrible UIs.
The NOAA one isn’t made by the government, seems like using that name should
be some kind of copyright infringement.

Of course WeatherBug on desktops was adware/malware for a very long time.
Maybe it still is.

Then you get scareware stuff like the earthquake notification app. You better
let us track everything you do otherwise you might die!

There are so many good apps on the store made by good developers. It’s amazing
how much better your experience is if you just avoid free apps when possible.

Of course some of these apps, like the ones that you NEED to use for certain
parking meters, are especially evil because there isn't any choice. If you
need that service, you’re giving up your privacy.

I wish Apple would crack down on this stuff. I imagine a lot of these apps are
doing things that already violate the App Store guidelines. If they don’t,
they probably SHOULD.

~~~
dwighttk
>There are so many good apps on the store made by good developers. It’s
amazing how much better your experience is if you just avoid free apps when
possible.

Yes. It cannot be emphasized enough. Go pay for apps that are good.

~~~
kupiakos
While generally true, I've also found free apps are usually decent and not
scummy if they're open source.

~~~
magnetic
Could you give us some examples? I'd like to go check them out.

~~~
modzu
[https://github.com/conceptualspace/trueweather](https://github.com/conceptualspace/trueweather)

------
trevor-e
Why does it seem like browser extensions are ignored in all of these
discussions? For example, right now the Honey Chrome extension has permission
to "Read and change all your data on the websites you visit". They could be
doing anything with that, I'm just crossing my fingers that they find me good
deals and don't abuse my data.

Chrome actually acknowledges this: "Warning: Google Chrome cannot prevent
extensions from recording your browsing history. To disable this extension in
incognito mode, unselect this option."

Related question: why can't we restrict the domains that Chrome extensions can
read data from?

~~~
MBCook
That’s not an issue in iOS/Safari because extensions can’t do that kind of
thing.

I’ve seen other people complain about this for chrome. I saw people justifying
it by saying that that permission is necessary if you want to interact with
the page directly (hide/show content, etc.).

Doesn’t mean the extensions are to be using it, but it may be necessary. Much
like GPS data for a weather app.

~~~
dschuetz
GPS data for a weather app is _not_ necessary, because it's way too precise for
its purpose. Most of the time I need to know how the weather is elsewhere, or
how the weather is going to be today. How does precise (to a meter) GPS data
help me there exactly?

~~~
acdha
Not to the meter but we get plenty of rainstorms where a half mile makes the
difference between wet and dry, and Dark Sky’s push alerts are surprisingly
useful.

~~~
throwaway2048
There aren't weather stations every half mile.

~~~
acdha
They use radar and software to predict storm growth and trajectories. Next
time you look at a radar map ask yourself the physical size represented by one
pixel: in much of the United States it should be something like 150m.

------
maxden
This is the report the article is based on [https://guardianapp.com/ios-app-location-report-sep2018.html](https://guardianapp.com/ios-app-location-report-sep2018.html)

~~~
ccnafr
Funny that HN mods always replace links to original sources except
TechCrunch... TC can post all the blog-spam they want

~~~
willstrafach
To be somewhat fair in this case, the TC author got an advance copy of the
reporting and data in order to get some company responses included, so I
suppose there is a value-add in that respect.

------
smilliken
My company analyzes iOS and Android apps en masse, using static and dynamic
analysis. We've partnered with several major universities to provide data like
this about apps. If any researchers are interested in this data, please feel
free to reach out.

For location in particular, we see which location collection permissions the
app has, as well as indirect methods like Bluetooth and Wifi. We also see the
commercial integrations, like the companies named in the article.

~~~
willstrafach
Ours (guardianapp) does exactly this as well, although exclusively for iOS. We
are using the data we glean from the static + runtime analysis for an upcoming
mobile firewall app but are open to other interesting opportunities.

Please feel free to send a message at any time, even if you would just like to
compare notes on all this (hello@sudosecuritygroup.com).

~~~
walterbell
Is your mobile firewall app going to implement iOS MDM, e.g. to enable per-app
VPNs?

~~~
willstrafach
This will be available in the future, but was deemed too complicated for most
mainstream users.

The initial default will be to simply offer a button called “Protect” and the
app handles all the rest.

------
aaaaaaaaaab
The company I work for was acquired by a Chinese giant. Recently they sent us
a static lib (i.e. no source available) to include in our app for “fraud
detection”. We complied.

~~~
driverdan
You didn't ask what it was or where it came from?

~~~
aaaaaaaaaab
I’ve asked, but my concerns were taken as a joke, because in the past I’ve
constantly been complaining about our data collection practices. I was
objecting when the marketing team pushed in the AppsFlyer SDK, then the
Branch.io SDK, then the Google AdMob SDK, then the MoPub SDK, then the
ComScore SDK, then the Saasquatch SDK, then the Kahuna SDK. The Facebook SDK
is included too, of course.

So after all this complaining over the years, they became kinda immune to my
concerns, and when the Chinese handed down their blob they merrily went on
with it.

~~~
null0pointer
What would it take for you to quit? Citing data collection practices as your
reason.

Don't have to answer, I'm just curious as it seems your morals are at odds
with your company's.

~~~
aaaaaaaaaab
True, and I'm already working on it! :fingerscrossed:

------
lawnchair_larry
I really wish there was a reliable way to just shitlist all of these
affiliate/analytics/tracking/ad SDKs device-wide. Third party SDKs sending
who-knows-what to who-knows-where is such a plague in the app ecosystem, and
even the developers including them seem to have no idea what the implications
are.

I don’t want any of them, ever.

~~~
dawnerd
pihole is really easy to set up and the default block list gets a large chunk.

~~~
gnicholas
I've found that my pihole seems to slow down a non-trivial number of websites.
It's as if the sites are waiting for a response to something before sending
the next chunk of info, and so it has to wait 20-30 seconds for a timeout
before the next chunk is sent.

Any suggestions on how to fix this? I do love how pihole blocks so many
trackers on all my networked devices!

~~~
mustuhfa
It's probably because the site is trying to make an https connection and your
pihole server must not have explicitly closed that port. You can resolve this
by either closing that port so that an RST is sent back to the client straight
away when the https attempt is made OR installing an HTTPS cert and opening up
that port so that pihole can serve you its page.

See here [https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when...](https://pi-hole.net/2018/02/02/why-some-pages-load-slow-when-using-pi-hole-and-how-to-fix-it/)

------
jscheel
From the article: "[ASKfm] asks for access to a user’s location that “won’t be
shared with anyone.” But the app sends that location data to two data firms,
AreaMetrics and Huq. When reached, the app maker said it believes its location
collection practices “fit industry standards, and are therefore acceptable for
our users.”"

Surely this is legally actionable activity, right?

~~~
trendia
Data collection fits "Industry standards" because the industry is inherently
corrupt -- Adtech requires immense user data because they chose to target
users rather than content.

------
mr_toad
I wonder if some of what these developers are engaged in could legally be
interpreted as fraud? Civil fraud is a thing.

Some of these developers have:

- making misleading and knowingly false statements
- profiting from these actions
- people were fooled by these statements

The tricky part might be demonstrating ‘harm’, but at least some jurisdictions
have enshrined a legal right to privacy, violation of which could be grounds
for legal action.

~~~
phlyingpenguin
In the case of Gas Buddy (and larger, Cuebiq), I've seen two family members
have their entire data plan used up on their behalf by the location services
being overused. I'm guessing a bug in a recent version of their library. It
might be possible to argue at least a phone bill out of them as harm.

------
manmal
My wife recently was at a certain chain store for books and paper accessories.
She did not interact with Amazon in the store, and does not have the Amazon
app installed. And yet, just minutes later, she started receiving Amazon
recommendations for exactly the kind of items you would expect at the store
she had been to. I told her that this was a coincidence, but other apps sending
her location could actually explain it.

~~~
jefftk
Did she buy something there with a credit card? That data is commonly resold.

------
sitkack
How do I blackhole all traffic to these 3rd party data collection companies?

The apps aren't even using their own bandwidth. This is a disgrace that Apple
is allowing this and doesn't provide a control to monitor or stop it.

~~~
dawnerd
Hopefully someone will add the tracking domains to a pihole list. Doesn't help
when you're on the go though unless you vpn to a network you own with a
pihole installed.

~~~
sitkack
Sounds like everyone should VPN to a device they control that at least scrubs
and analyzes their traffic, whether it is in the cloud or at their home.

------
DanielBMarkham
This might be a good time to remind folks what systemic problems are.

Systemic problems are where everybody is acting in good faith, trying to do
the right thing, yet the system overall is in a state that's unacceptable. And
the harder they work at their little piece, the worse the system gets.

Governments aren't at fault. They clearly are working on enacting privacy
laws. OS vendors aren't at fault. They clearly are working on making sure apps
behave within some defined behaviors set by the user. Walled Gardens aren't at
fault, they are working on rooting out bad actors. App makers _might_ not be
at fault. They simply might be monetizing traffic using generic services that
only take what the user has already agreed to. Even the services themselves
can claim to be working on solutions. After all, didn't the user approve this?
And aren't the rest of the food chain approving of this kind of thing? That's
the thing: certification systems, whether they mean to or not, end up being a
kind of blanket approval. They passed the tests, aren't they okay?

When news breaks, the public immediately wants to find a bad actor and bash
them over the head, not wanting to admit or think about the fact that the
entire system is at work. So controls are tightened on one bunch and the rest
of them make statements (and efforts) about trying harder.

At root is probably something simple like "Don't track user's locations.
Ever." I don't know. But I know the desire to simplify the story can lead to a
lot of heat and noise -- and not much progress. Any certification system that
says that a particular piece of code passes some kind of test can be construed
that it passes all kinds of other tests -- and you can never lock up code, no
matter how hard you try. This faith in certification systems is misplaced and
very well may be a multi-billion-dollar fool's errand.

------
dschuetz
I asked a network info app developer why it's not possible to at least track
and control network connections on iOS, like Little Snitch does (or did) for
MacOS. "iOS doesn't support that". Well, duh? I don't even know what to think.
Knowing where the iOS device connects to will be a huge help "cracking down"
on BS apps!

And then I read in the comments that it might be virtually impossible for
Apple to detect malicious/privacy breaking behavior, or consumers should go
pay for apps that are _good_. Right.

~~~
saagarjha
It's easy to figure out what an iOS device is connecting to: use a network
extension that inspects network traffic. And given that Apple has none of the
restrictions they impose on third party developers, they can essentially do
what Little Snitch does on macOS.

~~~
dschuetz
There is no way to control the iOS firewall via extensions in iOS. Meaning,
it's _still_ not supported, and what you see as "essentially" the same misses
the point. I want to _block_ connections of specific apps. What iOS _can_ do
is reveal connections made by the network device to the outside. Duh. Set up
Wireshark on some AP and get the same info.

~~~
sitkack
Niche startup idea, VPN for your mobile device that can analyze and block
traffic. Block entire countries, 3rd parties, etc. Give realtime feedback on
their dashboard as applications are loaded. Could also be useful as a
developer application profiling tool.

~~~
dschuetz
Facebook attempted such a thing already, and was caught exploiting it. VPN
apps for the purpose of traffic control and monitoring are dangerous as they
rely on some other party. I could do the same thing without ever needing a
service for that. Setting up a monitored VPN gateway is no rocket science for
me, I could do that, but the folks using crappy apps couldn't. And I would
still need a way to map traffic to specific apps to identify
unnecessary/malicious traffic. There is no other way than via the internal
iOS firewall. I wonder how the team behind that report managed to do what
they claim they did.

~~~
sitkack
Using a clean install of the OS, removing network access for almost
everything and installing a single app, and baselining background network
traffic, I don't think it would be difficult or too noisy to see application
specific network activity.

------
beached_whale
One thing to keep in mind is that IP addresses provide a pretty good location
too. Even without GPS data, they at worst know what city you are in, probably
down to the house depending on the ISP.

~~~
jjeaff
What ISP attaches your home address to your IP?

~~~
kbenson
Well, most of them (they have an install address), but in their private data.

I think maybe what's being implied is that some ISPs might sell that data...

~~~
tonyedgecombe
I don't think it even needs to be the ISP, if you buy something from an online
shop that then sells your information on then that information has leaked.

------
tomaskafka
Weather channel. Powers iOS built-in weather, and fetching actual weather data
= sending exact user location every hour.

I have no idea why Apple allows this (the whole point of making Apple maps was
to stop google tracking iOS users and here a service is getting everything).

(And Android - try to find an android phone where a default always on weather
widget isn't preloaded on homescreen.)

~~~
walterbell
Weather Channel is owned by IBM. Apple and IBM have a larger business
partnership. IBM has a retail analytics business.

[https://www.marketwatch.com/amp/story/guid/AABFA5DE-330F-11E...](https://www.marketwatch.com/amp/story/guid/AABFA5DE-330F-11E6-9903-0BD581ABB253)

> _Deep Thunder combines big data and machine-learning tools from IBM
Research with The Weather Company’s global forecasting model ... the tool will
help companies with critical decision making. The data will be able to show
how minor changes to weather, such as temperature, might affect things like
consumer buying behavior, helping retailers to adjust their supply chains and
shelve stock_

~~~
tomaskafka
There goes the privacy :). Now let's wait 3 years till some journalist
'discovers' this.

------
krausejj
Why isn’t Google on this list? Is it because they monetize your location data
in-house?

~~~
krausejj
(this was meant to be snarky. i'm just a developer with a calendar app that
requests location data to humbly provide location place recommendations... no
monetization, no sharing of this data, and it's essential to being able to
fill out the "location" field accurately. this constant stream of negative
attacks against apps not built by FAANG is destroying trust in independent
apps, due to the actions of a few bad actors. ironically, this is just driving
people back to a handful of monopolies who monetize user data in-house. the
winner here is google (and, let's be honest, they are probably already doing
something with the location data we're sending them to get the nearest place
ids).)

~~~
willstrafach
Respectfully, one goal of doing this research was to shine a light on those
who are engaging in these practices, so that users who dislike it can
potentially find alternatives.

This is a good thing for any apps who do things right.

------
mrfusion
I’m confused. On iPhone you control which apps get location data. You also get
warnings on the top of the screen when an app is using your location.

How are these apps getting around that?

~~~
LeoPanthera
I don't know if it's possible anymore, but one way used to be that the app
would send a list of every wifi network it could see. This can be used to
calculate your position surprisingly accurately, in most places in the world.

~~~
jsjohnst
> I don't know if it's possible anymore

Never was possible on iOS.

------
Buge
>The app was briefly pulled after a BuzzFeed News story earlier this year
outed the researchers

I don't think the researchers were the ones outed

------
user1324345
Are you guys aware that major corporations i.e. T-Mobile and Sprint are
selling app usage data to hedge funds? Forget the popular apps recording this,
major telecommunications companies are selling it.

------
erikb
Well maybe apps like Facebook (=Instagram), Apple Weather, Gmaps will "only"
use your data internally, but they also make most of their money from ads. So
yes, all our data is always used to target ads, political campaigns and
"viral" marketing campaigns at us. Where is the surprise in that? If you asked
2007 software engineering student me, I would've told you back then. That was
the point in time where this work started. Nowadays everybody is doing it
themselves or selling the data one way or another.

Don't you know that also this very post will be grabbed by multiple people and
companies and analysed to death by their algorithms to maybe squeeze out
another bit of information that they then try to link to me as a person in
some way?

So if you sit there wondering "does the app X that I'm using do that?" then
the answer is yes, because everybody is doing it.

------
skizm
If apps sent this info to their own backend before forwarding it to a third
party, there would be no way to tell this was happening, right?

------
cloudbubble
I think the larger issue is to be competitive in the app market you need to be
free, and to generate revenue they have to resort to shady ways, monetizing
using data or manipulating user's behavior.

I think that the business model needs to be changed starting all the way up at
places like Facebook and Google. At some point these products are going to be
perhaps even under our skin and if they are still 'free' and needing to resort
to dirty methods to turn a profit by invading our privacy, it will just be the
inevitability of the way things are now.

------
gameswithgo
Good thing we submit to a monopolistic store model for our computing devices
so we don't get malware.

end sarcasm

------
AndrewHart
"researchers found 24 popular iPhone apps that were collecting location data —
like Bluetooth beacons to Wi-Fi network names... and cell network names."

A point of note - finding the names of wireless routers, or cell network -
requires calling private APIs, so those apps should be banned from the store
on that basis alone.

------
mycoborea
Does the App Store for either iOS or macOS give any indication whether or not
an application is open source?

I know that is not at all a guarantee that an app would be more respectful of
the user's privacy, but I'd bet that it would save a chunk of guesswork.

~~~
MBCook
No, not that I’m aware of. And I think that would be meaningless to 99.8% of
users. It’s not like you can filter your searches anyway.

If people DID start thinking of it as some kind of seal of quality,
unscrupulous actors would simply open source their apps and leave all the
garbage in. So it would become meaningless.

~~~
jsjohnst
Further, what does it being open source help? They could publish the app
source without the tracking SDKs (especially as some of them are big enough
now that you have to hassle with git-lfs even if you wanted to commit it) and
then build it with the tracking SDKs before submitting to the App Store.

~~~
wruza
Other people could build these apps at build farm and publish under trusted
vendor name like linux distributions do. You don’t trust vim.deb from anyone,
but e.g. vim.org and ftp.??.debian.org/debian have at least strictly no intent
to abuse you.

~~~
jsjohnst
You realize we are talking about iOS / the App Store, right?

------
fipple
The lack of any real business model besides gambling on mobile apps sends the
market from professional firms like Autodesk and Adobe to solo developers
overseas. They have much lower accountability which makes this entirely
predictable.

~~~
MBCook
> to solo developers overseas

Why is that kind of racism necessary at all?

It has nothing to do with where people are. Developers want money. Duh.

But the App Store has gone to “basically everything is free”. The only two
ways to accomplish that for most developers are in app purchases, which don’t
work for every app, and ad/data sales.

As new people find new ways to monetize data that they can get their hands on,
they’ll approach developers and that data will get sold.

Isn’t having no privacy laws great?

Of course people could just pay for high-quality apps. Sadly that train
sailed. I feel like IAP made it worse.

~~~
ericd
That's not racism - as fipple mentions, there are significant differences in
legal accountability. And even if there weren't, pretty sure that would be
considered slight xenophobia rather than racism.

~~~
MBCook
You’re right. Xenophobia was the word I meant to use.

The legal issue seems like a red herring. Selling an app in the American App
Store makes you subject to American law.

------
location12345
I've worked in this industry for years, happy to answer any questions.

~~~
willstrafach
Do any of these companies at least take security seriously, considering the
extreme sensitivity of the massive amounts of data they collect?

------
phobosdeimos
On an Android device you can block ads and trackers, even without root.

This is the business model of the industry. Every app is loaded with this
stuff. Assume hostile behaviour.

------
somethingroma
Apple is great for the privacy concerned

------
aurelien
That is for the security of the users.

------
cvaidya1986
Steve Jobs would have been furious!

------
danjoc
Stories like this, the Uber story, and the recent one about Google tracking
location even when you opt out, are why I'm looking forward to Purism 5 with
PureOS and kill switches.

~~~
alphabettsy
How does having some kill switch solve the issue of an app that needs
geolocation selling the data or otherwise using it in a way other than you
intended?

~~~
danjoc
Having an OS and apps I can trust to not send location data solves that
problem. The kill switches ensure no roving bugs, modem AT commands, and
passive tower triangulation when I'm not using the radio. Pretty simple
really.

~~~
fooker
Do you trust the compiler/VM? How about the hardware? Maybe the fab too?

[http://wiki.c2.com/?TheKenThompsonHack](http://wiki.c2.com/?TheKenThompsonHack)

At some level, you have to trust or decide what is tolerable for you.

~~~
AsyncAwait
That argument is so tired. Just because there's no perfect privacy, doesn't
mean you can't significantly increase it. At some point you also have to trust
that the chair you're sitting on will hold you and the one that isn't visibly
weak has the best chance of doing that.

------
zadkey
It's been said before, "If it's free, you are the product".

~~~
codedokode
In non-GDPR countries you are the product no matter if you pay or not. For
example, Mastercard sells your data to Google although you pay for it.

------
ChuckMcM
If an app is useful and not costing you any money, you have to assume it is
sharing private information with a third party. There is no business plan or
strategy where giving something away keeps you in business.

~~~
MBCook
There are plenty of counterexamples to that. People making small games they
want to give away for free, utilities that are too small to be able to charge
for, free apps that have additional features behind an IAP or subscription.

Just because an app is free doesn’t mean it has to be something incredibly
scummy.

~~~
ChuckMcM
#1 source of malware on the Android ecosystem was flashlight apps. I don't
disagree that there are examples of apps or code that people have written and
given away for free just because, my comment was more along the lines of
"companies" giving away a free app.

~~~
MBCook
I remember them being a huge chunk of the scam/ad ecosystem on iOS before it
was integrated into the OS a couple versions ago.

------
trumped
Sue Apple, because they own the "curated" distribution channel and they have
too much money.

~~~
kevingrahl
Why would you blame Apple instead of the people behind the offending
application?

~~~
MBCook
Anecdotal evidence I’ve heard from developers is that there are a HUGE number
of people who think that Apple makes all the software for the iPhone. It’s an
Apple phone, you go to Apple’s App Store, so whatever you buy is Apple
software.

It’s blatantly false, but it’s out there. Just like people thinking of Google
as “the Internet” because it’s the thing they see when they open their web
browser. Someone recently said to me “did you know they added image search
to the Internet?” because they noticed the tab in Google.

The other side of course would be the lawyers. If someone came to you and
wanted to sue and you thought you had any chance in hell… would you sue the
little one man operation that doesn’t have a lot of money? Or would you try
and wrangle $1.07 trillion Apple into it? “They should have protected me.”
Chances are Apple giving you $10,000 to go away would be far more than you
could ever get out of the individual developer even with a full trial.

~~~
fooker
>Chances are Apple giving you $10,000 to go away would be far more than you
could ever get out of the individual developer even with a full trial.

Chances are Apple is going to ignore you unless 'you' are big enough to induce
bad PR.

~~~
MBCook
Realistically: I agree, they don’t care and wouldn’t pay you off.

