
Apple cracking down on applications that send location data to third-parties - john58
https://9to5mac.com/2018/05/08/apple-location-apps-third-parties/
======
dep_b
I'm working for years as a developer building iOS applications. Apple got so
strict the last months maybe last year it's just incredible. Lots of questions
about monetization and background services, they really want you to have a
solid business case for background location or just don't use it.

As a consumer I'm happy they take those steps though. My privacy is worth
money. Either somebody sells it and gives me a "free" OS or somebody sells me
an OS and I don't "sell" my privacy.

~~~
Fradow
Do you know if they need a solid business case even if it is optional? For
example, any idea if an optional "locate your device" feature would get shot
down?

~~~
dep_b
Yes. I had a location tracking feature that would total your mileage
automatically and submit it after your ride to your bookkeeper (this is
mandatory for lease cars in some countries). I really had to explain that the
app also might be backgrounded because people probably would be using Apple
Maps to navigate while this thing was clocking away in the background

------
AznHisoka
Does this include apps like Foursquare/Swarm that sell aggregated location
data to hedge funds? [1]

...or are the big players exempt from the rules of the game?

[1]
[https://www.entrepreneur.com/article/290543](https://www.entrepreneur.com/article/290543)

~~~
bob_theslob646
This is another article that talks about how they actually do what the parent
comment talks about.

> When someone checks in to a place on Swarm, Foursquare's newer app, the
> company records the user's coordinates, helping it determine all the
> different coordinates associated with a single business or other place.

> Foursquare says it can't disclose who its partners are, or how many
> different smartphone users' data it has acquired. But Rosenblatt says the
> company could, for example, create a list of "millions" of smartphone owners
> who frequently visit fast food restaurants by taking a pool of location data
> collected by its partners and comparing that to its database of fast food
> restaurant coordinates.

> Advertisers could then use that data to show those users ads for fast food
> chains, or perhaps healthier alternatives or gym memberships— _all without
> those people ever having to install a Foursquare app._

[1]([https://www.wired.com/2016/01/foursquares-plan-to-use-
your-d...](https://www.wired.com/2016/01/foursquares-plan-to-use-your-data-to-
make-money-even-if-you-arent-a-user/))

~~~
syncopate
Isn't that called geofencing? It's been around for years. I always felt that
the main reason e.g. Facebook wants you to use their app is to be able to
supply data for conversions of geofencing ad campaigns, e.g. someone saw an ad
for a promotion at some burger place and then actually came to close proximity
of their wlan.

------
Rjevski
Finally.

I wish third-party analytics would be next. A lot of apps are using analytics
from companies who’s business model is inherently incompatible with privacy
(Facebook & Google) and that concerns me.

~~~
UncleMeat
Should all developers be required to write analytics themselves?

~~~
princekolt
Apple could require the analytics reporting to be opt-in.

------
gepeto42
They need to be much more aggressive towards apps that request access to the
SSID of the current network. This is supposed to be limited, but in my
experience, apps you would not expect to be doing that are doing it, and it's
basically the same thing as location data.

~~~
saagarjha
Limited? This is public and unrestricted API, to my knowledge:
[https://developer.apple.com/documentation/systemconfiguratio...](https://developer.apple.com/documentation/systemconfiguration/scnetworkconfiguration)

~~~
gepeto42
Yeah, it was supposed to be -
[https://developer.apple.com/documentation/networkextension/n...](https://developer.apple.com/documentation/networkextension/nehotspothelper)

Around iOS 9, Apple deprecated some of the Captive Portal APIs, then re-
instated them, a lot of changes that went back and forth, but my conclusion is
that today, years later, way too many apps seem to read my SSID. Doesn't
really matter how they do it, but I wish there was a prompt for it and no way
for an app to directly fetch it.

~~~
walterbell
Any downside to using a common SSID,
[https://www.wigle.net/stats#ssidstats](https://www.wigle.net/stats#ssidstats)?

~~~
chimeracoder
> Any downside to using a common SSID,
> [https://www.wigle.net/stats#ssidstats](https://www.wigle.net/stats#ssidstats)?

From the documentation, it's not clear to me if apps have permission to see
either other nearby SSIDs or the names of other networks that the device has
previously connected to.

If the app has access to either one of those, it's equivalent to being given
location data.

Furthermore, last I checked, _both_ iOS _and_ Android broadcast the list of
previously-connected SSIDs to nearby routers when connecting. That enables
companies which track people's physical location over time without them having
to download an app (yes, these companies exist[0]).

[0] e.g. [http://axper.com/](http://axper.com/)

~~~
walterbell
Whoa.. why do random routers need my SSID location history? Is that list
removable by “forgetting” all the previous networks?

~~~
chimeracoder
> Whoa.. why do random routers need my SSID location history? Is that list
> removable by “forgetting” all the previous networks?

It's how the standard currently works and what enables fast reconnection.
IIRC, the device sends out all available SSIDs, at the router responds with
the one(s) it's able to use to connect.

I agree that this is backwards, and I'd rather have slightly slower WiFi
reconnection in exchange for better privacy. I don't know what the OS-level
behavior is if you delete all previous networks. I assume it works, but I
haven't tested it.

Oh, and for what it's worth, this isn't just for mobile devices. Your laptop
probably does it too. In fact, OS X has an annoying habit of connecting to
WiFi networks in the background even when the laptop is closed and asleep,
which means it's doing this broadcasting behavior as long as the WiFi setting
is turned on.

~~~
walterbell
This thread claims it’s only hidden SSIDs that are broadcast:

[https://apple.stackexchange.com/questions/244171/ios-10-warn...](https://apple.stackexchange.com/questions/244171/ios-10-warning-
using-a-hidden-network-can-expose-personally-identifiable-inform)

------
crystaln
It's interesting how everyone hates the App Store approval model until they
demand it be implemented more strictly.

------
kvm000
Would be nice if there was a more granular option for access to photos which
allowed "image only" with no metadata... I assume most people don't realize
when they grant photo library access to a cheap filter app that the app can
grab the datetime and GPS location for all photos as well, which is a lot of
data if they have a phone full with a ton of photos.

------
julianozen
Hey, are there any other developers experiencing this besides the one in the
article?

We noticed a few weeks ago that Apple has changed their static analysis tool
and has been more aggressive with rejections. Has anyone else actually seen
their app retroactively pulled from the App Store?

~~~
_31
I haven't had the exact issue discussed in the article, but I have noticed
that they have been really aggressive with rejections lately. Just this last
week an app I'm trying to get into the store has been rejected 4 times, with
the same exact automated message. I respond with an assertion of my apps
compliance, but get the same automated response. These are the first
rejections I've received in 7 years of submitting apps.

~~~
scarlac
Do you have an idea what rules you could be violating? Even with a good
history, there's no guarantee an update is still good so they have to stay
vigilant. Chrome store is a good example of this where popular extensions are
sometimes bought and an update is pushed out with malware or spyware.

------
longtermsec
Apps are one risk, but it's an opt-in risk.

Telecom companies are also another risk, and much larger one in that, because
there is no opt out of location sharing with them. Same with analytics on your
telco network traffic.

------
grantlmiller
Isn't it just as likely that this data is being sent to the app vendor's
servers and then off to one or multiple third-parties?

------
shimfish
I'm curious as to how this behaviour is actually detected. I mean are they
checking for outgoing network requests that contain something that looks like
co-ordinates because presumably that would be trivial to obfuscate.

Or is this really just a case of rejecting apps that are asking for location
even though the app has no real use for it?

~~~
LeoNatan25
Apps are required to have an entry in the Info plist for location (both “while
in use” and “always”). This is enforced by the kernel. So they are most likely
looking there.

------
MessageLife1122
I am glad on reading even just looking at the headline. haha

------
sbhn
What, is it legitimate companies selling your data? The fear media told me it
was hackers.

~~~
Johnny555
You must have your head in the sand if you don't see the "fear media" also
warning you about legit companies tracking you.

[https://www.nytimes.com/2018/04/11/technology/facebook-
priva...](https://www.nytimes.com/2018/04/11/technology/facebook-privacy-
hearings.html)

[https://www.bloomberg.com/news/articles/2018-05-07/even-
priv...](https://www.bloomberg.com/news/articles/2018-05-07/even-privacy-
advocates-are-tracking-you-online)

[https://www.wsj.com/articles/who-has-more-of-your-
personal-d...](https://www.wsj.com/articles/who-has-more-of-your-personal-
data-than-facebook-try-google-1524398401)

[https://www.forbes.com/sites/kalevleetaru/2018/05/03/what-
th...](https://www.forbes.com/sites/kalevleetaru/2018/05/03/what-the-alleged-
facebook-stalker-teaches-us-about-our-online-privacy/#62cb33b8672d)

~~~
sbhn
None of those articles made pole position. Only articles with ‘Hackers’ in the
subject line, that’s plural, make pole position when amplifying that people’s
personal data is under attack.

------
jacksmith21006
Just hope they let the user chose.

~~~
gruez
and what do you do when users get strongarmed (app refusing to run, dark
patterns, etc.) into "accepting"?

~~~
jacksmith21006
Well then define how you make it clear to the user.

I worry a bit that we will go too far with things. Some want the benefits of
having the data to make user experience better.

I am a perfect example of this.

------
billabul
you would be surprised how many apps include analytics and gather in app usage
data.

------
SEJeff
If you're worried about analytics and tracking / ads on your iPhone, consider
installing Disconnect's Privacy Pro:

[https://lifehacker.com/disconnect-pro-eliminates-tracking-
on...](https://lifehacker.com/disconnect-pro-eliminates-tracking-on-iphone-
and-samsun-1786903257)

It costs a few $$, but sets up a VPN profile that is generally always on. It
just blocks all of the ads / "web bugs" / analytics stuff and gives you a UI
to show how much. Apple cracking down is a good thing, but so is defense in
depth. It estimates that it has blocked 8Mb of crap being downloaded on my
phone just today.

~~~
princekolt
While the concept is good, I'd be extremely concerned of using _any_ third
party VPN service, free or paid. You are basically trusting your entire
internet usage to a single entity, and I think this is way too risky.

One alternative is setting up a raspberry-pi at home running pi-hole and
OpenVPN. While it is still not risk-free, it is still better than one
centralized entity taking everyone's traffic. On the other hand, setting that
up is still not absolutely straightforward, but it is getting better.

~~~
MBCook
I agree.

“Don’t like being tracked? Just let us watch EVERYTHING you do and we promise
to stop people from tracking you.”

You’re putting someone in the perfect position to track you far better than
anyone else could. You better REALLY trust them.

~~~
SEJeff
Again, it uses a VPN to route all traffic on the phone through the app, which
sends no traffic anywhere outside of your phone (confirmed via my home
firewall showing no traffic going out). It uses a VPN to simply route traffic
through the app to null route bad destinations. Make sense?

