The Accuweather / Reveal Situation Is Really An iOS Privacy Problem
A quick recap: The Accuweather iOS app was recently caught sending location data and location-identifying Wi-Fi details to a data monetization firm, Reveal Mobile. Those Wi-Fi details are enough to pinpoint a user’s location to as close as 100ft, and most importantly, they were sent to Reveal Mobile even if the user denied Accuweather’s app permission to access their location.
After thorough shaming on Twitter, blogs, and other sites, Accuweather released a statement claiming ignorance and promising to remove the Reveal Mobile SDK until it no longer collects that data inappropriately. They’ve since shipped an update that removes Reveal Mobile’s SDK entirely.
I think focusing on Accuweather or Reveal Mobile misses the point.
Accuweather is not the problem.
Advertising is a downward spiral of user hostility. The latest low seems to be selling users’ location data, but I’m sure it doesn’t end there, and the best way to avoid these issues is to pay money for useful apps. However, the reality is most people prefer to pay with their data, not their money.
If you’re using a completely free app, then you are the product, and you should assume everything you share with them is in turn being shared with their advertising partners. But, what about the things you didn’t share with that app?
What is surprising is that Reveal Mobile has access to location data from users who denied location permission to the Accuweather app.
There’s nothing in the Reveal Mobile SDK integration guide that makes it clear it will do this, and as a closed-source SDK, there’s no practical way for any app that integrates it to know everything it can possibly do.
Apps routinely incorporate closed-source SDKs: ad networks (Google Admob, Facebook ads, etc.), analytics packages (Fabric, Flurry) and popular frameworks. A closed-source SDK can do anything the platform allows, basically in secret. But it’s not practical to demand that all SDKs be open-source or that all apps avoid all closed-source SDKs. Too much value would be lost, and too many good, useful SDKs wouldn’t exist without the ability to keep their code proprietary.
The only way for an app developer to know exactly what these closed-source SDKs are sending back is to intercept the network transmissions and inspect them. And they must do this again every time any of those SDKs is updated. That doesn’t sound like a realistic expectation. Instead, developers rely on reputation and community trust of those SDKs.
Today, I guarantee a lot more developers trust Fabric.io’s SDK than the Reveal Mobile SDK. But until that trust is broken, individual apps can’t be expected to know everything every SDK does in all situations.
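What inspecting intercepted SDK traffic can look like in practice, as an added example that is not from the original post: it scans requests exported from an intercepting proxy on a test device for the test network's own BSSID and SSID. The request dict layout, host names and sample values are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Octets may be written without a leading zero, so accept 1-2 hex digits each.
SEP_MAC = re.compile(
    r"(?<![0-9A-Fa-f:-])[0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5}(?![0-9A-Fa-f:-])"
)
BARE_MAC = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{12}(?![0-9A-Fa-f])")


def normalize_mac(text):
    """Reduce any MAC spelling to 12 lowercase hex digits."""
    parts = re.split(r"[:-]", text)
    if len(parts) == 6:
        return "".join(p.zfill(2) for p in parts).lower()
    return text.lower()


def audit_requests(requests, test_bssid, test_ssid, allowed_hosts=()):
    """Return (host, kind, value) for each Wi-Fi identifier leaving the device."""
    known = normalize_mac(test_bssid)
    findings = []
    for req in requests:
        if req["host"] in allowed_hosts:
            continue
        # Undo URL encoding so query strings and form bodies are searchable.
        text = unquote_plus(req["url"] + "\n" + req["body"])
        for m in SEP_MAC.finditer(text):
            kind = "test-bssid" if normalize_mac(m.group()) == known else "mac-like"
            findings.append((req["host"], kind, m.group()))
        for m in BARE_MAC.finditer(text):
            if m.group().lower() == known:
                findings.append((req["host"], "test-bssid", m.group()))
        if test_ssid in text:
            findings.append((req["host"], "test-ssid", test_ssid))
    return findings


# Constructed sample capture (not real traffic); hosts and values are made up.
SAMPLE = [
    {"host": "api.weather.example", "url": "/v1/forecast?zip=10001", "body": ""},
    {"host": "sdk.adpartner.example", "url": "/collect",
     "body": '{"net":{"ssid":"LabNet-5G","bssid":"a4:2b:8c:1:9f:e"},"perm":"denied"}'},
    {"host": "t.metrics.example", "url": "/e?ap=A4-2B-8C-01-9F-0E&ts=1503500000",
     "body": "wifi=LabNet-5G&id=a42b8c019f0e"},
]

if __name__ == "__main__":
    for hit in audit_requests(SAMPLE, "A4:2B:8C:01:9F:0E", "LabNet-5G"):
        print(hit)
```

Payloads that are compressed, encrypted or base64-encoded inside the request body need decoding before this scan sees them.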
Reveal Mobile is not the problem.
Reveal Mobile pays app developers for location data — that’s their business model. But they’re not the only ones. I’ve received and rejected proposals from other firms doing the same thing, such as xAd, Sense360, and Beintoo.
I’m trying to convert free users to paid customers, not make a living selling users’ data, so when I get a proposal from one of these companies I just delete it. But, many apps are completely free and entirely supported by advertising. They may need to make those decisions differently.
Any of these location data businesses can fall back to Wi-Fi-based location data if the end-user does not grant the host application permission to use location. Why? Because it pays better, and Apple allows it.
The problem is iOS.
The reason this situation with Accuweather is even possible is that iOS allows apps to access your location (via Wi-Fi details) even when you decline to allow location access.
Apple understands fully that Wi-Fi details can accurately locate an iPhone user. This is why when you turn off Wi-Fi in Settings or Control Center, they show a message that says “Location accuracy is improved when Wi-Fi is turned on.”
Plus, iOS Geofencing is almost entirely implemented using Wi-Fi-based location to track your arrival/departure from specified locations, and iOS Visit Monitoring similarly uses Wi-Fi-based location to track when you linger at or leave arbitrary locations.
My own app offers a “clock in reminder” feature that uses iOS geofencing. Before the iOS API allows my app to register any geofences, it must request location permission from the end-user. If they decline, those features don’t work. The iOS APIs refuse to register the geofences altogether.
So, how do sneaky apps or SDKs access location when they shouldn’t? It turns out iOS allows code in apps or SDKs to access your Wi-Fi network details regardless of the location permissions granted to the app.
We can’t know for sure if that’s an oversight or a bug, but the fact is that anyone can use a Wi-Fi network BSSID database to locate users using those Wi-Fi details.
Interestingly, Android doesn’t allow apps to access Wi-Fi details without permission.
This iOS privacy loophole enables firms like Reveal Mobile to turn to shady practices to boost their bottom line. They can do it without the host app’s developer knowing and without the end-users knowing.
The solution isn’t removing apps like Accuweather.
Some have been calling for removal of the Accuweather app from the App Store, or even banning the developer’s account.
But that isn’t how markets work. If there’s money to be made selling users’ location data, someone will always be willing to step up and make that money.
The App Store could remove Accuweather, but then some other app will just take their place. Apple could make new rules to discourage apps from doing things like selling location data. But, some will always sneak through and probably make even more money if they’re one of just a few brave enough to try it.
This is playing whac-a-mole.
The solution isn’t removing apps that use Reveal Mobile.
Reveal Mobile doesn’t have any special privileges to access Wi-Fi details. They’re just using public iOS APIs that any app or SDK maker can use. Apple could remove every app that includes the Reveal Mobile SDK, but then another location data monetization firm will just take their place.
If it’s more effective to make money in location data by falling back to Wi-Fi-based locations when location permissions have not been granted, someone will always be willing to step up and do that shady stuff to get those extra bucks.
The solution is to fix iOS to control access to Wi-Fi details appropriately.
This isn’t an app problem. It’s not a closed-source SDK problem. This is a platform problem.
iOS is promising to keep your location safe from apps if you’ve denied permission, but then letting them access it anyway. Wi-Fi network details are location data.
iOS must refuse access to Wi-Fi details to any process that does not have permission to access your location just as it denies access to GPS coordinates or geofences.
Apple knows how to do this.
We’ve been down this road before with things like device UUID and device MAC addresses. Return bogus values, crash the app, reject any app that contains a call to the relevant functions, whatever. Anything but letting any app access identifying Wi-Fi details without any permissions checks.
Some good apps might be caught up in a change like this. Maybe you use a networking diagnostics app and it needs to identify the Wi-Fi network in order to support its functionality. Too bad! That app should have to ask for location access permission and explain why it needs it, just like any other app that wants access to data that can be used to determine a user’s location.
Hopefully this is fixed in iOS 11, or iOS 11.1, and we don’t have to wonder how many other apps or SDKs are doing shady stuff like this for another year or more.