Research shows more than two dozen popular iOS apps send user data to third parties

Recently, a new study claims that more than two dozen iOS apps, including weather and fitness trackers, contain a code that secretly shares users' locations and other information with data-for-profit companies. Despite Apple's clear policies on privacy and protecting user data, these apps have been available on the App Store. When using these apps, users can take steps to reduce the risk of data exposure - or you can avoid using these apps.

According to a report by Sudo Security Group's GuardianApp, a project led by security researcher Will Strafach, some popular iOS apps "use wrapper code provided by data-fortifying companies to secretly collect precise location histories of tens of millions of mobile users." In some cases, the apps are also used to continuously update GPS coordinates to the companies so they can profit from harvesting and selling customer data, the report said.

The iOS platform allows users to control which apps can access location data, but the apps involved in the security report rely on local weather reports and accurate fitness tracking tools to obtain location information. Users may feel that it is reasonable to grant these apps location permissions without considering that data profit companies will obtain the shared data.

To gain initial access to precise data from a mobile device’s GPS sensor, apps typically provide an app-specific justification in the location services permissions dialog, with little or no mention of the fact that they are sharing location data with third-party entities for purposes unrelated to the app’s operation.

All of the location data monetization companies listed on this page collect one or more of the following data:

• Bluetooth LE beacon data
• GPS longitude and latitude
• WiFi SSID (network name) and BSSID (network MAC address)

In addition, some companies collect the following less sensitive types of device information:

• Accelerometer information (X-axis, Y-axis, Z-axis)
• Identifier for Advertising (IDFA)
• Battery charge percentage and status (battery or USB charger)
• Cellular Network MCC / MNC
• Cellular network name
• GPS latitude and/or speed
• Departure/arrival timestamp of a location

According to the security report, the apps containing tracking codes involve 24 well-known apps, such as GasBuddy, MyRadar NOAA, PayByPhone Parking, and running tracking app C25K 5K Trainer. Each affected app can be downloaded on the App Store and has thousands of user ratings, which is enough to show its popularity.

GaurdianApp's research revealed 12 data-for-profit companies that collected user data, including RevealMobile, which was previously accused of collecting user location data through popular weather apps. The report also added that about 100 regional news apps had used RevealMobile's code and shared information with the data-for-profit company.

For its part, Apple has been actively implementing App Store policies to prevent apps from misleading users into granting location data access permissions to share with third parties. When an app transmits user location data to a third party without the user's explicit consent or for an unapproved purpose, it violates Apple's policies.

Currently, users can avoid apps that collect user data for malicious purposes, or use Apple's built-in tools to control which apps can access location data.

When asked about the new research, Apple did not respond to requests for comment.