UPDATED Sept. 27, 2018 with removal of location-tracking code from Homes.com app.
Some iOS fans felt rather smug a few weeks ago, when they discovered that Google was tracking users' location data even if those users had explicitly asked Google not to.
As it turns out, though, iPhone users may not be off the hook, either. If you allow Apple's mobile OS to monitor your location, at least 20 different apps will turn around and sell that information to data-hungry third parties.
This information comes from a report entitled "Location Data Monetization in iOS Apps," which is exactly what it sounds like. The researchers at Sudo Security Group, currently developing Guardian Mobile Firewall, "the first smart firewall for iOS," claim to have discovered 24 apps that currently gather or recently gathered explicit location data, which the apps then distribute to 12 data-monetization companies. (At least three of the 24 no longer collect this data.)
Furthermore, there are almost 100 apps tied to television stations across the United States that contain some of the same data-monetization code. The full list of all the apps are in the report linked to above.
The problem may be much more widespread than it seems. The researchers randomly examined apps found near the top of the rankings for free app in each iOS App Store category, and it's likely that many more apps the researchers didn't look at also collect and sell your data.
How to stop it
Since Guardian Mobile Firewall (which would presumably prevent things like this) isn't available outside of a closed beta yet, the researchers provided a few "potential mitigations." These are not guaranteed to work, but if you want your location data to be a little more secure, you could try them:
— Access Settings, Privacy and Advertising on your phone, and enable Limit Ad Tracking. This won't prevent your phone from transmitting data, but may make it harder for a third party to identify.
— Whenever you install a new app and see a "Location Services" dialogue, select "Don't Allow." (You may have to reinstall some apps and change their permissions, if you see them listed in the report.)
— Turn off Bluetooth, Wi-Fi and GPS whenever you're not actively using them. This will not only prevent apps from collecting some location data, but will prevent other devices from detecting your iPhone as you pass within range of their Wi-Fi networks and Bluetooth beacons. It will also give you some extra battery life.
— If you don't usually use any app that needs to know your location, go into Settings > Privacy > Location Services. At the top of the screen, there is a toggle switch to turn off Location Services for all apps.
— If you do need GPS running for some apps, then go to the same page as above. Below the switch to toggle off Location Services for all apps is a list of apps. Click on those that shouldn't need Location Services — games, photo apps, etc. — to see if any do use Location Services, and turn it off if they do.
— The report also recommends using a generic-sounding SSID, or network name, for your Wi-Fi network at home (e.g. "home-wifi-1"), because maps exist locating every hotspot in America that's detectable from a public road.
This step does come with its own set of risks, as your phone will then automatically connect to any other Wi-Fi network with the same name, so don't make the name too generic. (An old hacker trick is to set up a malicious Wi-Fi hotspot in a public place with an often-name like "AT&T Hotspot." Many phones and laptops will automatically connect to it.)
How it works
The exact method of data transmission is a bit complicated, but assuming that Sudo's report is correct, your iOS location data is, indeed, making its way to third parties, and bringing money into the app makers' company coffers.
Every app that Sudo researched collected Bluetooth LE Beacon Data, GPS longitude and latitude, and Wi-Fi network names and router MAC addresses. Some of the apps also gathered accelerometer information, battery status, cell network name, altitude, speed or timestamps from the phone, little to none of which can be blocked by turning off Location Services.
An advertiser who gets this data can tell not only where you were at any given time, but also how quickly you were traveling and potentially even how you got to a given location.
We won't list every single affected app here, but some of them are quite common. ASKFm, Homes.com, NOAA Weather Radar, PayByPhone Parking, Photobucket and Tapatalk are all examples of apps that transmit your data to moneymaking organizations, according to Sudo Security.
[UPDATE: On Sept. 14, Sudo Security updated its GuardianApp blog post with news that Homes.com had removed location-tracking code from the newest version of its iOS app.]
To be fair, there's nothing on this list that Apple runs itself, nor is there anything as big as a Facebook or an Instagram. But Sudo estimates that tens of millions of users may be unwittingly providing their location histories to third parties.
As for the third-party marketing-data companies, Sudo identified 12 of them, including AreaMetrics, Factual, InMarket, RevealMobile and Teemo, all of which collect user data and sell it to advertisers for a handsome profit.
Teemo, for example, makes $4 for every 1,000 users on which it reports. Apple has even forced at least one app (Perfect365) to remove all Teemo code, suspending it from the app store until the developers complied.
What's the big deal?
It's common for free programs to sell data to advertisers in order to stay in the black. However, the data is usually presented as a big conglomeration with individual details stripped out. Knowing that in this case, advertisers have access to specific location details, makes the whole project sound a little more unsavory.
Even so, data-monetization companies haven't historically been very interested in individual user locations. Trying to sell a product to one person is inefficient; learning about thousands of people and trying to customize an ad campaign to suit their tastes is potentially very lucrative.
The odds of an advertiser specifically tracking you to your home or office — especially since there's no indication they could match it with your name — seem infinitesimally small.
Still, it's good to be aware of where your data is going, and what the final recipients might do with it. If you can do without the 24 apps listed in the report — or the 100 or so local news apps that might run similar code — consider getting rid of them.