During preparation for a workshop at DEF CON in August on locating privacy leaks in network traffic, we discovered a number of applications on both iOS and Android that were broadcasting precise location data back to the applications’ developers—in some cases in unencrypted formats. Research released late Friday by Sudo Security’s Guardian mobile firewall team provided some confirmation of our findings—and demonstrated that many apps are sharing location data, without their users’ knowledge, with firms that market that data.
In a blog post entitled “Location Monetization in iOS Apps,” the Guardian team detailed 24 applications from the Apple iOS App Store that pushed data to 12 different “location-data monetization firms”—companies that collect precise location data from application users for profit. The 24 identified applications were found in a random sampling of the App Store’s top free applications, so there are likely many more apps for iOS surreptitiously selling user location data. Additionally, the Guardian team confirmed that one data-mining service was connected with apps from over 100 local broadcasters owned by companies such as Sinclair, Tribune Broadcasting, Fox, and Nexstar Media.
While some of these applications use location data from various sources as part of their service—several were weather applications, and one was a fitness tracker—others use location mostly “for providing you more relevant ads.” None explicitly stated that data was being shared with a third party.