According to Sudo Security Group’s GuardianApp, an effort led by security researcher Will Strafach, several popular iOS apps “have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms.” The security report claims that in some instances these apps have been used to send constantly updated GPS coordinates to companies that make money from acquiring and selling customer data.

iOS gives users granular control over which apps have access to location data, but affected apps included in the security report rely on location for features like local weather reports and accurate fitness tracking. Users should reasonably expect to grant these apps location access without data monetization firms acquiring shared data.

GuardianApp’s research points to 12 data monetization firms that collect user data, including RevealMobile, which has previously been accused of over-collecting location data through popular weather apps. The report adds that nearly 100 regional news apps have previously used code from RevealMobile that shares information with the data monetization firm.

All location data monetization firms listed on this page collect one or more of the following data points:

  • Bluetooth LE Beacon Data
  • GPS Longitude and Latitude
  • Wi-Fi SSID (Network Name) and BSSID (Network MAC Address)

In addition, some firms also collect the following types of less sensitive device information:

  • Accelerometer Information (X-axis, Y-axis, Z-axis)
  • Advertising Identifier (IDFA)
  • Battery Charge Percentage and Status (Battery or USB Charger)
  • Cellular Network MCC/MNC
  • Cellular Network Name
  • GPS Altitude and/or Speed
  • Timestamps for departure/arrival to a location

Apps that contain tracking code, according to the security report, include 24 notable apps like GasBuddy, MyRadar NOAA, and PayByPhone Parking, as well as the run-tracking app C25K 5K Trainer. Each of the affected apps is available on the App Store and has received thousands of customer ratings that show its popularity.

For Apple’s part, the App Store has a policy that has been actively enforced to prevent apps from misleading users into granting location data access for the purpose of sharing it with third parties.

The app transmits user location data to third parties without explicit consent from the user and for unapproved purposes.

For now, users can either avoid apps that may be using customer data for nefarious purposes or use Apple’s built-in tools for controlling which apps have access to location data. GuardianApp’s report offers these steps to potentially mitigate sharing user data with third-party firms:

  • Go to Settings > Privacy > Advertising and turn on Limit Ad Tracking in order to make unique identification of your iOS device more difficult for location trackers.
  • Press “Don’t Allow” if a Location Services permission dialog contains “See privacy policy” or similar text.
  • Use a very generic name for the SSID of your home Wi-Fi router (e.g. “home-wifi-1”).
  • Turn off Bluetooth functionality when it is not in use.

Apple did not respond to a request for comment when asked about the new research report. GuardianApp’s security report can be read in full at GuardianApp.com.