AccuWeather: Our app slurped your phone's location via Wi-Fi but we like totally didn't use it

A day after a security researcher criticized AccuWeather for collecting people's location data – even if its users refused to grant permission to do so – the weather forecasting company and its ad tech partner Reveal Mobile denied violating permission settings while also revising the app's info-grabbing code. In a post on Monday …

  1. Oh Homer
    Linux

    An argument for simpler engineering

    Anyone brave enough to poke around in Android's internals will understand that it's an obscene, monstrous, convoluted mess, as far removed from the Unix Philosophy as you could possibly imagine.

    So, under the circumstances, fiascos like this don't surprise me in the least.

    Sadly the current alternatives are not much better, and mostly proprietary, although in the practical sense so is "Android", as actually implemented on most devices.

    I long for an Arch Linux smartphone, or similar, with a suitable UI (the latter part being the main stumbling block). Not just to extricate the user from Google's, Apple's and Microsoft's "walled gardens", but mostly just to have something that I can understand the internals of (and thus properly control, secure and maintain).

    1. Anonymous Coward
      Anonymous Coward

      "as far removed from the Unix Philosophy as you could possibly imagine"

      Any mobile OS following the so-called "Unix Philosophy" would be utterly unusable. It would go as far as Linux desktop went in the past seventeen years...

      Even a big user of *nix systems like Google is not so blind as not to understand it. There's also a reason people at Google are big users of Apple desktop systems...

      1. Oh Homer
        Headmaster

        Re: '"Unix Philosophy" would be utterly unusable'

        You're conflating the Unix Philosophy, which is basically just a set of engineering principles applied to the field of software development, with an existing ecosystem of software that has, historically, failed to implement those principles in a manner that is stupidly simple to use by novices (mostly because software developers are engineers not nannies, and unlike commercial software operations Free Software developers don't have departments of non-engineers dedicated to dumbing-down their software for the masses).

        There is no particular reason why those principles could not be implemented in a novice-friendly manner, and indeed most mainstream distros have already accomplished that, indeed in many respects they're far easier to use than Windows, as a visit to any Windows forum will confirm.

        But certainly you're right in that if a typical Linux distro were simply ported straight onto a smartphone (and many already have) then the result would not really be a smartphone, it'd be a small portable device running desktop Linux, and largely unusable in the context of a smartphone.

        My wish is not for Arch Linux running on a pocket-sized device, which has already been done anyway, it's for a smartphone OS that adheres to the principle of engineering simplicity, removing the bloat and complexity that causes the sort of issues we see here, yet still provides a highly functional and intuitive UI that is accessible to everyone.

        The Unix Philosophy is not somehow antithetical to that goal, in fact it's absolutely essential to it.

        1. Stevie

          Re: '"Unix Philosophy" would be utterly unusable'

          Gotta say that while I'm not a phone app engineer I would have expected a phone o/s of any stripe to implement access to phone features and the gatekeeping of same to a core API of such robustness it couldn't be weasel-coded around or just ignored.

        2. Anonymous Coward
          Anonymous Coward

          @Oh Homer - Re: '"Unix Philosophy" would be utterly unusable'

          Actually there is a very particular reason why those principles are not implemented. This data slurping is not an oversight, it's the very reason why the application is built. All app developers are scratching their heads to find a useful enough function for you while they're purposefully collecting every piece of data they can get their hands on.

          1. John Smith 19 Gold badge
            Gimp

            "This data slurping is not an oversight, it's the very reason why the application is built. "

            Correct.

            And the fish rots from the head, i.e. Android.

            How many people use the "Iron" browser, described (loosely) as "Chrome without the snooping."

            1. Stevie

              How many people use the "Iron" browser,

              I don't know, and if they are telling the truth about "without the snooping" no-one else does either.

        3. Anonymous Coward
          Anonymous Coward

          "You're conflating the Unix Philosophy, which is basically"

          The reality is that the "Unix Philosophy" is just layers over layers of software accrued over forty years, some totally outdated - and which made *nix very unfriendly to anybody whose work wasn't to care after it all day long. *nixes, today, are just as bloated as other OSes, and in some areas, even more so because of now very outdated designs made in a very different era that can't be thrown away because of some religious faith in them. Windows is becoming more and more unusable exactly because it's trying to ape Linux - all the PowerShell cmdlets and applications built upon them are just slow, ugly and difficult to use. A clean API with ACLs on every exported function would be far better.

          Both Apple and Google had to turn their *nix layers into something usable for their target users. Apple did invest much more than Google - after all Google just needed something to fill the mobile space and support its slurping business there - quality of the OS was utterly secondary.

          1. Oh Homer
            Trollface

            Re: "Windows is becoming more and more unusable"

            Becoming?

      2. Warm Braw

        Re: "as far removed from the Unix Philosophy as you could possibly imagine"

        Any mobile OS following the so-called "Unix Philosophy" would be utterly unusable.

        Not utterly. Even Emacs gets used for productive work. Just not by people you'd want to share an office with.

    2. Trollslayer

      Re: An argument for simpler engineering

      Definitely - Google are so obsessed with showing how clever they are that they make life hell when creating smart products using Android.

      APIs keep changing, often with little or no benefits.

    3. Cuddles

      Re: An argument for simpler engineering

      "Anyone brave enough to poke around in Android's internals"

      What do Android's internals have to do with this article about privacy issues with an iOS app?

  2. Anonymous Coward
    Anonymous Coward

    And the company said it complies with all ... ad industry best practices.

    WELL THAT'S REASSURING

    1. Hero Protagonist

      Re: And the company said it complies with all ... ad industry best practices.

      As if "ad industry best practices" weren't an oxymoron

  3. Haku

    "...but we like totally didn't use it"

    Aaa

    AAAaaa

    AAAAAACHOOOOO!!!

    I'm sorry about that, I have a bullshit allergy.

  4. Anonymous Coward
    Anonymous Coward

    Why the OS can't enforce user selections?

    Is there any reason the OS can't block an API call when the user doesn't permit it? Are settings just "wishes" the application should gracefully fulfill? Why doesn't the OS keep a list of API call permissions, and return a f******f return code if an application tries to call a denied API - plus send telemetry pointing at badly behaved applications?

    Mobile OSes don't look more secure than their desktop counterparts. Especially when the OS maker gets a share of advertising....

    1. Anonymous Coward
      Anonymous Coward

      Re: Why the OS can't enforce user selections?

      Like if you call a "private" API call in iOS for example.

    2. hellwig

      Re: Why the OS can't enforce user selections?

      It can, but this data was not location data, it was network data.

      In order for the location APIs to function, the user must grant access. So if an app tries to get a GPS location, it can't if the access was not granted.

      However, the BSSID is just network data (information about the WiFi connection). It just so happens that this one piece of data can actually pin-point you to a house or business location thanks to public snooping done by many companies (including Google).

      So the BSSID does not tell someone where you are, but it can be used to find a location if you use a different service.

      Ideally access point manufacturers would implement some sort of rolling BSSID (just as cell phones can roll their MAC address) to prevent tying an AP to a static location. But considering how shitty the security is in general, I don't think it's a major priority of theirs.
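The gap hellwig describes, and the "list of API call permissions plus telemetry" the earlier Anonymous Coward asks for, as an added toy model (not code from the article, the app or any commenter): the weak gate checks the location API only, so a BSSID read needs no permission and a lookup table (a constructed sample standing in for a wardriving database) turns it into coordinates; the hardened gate keys the check on what the data reveals and records refused reads. The `Device` class, the `SENSITIVITY` map and the sample BSSID are all assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample standing in for a wardriving/geolocation database:
# maps an access point's BSSID to the coordinates where it was observed.
BSSID_DB = {"02:00:5e:10:00:01": (51.5007, -0.1246)}

@dataclass
class Device:
    perms: dict                       # per-app grants, e.g. {"location": False}
    gps: tuple = (51.5007, -0.1246)   # what the location API would return
    bssid: str = "02:00:5e:10:00:01"  # BSSID of the currently joined AP
    denials: list = field(default_factory=list)  # telemetry of refused reads

# --- Weak model: the check is keyed on the API that is called -------------
def read_gps_weak(dev):
    # Location API: gated, as every commenter expects.
    return dev.gps if dev.perms.get("location") else None

def read_bssid_weak(dev):
    # "Just network data": no permission is consulted at all.
    return dev.bssid

# --- Hardened model: the check is keyed on what the data reveals ----------
SENSITIVITY = {"gps": "location", "bssid": "location"}  # assumed policy

def read_field(dev, name, app="weather"):
    needed = SENSITIVITY[name]
    if not dev.perms.get(needed):
        dev.denials.append((app, name, needed))  # record the refused call
        return None
    return getattr(dev, name)

def infer_location(bssid):
    """The third-party step: resolve a BSSID against the lookup database."""
    return BSSID_DB.get(bssid) if bssid else None

def location_weak(dev):
    """Where an app with location denied still ends up in the weak model."""
    return infer_location(read_bssid_weak(dev))

def location_hardened(dev):
    """Same app, same denial, but BSSID is classed as location data."""
    return infer_location(read_field(dev, "bssid"))

if __name__ == "__main__":
    dev = Device(perms={"location": False})
    print("weak model leaks:", location_weak(dev))     # coordinates
    print("hardened model:", location_hardened(dev))   # None
    print("telemetry:", dev.denials)
```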

      1. Anonymous Coward
        Anonymous Coward

        Rolling BSSID

        That would be pretty simple to implement in DD-WRT / OpenWRT...

        1. Anonymous Coward
          Anonymous Coward

          Re: Rolling BSSID

          > That would be pretty simple to implement in DD-WRT / OpenWRT...

          Sorry. You do realize these apps collect (B)SSIDs of all wifis in range? Everyone would have to do this for it to work. Not happening.

    3. Anonymous Coward
      Anonymous Coward

      Re: Why the OS can't enforce user selections?

      Should be a pretty simple 'if' statement at the beginning of any API that requires user permission. Maybe they missed this one, or they didn't think about the fact that router names / BSSIDs could theoretically be used to infer location.

      I'm not really worried about that, since while Google's wardriving captured the location of SSIDs all over until they were caught, AFAIK they never made that information public. I'm more concerned that Accuweather is grabbing information to forward to their advertisers, which is presumably intended to try to uniquely identify them.

      I dropped the Weather Channel app a couple years ago when they discontinued the ad-free 'Max' version so you had to see the ads, since Accuweather didn't have ads. A couple weeks ago they put in ads, and have a pay option to get rid of them I haven't taken advantage of yet. Maybe now I never will, and will look for a different weather app that doesn't try to slurp information in violation of Apple's rules, and either has no ads or provides a way to pay to remove them.

    4. Anonymous Coward
      Anonymous Coward

      @AC - Re: Why the OS can't enforce user selections?

      Yes, there is a reason why the OS can't enforce user selections: developers (starting with Google, Apple) do not want you to block their stuff. On my Samsung G7 phone I am not allowed to disable notifications from the weather app, option is greyed out. It doesn't matter that I hate receiving those notifications, somewhere an idiotic developer decided I must not disable it.

      1. Anonymous Coward
        Anonymous Coward

        Re: @AC - Why the OS can't enforce user selections?

        That's Samsung for you.

        Bloatware.

        Do they still ship the keyboard languages you can't remove?

    5. Anonymous Coward
      Anonymous Coward

      Re: Why the OS can't enforce user selections?

      Yep, Android already does this. Runtime permissions for access fine location (GPS) or coarse location (mobile/Wi-Fi). Granting fine grants coarse too.

      This problem is wholly an iOS one, where permissions were an afterthought, and not included in the original OS design.

      The Google clickbait stuff near the end is just there to discredit the whole article.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why the OS can't enforce user selections?

        If permissions in iOS were an afterthought, why did iOS allow you to set permissions years before Android did?

        Android has had similar permissions fails, so trying to use 'alternative facts' to claim this is a problem that can't affect Android is ridiculous.

        Seems most likely that iOS engineers simply didn't consider BSSIDs something covered by permissions, or they were covered by something else like a permission to access the network. No one would have ever considered their use as a location specifier if Google hadn't decided to surreptitiously wardrive the whole world.

  5. J. R. Hartley

    Bollocks

    The only way these companies will learn is if they get fined a large percentage of their turnover. If they go bust then that's just tough shit. That'll tighten them.

    1. samzeman

      Re: Bollocks

      I've always campaigned for percentage fines even for individuals. It's not a valid punishment to bankrupt one person for not picking up litter, then mildly inconvenience a rich person for crashing their yacht into my house or whatever.

      For companies the same applies. If google does something terrible, they shouldn't be able to shrug it off, and if a minor tech startup does something questionable, they shouldn't instantly be harpooned for it.

      Sorry, I think I have boats on the mind or something.

  6. Only me!

    Big Biz....and BIG Biz

    So if a "small" biz collects data OH panic..............Small biz, they are millions and a bit of change

    Billions................and millions as change

    Google, Facebook, Microsoft......that's fine

    mmmmmm

    Try opting out, never that simple...............try and opt of ads!

  7. joed

    any ideas on blocking cloud hosted scourge?

    I was going to - just in case - set up another dead-ended route for revealmobile.com. But it turned out that the DNS query returns a non-compliant IP within the range of Google Cloud. I've blocked a swath but the solution is just more of a heavy-handed stop gap (and useless any time something moves inside the cloud). Any better ways that can be used on a consumer router?

    The market would definitely use some easy fix as MS, Google, FB and other tracking scum like to hide behind the live shield of their cloudy services that makes filtering impossible (without inflicting collateral damage).

  8. Anonymous Coward
    Mushroom

    complies with [ ... ] ad industry's best practices

    And what exactly might be these best practices of the ad industry?

    1. Don't get caught.

    2. If you do get caught, deny it.

    3. If you can't deny it, blame someone else.

    4. If that doesn't work, issue a word salad non-apology apology, promising change.

    5. Change nothing, proceed as before while pretending things have changed.

    6. Go back to [1].

    I'm thinking maybe a different approach is needed here, especially when it comes to the ad industry's best practices (Hi, Google!): presumed guilty until proven innocent.

  9. razorfishsl

    "if a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user,"

    Well there we are then, clearly it states GPS, whilst excluding all other tracking systems.

  10. adam payne

    "Other data, such as Wi-Fi network information that is not user information, was for a short period available on the Reveal SDK, but was unused by AccuWeather. In fact, AccuWeather was unaware the data was available to it. Accordingly, at no point was the data used by AccuWeather for any purpose."

    You were unaware of what your app was doing, very reassuring.

    1. Anonymous Coward
      Anonymous Coward

      That, unfortunately, is the nature of using frameworks.

      Client wants App to do A, ah, framework Y has A, so let's use that.

      Framework Y also does B to J by default, but as we were in a rush, we didn't read the docs, and never noticed.

      So we think our app just does A, when it actually does A to J, and that's what went live!

  11. Anonymous Coward
    Anonymous Coward

    Translation

    Statement: "In fact, AccuWeather was unaware the data was available to it."

    Translation. Shit! How did we miss that goldmine.

  12. scrubber

    You what?

    "Other data, such as Wi-Fi network information that is not user information"

    If it's coming from MY phone, it's user information.

    1. Frank Bitterlich
      Mushroom

      Re: You what?

      100% agree. "...that is not user information... (simply because we wrote in our TOS that all your base are belong to us)..."

      And also...

      Despite insisting it was unaware such data was available and thus went unexploited, AccuWeather said it would remove the Reveal Mobile SDK from its iOS app until it takes privacy seriously.

      Let me help you with that. By just uninstalling your spyware.

      AccuWeather is close to useless anyway, as the data it displays often directly contradicts the data on their own website for that very same location. But then again, it looks like they are not really in the weather forecast business...

      Godspeed, AccuWeather.
