
Several iOS apps found collecting location and other sensitive data without users’ knowledge

  • The stolen information includes Bluetooth LE Beacon Data, GPS longitude and latitude, Wi-Fi SSID and BSSID.
  • The apps also collected less sensitive information such as battery charge performance and status, cellular network name and more.

Security researchers with the GuardianApp project have discovered dozens of popular iPhone apps being used to secretly collect users’ location data. The researchers found that these apps were quietly sharing the accurate location histories and other sensitive information of millions of users with third-party data monetizing firms.

The stolen information includes Bluetooth LE Beacon Data, GPS longitude and latitude, Wi-Fi SSID and BSSID (the MAC address of the wireless access point). The apps also collected less sensitive information such as accelerometer data, battery charge performance and status, cellular network name and more, all without explicitly informing the user.

In most cases, the data collection occurred via packaged tracking code that app developers embed in their iOS apps.

“In many cases, the packaged tracking code may run at all times, constantly sending user GPS coordinates and other information,” said the GuardianApp team.

Users unaware of data collection

When these apps are installed or used, they appear to give a valid reason for requesting access to users’ location. However, they don’t mention that the data is shared with third-party entities.

“In order to gain initial access to precise data from the mobile device’s GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation,” added the researchers.

GuardianApp researchers listed around 24 apps, including ASKfm, C25K 5K Trainer, Code Scanner by ScanLife, Coupon Sherpa, GasBuddy and Homes.com, that contain code from location data monetizing firms. The report also contains a list of firms that are making a profit by collecting users’ location data.

The researchers have also published the names of 100 regional news apps that contain code from Reveal Mobile, a leading mobile audience data platform for media properties.

The researchers recommended a few mitigation steps to stay safe from such potential data theft. These include turning off Bluetooth when it is not in use and choosing the ‘Don’t Allow’ button if an app’s location service permission dialog contains ‘See privacy policy’ or similar text. It is also advisable to use a simple name for the SSID of your home Wi-Fi.




Cyware Publisher
