iPhone apps caught selling user data to monetization firms

We typically associate iPhones with privacy, but a new study has found that a large number of iOS apps are secretly sending sensitive information to data monetization firms. Most are collecting precise location histories from tens of millions of handsets via a packaged tracking code which constantly runs in the background to track GPS coordinates.

According to the team behind GuardianApp, these popular apps trick users by presenting them with a privacy request that’s relevant to the app. For example, a real estate app called Homes asks for location info in order to find nearby houses. However, what’s not disclosed is that this data is sent to a third-party firm called AreaMetrics every time the app is opened.

Guilty App Names

All these data monetization firms apparently collect information like Bluetooth LE Beacon Data, GPS Longitude and Latitude, Wi-Fi SSID (Network Name), and BSSID (Network MAC Address). Some even keep an eye on an iPhone’s Accelerometer, Advertising Identifier, Cellular Network Name, Timestamps for departure/arrival to a location, and Battery Charge Percentage and Status.

The study has so far collected the names of 124 apps which contain code from location tracking companies and 12 known location data monetization firms. The former includes applications like C25K 5K Trainer, Coupon Sherpa, GasBuddy, Mobiletag, Moco, My Aurora Forecast, MyRadar NOAA Weather Radar, PayByPhone Parking, Perfect365, and Photobucket.

The report suggests a few mitigations which could reduce how much data these apps collect. One is to head to Settings > Privacy > Advertising and toggle on Limit Ad Tracking. If a Location Services pop-up has a “See privacy policy” text, just hit the “Don’t Allow” option.

It would also be a good idea to switch off Bluetooth when it’s not being used and to choose a generic name for the SSID of a home Wi-Fi router. You can see the complete list of apps and data monetization firms here. The page also includes the hostnames for the latter, in case you want to directly block these connections.