AccuWeather Updates Its iOS App To Address Privacy Outcry

Taylor Hatmaker, writing for TechCrunch: Responding to privacy concerns, AccuWeather is out with a new version of its iOS app that removes a controversial data sharing behavior. Earlier this week, security researcher Will Strafach called attention to the practice in a post and users took to Twitter to announce their intention to dump the app in droves. "AccuWeather's app employed a Software Development Kit (SDK) from a third party vendor (Reveal Mobile) that inadvertently allowed Wi-Fi router data to be transmitted to this third-party vendor," the company wrote in a statement accompanying the app update. "Once we became aware of this situation we took immediate action to verify the operation and quickly disabled the SDK from the IOS app. Our next step was to update the IOS app and remove Reveal Mobile completely."

Reveal Mobile, who could have known...

[kbdd]

With a name like this, who could have known it would reveal information about mobile users?

I certainly did not see it coming!

Translation: "We're sorry we got caught"

[ausekilis]

Hey Mr CEO, you've still got a little egg on your face. Right there on your chin.

Re:

[Anonymous Coward]

[wipes his chin with a $100 bill] "Thanks bud."

Egg or...

[sjbe]

Hey Mr CEO, you've still got a little egg on your face. Right there on your chin.

I don't think that's egg. It's a little more like... ewwwww

Comforting

[Zeromous]

No mention of Android, for better or worse.

Re:Comforting

[bluefoxlucid]

Having seen the quality of programming most people put out, the "wtf this library does that?!" line sounds like exactly what happened.

You should see how much asinine shit I go back and un-create when I realize Docker or Ansible or some other such system has capabilities that I'd achieved with poorly-implemented, clunky scripts and clever playbook design. Programmers have it worse: they've got enormous, complex libraries, and they're universally bad at their jobs to the point that the Perl official documentation contained a Hello, World program in 5 lines that was remotely-exploitable--an obvious flaw if you know some obscure facts about how Perl works that even Larry Wall apparently forgot about. (programming r hard)

A lot of people think about programming like "I want to tell the computer to draw a house." No, you want to tell the computer to take a series of sensitive, highly-specific steps resulting in a figure shaped like a house on your screen. When you juggle user input, you have to figure out how that input can affect those steps, and ensure that the broad possibilities all fall into well-defined categories of outcomes, or else you have security vulnerabilities. When you use a third-party library, you're blindly using a pile of code that appears to do the right thing where you're looking, but who knows what it's doing in places you're not looking?

Rather than specifically-engineering each step along the way, programmers generally find a tool that does the job and verify that it produces the right result. That's reasonable enough, and this is what happens.

Re:

[bluefoxlucid]

Bah, I was trying to reply to this post [slashdot.org].

Re:

[LordKronos]

the Perl official documentation contained a Hello, World program in 5 lines that was remotely-exploitable--an obvious flaw if you know some obscure facts about how Perl works that even Larry Wall apparently forgot about

I would love to see that. Got a link? I tried googling but couldn't come up with anything.

Re:

[bluefoxlucid]

There was this guy [youtube.com] who pulled up a 20-year-old bug in Bugzilla that works because lists are processed by iterating as an expression (e.g. if you do $x = (1, 2, 3, 4, 5), you get $x=1; $=x2; $x=3... and end up with $x=5). As a result, if you put the same entry in a hash twice, you get the second one--and, along with a flaw in DBI, he managed to get admin access to Mozilla's bugzilla.

So everyone whined a lot, and said he's just dumb, and he came back a year later [youtube.com] and (at 21:45) shot a remote code execution

Re:

[JohnFen]

Probably worse. It seems very likely to me that what a developer puts into the product for one platform was also put into the product on other platforms.

The part I don't get

[93 Escort Wagon]

Is there a legitimate reason an application should be able to access your wireless network's name and/or BSSID?

We regularly see complaints from developers that Apple won't give them broad enough access to user data. However, on the face of it, this seems to be a case where an API can get access to data it has no good reason to need access to.

Re:

[Anonymous Coward]

Is there a legitimate reason an application should be able to access your wireless network's name and/or BSSID?

So the vendor can sell it and your location to Reveal Mobile.

Re:

[geekmux]

Is there a legitimate reason an application should be able to access your wireless network's name and/or BSSID?

We regularly see complaints from developers that Apple won't give them broad enough access to user data. However, on the face of it, this seems to be a case where an API can get access to data it has no good reason to need access to.

The semi-legitimized reason was to gather location data to tailor the app and provide you with local weather info.

That activity became offensive only because they were caught selling it to a 3rd party.

What I fail to understand is why the hell they didn't just program the app to ask for GPS access. Plenty of other apps do, and consumers happily hand that shit out all day long.

Re:The part I don't get

[JohnFen]

That activity became offensive only because they were caught selling it to a 3rd party.

I disagree. I think it became offensive when the app went out of its way to gather location information after the user specifically and intentionally disabled location information.

Re:

[geekmux]

That activity became offensive only because they were caught selling it to a 3rd party.

I disagree. I think it became offensive when the app went out of its way to gather location information after the user specifically and intentionally disabled location information.

We would live in a world seething with wisdom and intelligence if people were actually offended about corporations fucking them over. Laziness, ignorance, and stupidity paint the reality we have instead.

Re:

[Wolfrider]

--I wish I had mod points... +1 Insightful

Re:

[JaredOfEuropa]

I used this in a home automation app, where having the connection set up as fast as possible adds a lot to the user experience. The app remembers your home's SSID, and when you are on your home wifi it will hit the local address. When you are on LTE or on some other Wifi (different SSID), it'll hit the remote access gateway service.

Sure, another strategy is to just try both connections at once, but I didn't want to hit the remote service when not needed.

Re:

[JohnFen]

Is there a legitimate reason an application should be able to access your wireless network's name and/or BSSID?

Sure. There are tons of useful (to the user) things that can be done if you have that ability. If I couldn't make or use apps that accessed that information, I'd consider the platform broken.

The key, though, is that the user must remain in control and be able to prevent apps from getting that (or any) data if they choose.

Re:The part I don't get

[plover]

The part I don't get is why people use AccuWeather. The National Weather Service has extremely high quality forecasts right there on their web page, and if you visit http://mobile.weather.gov/ [weather.gov] in your iOS device and tap "Share/Add To Home Screen", it's wrapped up behind an icon and "acts" like an app. As a plus, you've already paid for them with your taxes. And they have no privacy violating trackers on their page, not even a google analytics link.

Most importantly, you're not feeding some shitty company who has been trying to make the National Weather Service lock up our public weather data, and who bought and paid for a U.S. senator for exactly that purpose.

Re:

[Wolfrider]

--Thank you for that, gonna use it right away :)

Re:

[LordKronos]

I've never tried the mobile.weather.gov so I just checked it out. Yes it has the basic information, but it's not presented nearly as nice as accuweather.

Try to look at the forecast for the next 5 days to see high/low temps. With weather.gov, you need to scroll several screen because the high and low temperatures are each in a big block that takes 1/4 the screen, and your eyes have to wade through the day name, the overall condition name ("mostly sunny", "partly cloudy", etc) and a text description that is

Re:

[CanadianMacFan]

I agree with your points and wanted to add the following.

Having a web page isn't very handy to quickly look up the weather. I like having an app that I can add a widget to the notification centre and glance at to see the temperature when my phone is locked. I know that there are, or at least were, apps that let you embed pages as widgets but then I have to buy another app. And Apple limits how much space is shown so if the website doesn't show the information you are after you'll have to unlock the phone to

naive

[supernova87a]

I mean, maybe I'm just naive, but don't most people just assume that your phones/apps are leaky and not rely on them to say that they're protecting your privacy? I think it's worse that you act based on the assumption that your info is not being collected/transmitted/sold/leaked to others...

Re:

[Anonymous Coward]

This is wise counsel but we should still make others aware when we know it is going on.

Re:

[Anonymous Coward]

This is wise counsel but we should still make others aware when we know it is going on.

This is but one story out of 100 that has come along in the last few years regarding privacy and data leaks.

How many licks does it take to get to the rock-filled center of the average dumbass consumer?

Nope

[sjbe]

I mean, maybe I'm just naive, but don't most people just assume that your phones/apps are leaky and not rely on them to say that they're protecting your privacy?

No, most people don't give the matter a second thought.

Re:

[JohnFen]

I mean, maybe I'm just naive, but don't most people just assume that your phones/apps are leaky and not rely on them to say that they're protecting your privacy?

They should, but I think most people just don't think about it at all.

I consider all programs that I have not written to be security risks, personally. That's why I firewall off every piece of software by default.

Re:

[Threni]

You're special. Most people don't give a shit if the app they use makes a note of where they are more accurately than they need to. Because the phone already knows exactly where you are, and people know this, and they assume the information is available. If they gave a shit they'd not use smartphones, or they'd be more careful.

Re:

[dmomo]

Sure, but that doesn't mean you need to be complacent when you see it happening.

Surprise!

[tsqr]

Once we became aware of this situation

Translation: once we became aware that we'd been caught doing this

Sooo tired of this...

[Anonymous Coward]

Company look at it... "We can make more money by screwing our customer over"
"Can we get caught?"
"Yes bt its remote and need very talented people to find out"
"Ok do it, we'll handle it if we get caught"

IM TIRED THAT MONEY RUNS EVERYTHING....
THIS NEED TO CHANGE

What about Android?

[oldmacdonald]

Did they fix the Android app too?

As George W. Bush once said:

[Oswald McWeany]

As George W. Bush once said:

“There's an old saying in Tennessee — I know it's in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can't get fooled again.”

I certainly wouldn't trust AccuWeather again.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[JohnFen]

I don't know about AccuWeather, but plenty of companies do a cost/benefit calculation to decide whether or not they're going to do something terrible. If they figure that they'll end up making more money than they'll lose when they get caught, then it's full steam ahead.

Granularity controls

[bobstreo]

There should be controls for everything an app can access built into all these portable computers. You should be able to lock out application access to location/bluetooth/wifi/contacts...

Otherwise, back to a flip phone. They're fine for texting and making/receiving phone calls. Not so good for youtube or facebook, and that's a good thing.

Re:

[Archon]

Android: Settings > Apps & notifications > App permissions
iOS: Settings > Privacy

Sure you didn't

[DaMattster]

"Once we became aware of this situation we took immediate action to verify the operation and quickly disabled the SDK from the IOS app. Our next step was to update the IOS app and remove Reveal Mobile completely." - IIRC, they denied it at first.

Re:

[freeze128]

So AccuWeather loses points for "not being aware" of things that are obvious.

Re:

[sit1963nz]

What they actually meant was

"Once we became aware the reputable 3rd party discovery of this situation we took immediate action to Deny and obfuscate the operation and quickly cast doubt on the SDK from the IOS app. Our next step was to fess up , go into damage control and claim we did not know and then update the IOS app and remove Reveal Mobile completely"

Comcast injects pop-ups

[tepples]

nothing stops the user from changing the SSID on their home network or owning their own router.

Other than that if you subscribe to home high-speed Internet in a Comcast territory, and you're not renting Comcast's latest gateway, Comcast will inject pop-up ads for its gateway into randomly chosen HTML responses in cleartext HTTP connections that your PCs, tablets, and smartphones make. (Source [consumerist.com]; Source [gizmodo.com]; Source [digitaltrends.com]) Is this a reason to break down and rent Comcast's gateway? Or to boycott sites not available through HTTPS? Or to ditch Comcast and instead pay nearly 100 times more per GB for satellite or home