“5K Trainer” and various other apps for iOS steal users’ location data for monetization

Research shared with 9to5Mac this morning showed that popular iOS apps you probably have installed on your iPhone, iPad or iPod touch have special malicious entitlements that send user location data to data monetization firms.

The research firm, Sudo Security Group’s GuardianApp, led by Will Strafach, reports that:

“Several popular iOS apps have been used to covertly collect precise location histories from tens of millions of mobile devices, using packaged code provided by data monetization firms.”

The data is said to be used for location monetization: the apps take the user’s current location and send it to these firms.

Apple’s App Store policy clearly restricts this under the Legal 5.1.1 and Legal 5.1.2 policies.

Legal – 5.1.1 and Legal 5.1.2

The app transmits user location data to third parties without explicit consent from the user and for unapproved purposes.

Until these apps are removed and Apple revises its strategy, the security firm recommends following these instructions.

In order to gain initial access to precise data from the mobile device’s GPS sensors, the apps usually present a plausible justification relevant to the app in the Location Services permission dialog, often with little or no mention of the fact that location data will be shared with third-party entities for purposes unrelated to app operation.

All location data monetization firms listed on this page collect one or more of the following data points:

  • Bluetooth LE Beacon Data
  • GPS Longitude and Latitude
  • Wi-Fi SSID (Network Name) and BSSID (Network MAC Address)

In addition, some firms also collect the following types of less sensitive device information:

  • Accelerometer Information (X-axis, Y-axis, Z-axis)
  • Advertising Identifier (IDFA)
  • Battery Charge Percentage and Status (Battery or USB Charger)
  • Cellular Network MCC/MNC
  • Cellular Network Name
  • GPS Altitude and/or Speed
  • Timestamps for departure/arrival to a location

GasBuddy, MyRadar NOAA, PayByPhone Parking, and C25K 5K Trainer appear to be the apps in question.

Appleosophy contacted Apple for clarification on this via phone, but Apple declined to comment on the issue.

This article will be updated with any new information when it becomes available.

 

Updated: Fixed layout issues.