You're browsing a news app on your phone in bed, alone, late at night. Did you know your physical location and IP address are being shared with the app maker?
A new study reveals that many iOS apps, including the Washington Post's own very popular news app, use “background app refresh” to transmit highly sensitive information like user location and IP address.
Here's one of many examples of first-party tracking from Washington Post reporter Geoffrey Fowler's privacy experiment, detailed in the piece.
“Yelp was receiving a message from my iPhone *once every five minutes* that included my IP address,” Fowler tweeted. “It says I found a 'bug.' But now it has months of granular data about me.”
You might assume you can count on Apple to sweat all the privacy details. After all, it touted in a recent ad, “What happens on your iPhone stays on your iPhone.” My investigation suggests otherwise.
iPhone apps I discovered tracking me by passing information to third parties — just while I was asleep — include Microsoft OneDrive, Intuit’s Mint, Nike, Spotify, The Washington Post and IBM’s the Weather Channel. One app, the crime-alert service Citizen, shared personally identifiable information in violation of its published privacy policy.
And your iPhone doesn’t only feed data trackers while you sleep. In a single week, I encountered over 5,400 trackers, mostly in apps, not including the incessant Yelp traffic. According to privacy firm Disconnect, which helped test my iPhone, those unwanted trackers would have spewed out 1.5 gigabytes of data over the span of a month. That’s half of an entire basic wireless service plan from AT&T.
Apple’s response is that the privacy policies for each of these apps are required to disclose with whom they share user data.
Adding a line like “we may share your data with 3rd parties” to the legalese does not provide protection that meets the claim implied by Apple’s marketing tagline: “What happens on your iPhone stays on your iPhone.”
It’s the middle of the night. Do you know who your iPhone is talking to? [washingtonpost.com]
[via techmeme]
Apple says "What happens on your iPhone stays on your iPhone."
My @washingtonpost privacy experiment showed 5,400 hidden trackers guzzled my data — in a single week. https://t.co/OkRhR6DpWB pic.twitter.com/d7tsKfYW3Q
— Geoffrey A. Fowler (@geoffreyfowler) May 28, 2019
From my iPhone privacy test:
Just while I slept at night, iPhone apps that sent my data to third-party tracker companies include Microsoft OneDrive, Mint, Nike, Spotify, The Washington Post and The Weather Channel. https://t.co/OkRhR6lP53
— Geoffrey A. Fowler (@geoffreyfowler) May 28, 2019
Worried about the privacy of your iPhone? Judging from the response to my @washingtonpost column today, lots of us are.
Here are 5 things you can do to limit app tracking: https://t.co/KDO9G9Ze5M
— Geoffrey A. Fowler (@geoffreyfowler) May 28, 2019
Some @washingtonpost readers are asking what we can do to stop apps from tracking us: https://t.co/OkRhR6DpWB
One solution is @disconnectme’s Privacy Pro, a tracker blocker for the whole iPhone: https://t.co/VYfbCBmoYV
Might it break some apps? Maker @patjack, can you explain?
— Geoffrey A. Fowler (@geoffreyfowler) May 28, 2019
That’s fair criticism. It’d be nice to see Apple crack down on trackers used by the apps themselves next. https://t.co/LjS5zr7WYq
— Guillaume Ceccarelli (@GCsVentures) May 28, 2019
BUT on the web you can see and/or block them entirely. you literally can't do either of those in native apps. https://t.co/ZnFkSqIvb4
— Owen Williams ⚡ (@ow) May 28, 2019
Somehow very fitting that a fear-based social network like Citizen is secretly giving away your personal information in violation of its own privacy policy https://t.co/UMDarmKiPv
— Casey Newton (@CaseyNewton) May 28, 2019
The mobile SDK ecosystem is a huge mess and the coarse-grained mobile permission system is not up to the task.
Google or Apple could really lead here with a mechanism for user notification and consent that is tied to static/dynamic analysis. An upside of the app store oligopoly. https://t.co/VCh9850VQr
— Alex Stamos (@alexstamos) May 28, 2019