Study: Popular iOS apps use 'background app refresh' to send your location and IP address

Originally published at: https://boingboing.net/2019/05/28/study-popular-ios-apps-use.html

1 Like

Can anyone point to anything similar with Android (because I’m lazy and didn’t google it)?

Is there a way (short of going into each app and turning off location permissions) to circumvent this?

1 Like

Don’t own a smartphone.

2 Likes

There is no public API available to developers to get a user’s name. There are a few “hacks”, such as getting the phone’s name (i.e. “John Smith’s iPhone” => “John Smith”). But that’s a very fragile hack.

If your name is being transmitted by a specific app, then it’s typically obtained via a third party service that has asked you to specifically enter your name, i.e. when you sign up for an account, or when you log into an account and the app retrieves your credentials from a remote server.

IP addresses, including the currently assigned device IP and more importantly gateway (router) IP, have always been available via various networking APIs. Typically the gateway IP can correlate to your location via data provided by your ISP, but this isn’t limited to iOS apps – i.e. Google Maps does this, and thousands of other services.

GPS location is only available to an app if the user has explicitly granted permission for that app to do so. Most apps will offer the user the choice to access GPS data only while the app is being used. Beware of any app that doesn’t allow you this choice (Facebook Messenger comes to mind). That is to say, if you only allow the app access to GPS data while you’re using it, that app can’t then run in the background while you sleep, find your location, and transmit it.

And I doubt very much this is only an Apple iOS issue.

7 Likes

Electronic privacy is soooo 90s. Welcome to the modern surveillance state!

Yeah, I’d be mostly worried about apps which I have granted location access (because they have some legitimate uses for it) also using it for illegitimate purposes. Also, the IP address thing, even though that’s fairly coarse-grained information, could pretty easily be used over time to learn when you’re at home/work/other places you frequent.

2 Likes

You’re browsing a news app on your phone in bed, alone, late at night. Did you know your physical location and IP address are being shared with the app maker?

IP? Yes. That’s how the internet works after all. Rough location? Yes, from IP because again, internet. Exact location? Yes, if I gave them permission to access my location, I’d assume they use my location.

There are certainly companies which sell your data. There are plenty that use third-party tracking apps because they do analytics for them. Plenty of those still keep the data private. The only way to avoid them is to simply not use software from companies you don’t trust and don’t give personal information to them.

I’m not sure why there is a different expectation for phone apps than computer software or a website or a random meatspace company. It sounds like we need to put out a general pamphlet explaining that giving personal information to software means giving data to a company.

4 Likes

Why would someone give a random app background refresh permission in the first place?
Just on basis of power consumption alone.

1 Like

Turn off the GPS?

1 Like

This story reminds me of every story about Facebook collecting/sharing data when they said they wouldn’t collect/share data.

Ha ha I’ve had this “background app refresh” setting disabled for YEARS. I only want updates when I trigger updates.

3 Likes

On iOS, you can turn off “background app refresh” either globally or on a per-app basis; that means apps can’t communicate with the outside world except when you are actively using them.

If you do allow that, then apps can freely talk to their vendors, and those vendors can be passing your data to whomever they want (Apple only allows data to be shared with named advertisers with the user’s “consent”, but they won’t necessarily know if a vendor is breaking those rules). If you have allowed the app to access your location / contacts / etc., then it could be sharing any of that (again, Apple can’t necessarily enforce its putative rules about this).

For those without access to the Washington Post, yes, the Apple angle is largely spurious (Android is almost certainly worse), and the article seems like it may have been written by a PR for a fishy-sounding “privacy” app.

But yeah: when you supply information to an app or a web page, the publisher is getting that info, and if the app has ads then advertisers are getting it too. There will never be a magic solution that lets you share data with a company yet also keep that data private.

6 Likes

Incorrect, on both counts actually.

Oh wait I thought you said CAN’T. Yes. You are correct. You CAN and SHOULD do this!

1 Like

Except in cases where you want it. I like that new episodes of podcasts get downloaded in the background so I can listen in the subway/on a plane/in rural areas, for example.

It would be nice if this worked the same as location or camera access, where it is not allowed by default and an app can prompt me to enable it (once) and provide a justification for why I will benefit from doing so.

2 Likes

It does seem odd this is turned on by default (rather than having to agree to a modal dialog as with other app privileges (maybe they were concerned about having too many of those popups)). As I understand it, “background app refresh” is distinct from letting an app finish an active download in the background, from updates to the app itself, and from push notifications; so it’s not that valuable to the user in most cases.

Yeah, that’s actually the only example I could think of. And yet I count 74 apps on my phone that want to be allowed to do this. E.g. Kindle wants to “refresh” itself in the background, yet its one legitimate reason for doing so – downloading new books automatically – isn’t even an option in the Kindle app.

PS Discourse Hub is one of those 74 apps

3 Likes

Settings > General > Background App Refresh > OFF

Sounds like the original article was written with sensationalism in mind.

Sure would be lovely to see a full list of the guilty apps since the WaPo paywall is unbreakable.
And I presume also behind the paywall is some sort of fix? Is force quitting the apps enough? And, for curiosity, how do these apps compare to Facebook’s hoovering?

the only thing about perfection is you have to be on it come what may
sh1t happens and I fancy this is now a new meme I have to hear about so…

There are a lot of reasons you would do this. An example: you are posting a picture to your favorite social media service and decide to check your mail. Before iOS allowed any kind of background work, the picture upload would stop while you were in another app. By allowing the app to work in the background, the upload continues.

A few more examples: you’re receiving notifications for any bank account transaction over $100. Or you’re logging your steps in an exercise tracking application. Or you’ve got some helpful app that takes some kind of action on changes to GPS proximity.

As for power consumption, Apple provides its developers a whole lot of APIs and best practices to avoid draining the battery. For instance, they provide an API for waking the app on GPS proximity changes – the receiver is running in a low power mode and only checking position changes periodically and it wakes the app only if it meets the criteria the app has specified (“wake when within 20m of a certain point”); the app does not have to sit in the background polling the GPS.

The big takeaway I think from this discussion is that “background app refresh” should be OFF by default, and the user should be asked to opt-in per app.

^^^ THIS ^^^

1 Like

It seems like someone posted a PDF of the article here. It’s quite something in its own right.

The “fix” suggested in the article – downloading the profoundly suspect app for which it is an advertisement – may or may not work but seems a lot harder than the solution mentioned by @heligo above.

2 Likes