AccuWeather doesn't know how to issue a reassuring statement. The company attempted to quell users' concerns a day after security analyst Will Strafach published a blog post earlier this week explaining how the free iOS weather app collects users' GPS coordinates, the name and BSSID (or MAC address) of their Wi-Fi router, and whether their device has Bluetooth turned on or off. AccuWeather sends this data to a company called Reveal Mobile, which sells the information to retailers with the promise of helping "understand the path of a consumer and where they go throughout the day."
To put it more plainly: AccuWeather basically handed over its users' exact locations, even when they opted out of providing location data, in the form of their router name and BSSID. These two data points can be traced to an exact location.
Per a joint statement, AccuWeather and Reveal Mobile say:
"If a user opts out of location tracking on AccuWeather, no GPS coordinates are collected or passed without further opt-in permission from the user."
Notice they don't mention the Wi-Fi network information. When they do bring it up, AccuWeather says it was "unaware the data was available to it" and that it never used this data. Again, this doesn't apply to Reveal Mobile.
Maybe AccuWeather truly didn't know that Reveal's SDK collected router names and BSSIDs, but did the team vet this SDK at all before including it in the iOS app? AccuWeather says it removed the SDK from the app, but will reimplement it once it's "fully compliant with appropriate requirements." Who knows what this means. It also says that once that SDK is back in place, the "end result should be that zero data is transmitted back to Reveal Mobile when someone opts out of location sharing." The word “should” isn't committal or reassuring.
Your router info says a lot
In a nutshell, AccuWeather admitted to having an SDK in its app that collected users' router information without their permission; whether that was intentional is unclear. It also says it has no idea whether Reveal will adjust its SDK to stop that collection, but it "should" do so.
As a reminder, free apps often make their profit through data collection. This is typically outlined in a lengthy terms of service, which most users don’t bother to read thoroughly. A similar situation happened with Unroll.me earlier this year when users learned their data were being sold to Uber. But if you’re concerned about your privacy, you should probably ditch the AccuWeather app. Maybe stick with Apple's default weather app, or pay for one, like Dark Sky, which makes its money off app purchases.