June 05, 2020
Care19 shared with us on June 3rd that the new version of their app (3.3) was no longer sharing users’ IDFA with Foursquare. Based on our review, we can confirm that we no longer see the app sharing users’ IDFA with Foursquare.
Care19 was using Foursquare’s SDK, Pilgrim, to translate geolocation coordinates into precise venues for contact tracing purposes. Our research showed that Pilgrim was also collecting and sending Care19 users’ IDFAs unnecessarily to Foursquare. Care19 and Foursquare indicated to us that this data was collected automatically by using Pilgrim, and there was no way for developers to disable this collection.
After we published our research, and in response to our concerns, Foursquare updated Pilgrim to permit developers to disable collection of a user’s IDFA and prevent it from being shared with Foursquare. Please note that this is now just an option that developers can use to disable collection when using Pilgrim, and it does not necessarily mean that other apps using Pilgrim won’t be sending data to Foursquare. Here are the changes to the code:
We salute Foursquare’s commitment to privacy in making this swift update, and we recommend that all developers using Pilgrim disable IDFA collection when possible.
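One way a developer could check their own build after disabling collection, as an added example (not Jumbo Privacy's methodology and not Foursquare's code): scan requests exported from an intercepting proxy on a test device for that device's IDFA going to any host other than the app's own. The hosts, JSON field names and IDFA value below are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

def _normalise(text):
    """URL-decode, lower-case and drop hyphens so every IDFA spelling compares equal."""
    return unquote(text).lower().replace("-", "")

def find_idfa_leaks(entries, idfa, first_party_hosts):
    """Return (host, where) for each request to a non-first-party host carrying the IDFA."""
    needle = _normalise(idfa)
    leaks = []
    for e in entries:
        host = urlsplit(e["url"]).hostname or ""
        if host in first_party_hosts:
            continue  # the app's own backend is out of scope for this check
        parts = {
            "url": e["url"],
            "headers": " ".join(f"{k}: {v}" for k, v in e.get("headers", {}).items()),
            "body": e.get("body", ""),
        }
        for where, text in parts.items():
            if needle in _normalise(text):
                leaks.append((host, where))
    return leaks

# Constructed sample data: the test device's IDFA and two simplified proxy captures.
IDFA = "6D92078A-8246-4BA4-AE5B-76104861E7DC"
FIRST_PARTY = {"api.tracing-app.example"}

CAPTURE_BEFORE = [  # build with SDK identifier collection left on
    {"url": "https://api.tracing-app.example/v1/checkin", "body": '{"device":"' + IDFA + '"}'},
    {"url": "https://sdk.vendor.example/v2/visit",
     "headers": {"Content-Type": "application/json"},
     "body": '{"adId":"' + IDFA + '","ll":"46.8,-100.7"}'},
    {"url": "https://sdk.vendor.example/v2/config?uid=6d92078a%2D8246%2D4ba4%2Dae5b%2D76104861e7dc"},
    {"url": "https://sdk.vendor.example/v2/ping", "body": "{}"},
]
CAPTURE_AFTER = [  # build with the collection option disabled
    {"url": "https://sdk.vendor.example/v2/visit", "body": '{"ll":"46.8,-100.7"}'},
    {"url": "https://sdk.vendor.example/v2/ping", "body": "{}"},
]

if __name__ == "__main__":
    for label, cap in (("before", CAPTURE_BEFORE), ("after", CAPTURE_AFTER)):
        print(label, find_idfa_leaks(cap, IDFA, FIRST_PARTY))
```

A plain substring match like this will not catch an identifier that is hashed, base64-encoded or compressed before sending, so an empty result is evidence rather than proof.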
We have remaining concerns regarding the following:
Jumbo Privacy will provide an update if and when our remaining concerns are addressed. You can contact us for any questions or comments by sending an email to [email protected].
You can read our initial research here, where we discovered the flaw, and our first update here, published after Care19 made initial changes to their app and privacy policy.
Want to help us in our privacy research, or have any leads for us to explore? Contact [email protected].