> Some random third-party app has to be running on your phone to detect beacons and send the data back
They don't have to be running. Here's my understanding (for iOS anyway):
1. Apps have the ability to subscribe to bluetooth callbacks from the OS, which is constantly scanning for them (about once a second, from memory). It will be something like, "wake me up when you detect that beacon with UUID ABCD123 is in range". ABCD123 would be the standard ID of a marketing company's beacons - there could be millions of them.
2. The beacon also have sub-IDs identifying the exact beacon being used. The marketing company will know which are where.
3. Whenever the beacon is in range, the OS pings the app with the data, which decides what to do with it in the same manner as a background data refresh. This could be something useful, like waking up to let you know your suitcase is nearby - but it could also be silently uploading that data to a server.
4. The software to do this is being bundled as a paid SDK in a great many seemingly-unrelated apps, such as weather apps.
5. This behaviour is not counted as location services in the OS, and may or may not be disabled even when bluetooth is "off" on the phone
Corrections welcome but I believe that's roughly what's going on.
I'd greatly appreciate something like Little Snitch on the iPhone so I could see which apps are doing this and delete them with extreme prejudice. Back in reality, I'm glad this is getting attention - at the very least Apple should be providing a list of apps requesting BT access, and indeed any network access over time.
I'm pretty shocked all this can go on in the background without permissions. With Apple adopting such a privacy-conscious stance, I really hope this gets their attention so beacon scanning requires explicit permission in the future (and separate from location services -- my weather app needs to know where I am, but certainly doesn't need to scan for beacons).
It certainly is. I knew about the mechanics of it but hadn't realised it was being so widely abused. I would like to see Apple come down on this swift and hard.
Third party paid SDKs! Those cunning bastards. AdTech really is the dregs.
They don't have to be running. Here's my understanding (for iOS anyway):
1. Apps have the ability to subscribe to bluetooth callbacks from the OS, which is constantly scanning for them (about once a second, from memory). It will be something like, "wake me up when you detect that beacon with UUID ABCD123 is in range". ABCD123 would be the standard ID of a marketing company's beacons - there could be millions of them.
2. The beacon also have sub-IDs identifying the exact beacon being used. The marketing company will know which are where.
3. Whenever the beacon is in range, the OS pings the app with the data, which decides what to do with it in the same manner as a background data refresh. This could be something useful, like waking up to let you know your suitcase is nearby - but it could also be silently uploading that data to a server.
4. The software to do this is being bundled as a paid SDK in a great many seemingly-unrelated apps, such as weather apps.
5. This behaviour is not counted as location services in the OS, and may or may not be disabled even when bluetooth is "off" on the phone
Corrections welcome but I believe that's roughly what's going on.
I'd greatly appreciate something like Little Snitch on the iPhone so I could see which apps are doing this and delete them with extreme prejudice. Back in reality, I'm glad this is getting attention - at the very least Apple should be providing a list of apps requesting BT access, and indeed any network access over time.