Samsung Weather widget ships hardcoded shared IBM API keys + persistent user ID, sends precise GPS every 15-30 min

While analyzing network traffic from Samsung devices, I found the built-in Weather widget silently sending precise GPS coordinates to IBM’s api.weather.com — with a persistent user identifier and a hardcoded API key baked into the app. Findings from 34 Samsung devices observed over 3 days: – 2 hardcoded IBM Weather Company API keys shared across all devices (~6,000 requests captured) – Precise lat/long (~100m accuracy) sent as URL parameters every 15-30 min – Persistent device ID sent with every request — IBM can build longitudinal location profiles across sessions, days, weeks – 4 Samsung services involved: `par=samsung_widget`, `par=samsung_pn`, `par=samsung_radar`, `par=samsung_notifications` – One device made 1,740 requests in 3 days — enough for IBM to reconstruct where the user sleeps, works, and travels Two real problems: Samsung sends a persistent device ID, letting IBM build your location profile over time. And you never opted in — it’s a pre-installed system app most users don’t know is running and can’t easily remove. Verify the key is live yourself: curl “https://api.weather.com/v3/wx/observations/current?geocode=40.71,-74.01&language=en-US&units=e&format=json&apiKey=793db2b6128c4bc2bdb2b6128c0bc230” For context — in 2019, LA sued The Weather Channel app for secretly mining user geolocation for advertising. IBM settled. Samsung is now funneling the same type of data into the same IBM infrastructure via a pre-installed system app on ~260M devices shipped per year. submitted by /u/AdTemporary2475 [link] [comments]Technical Information Security Content & DiscussionRead More