Yesterday - February 17th 2026

Samsung Weather widget ships hardcoded shared IBM API keys + persistent user ID, sends precise GPS every 15-30 min

While analyzing network traffic from Samsung devices, I found the built-in Weather widget silently sending precise GPS coordinates to IBM's api.weather.com - with a persistent user identifier and a hardcoded API key baked into the app.

Findings from 34 Samsung devices observed over 3 days:

- 2 hardcoded IBM Weather Company API keys shared across all devices (~6,000 requests captured)

- Precise lat/long (~100m accuracy) sent as URL parameters every 15-30 min

- Persistent device ID sent with every request - IBM can build longitudinal location profiles across sessions, days, weeks

- 4 Samsung services involved: `par=samsung_widget`, `par=samsung_pn`, `par=samsung_radar`, `par=samsung_notifications`

- One device made 1,740 requests in 3 days - enough for IBM to reconstruct where the user sleeps, works, and travels

Two real problems: Samsung sends a persistent device ID, letting IBM build your location profile over time. And you never opted in - it's a pre-installed system app most users don't know is running and can't easily remove.

Verify the key is live yourself:

```
curl "https://api.weather.com/v3/wx/observations/current?geocode=40.71,-74.01&language=en-US&units=e&format=json&apiKey=793db2b6128c4bc2bdb2b6128c0bc230"
```

For context - in 2019, LA sued The Weather Channel app for secretly mining user geolocation for advertising. IBM settled. Samsung is now funneling the same type of data into the same IBM infrastructure via a pre-installed system app on ~260M devices shipped per year.

submitted by /u/AdTemporary2475
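To check your own network for the traffic pattern the post describes, the sketch below (an added example, not code from the original post) scans proxy log lines for api.weather.com requests carrying the `geocode`, `apiKey` and `par` parameters and reports request cadence, coordinate precision and API keys shared across clients. The `<epoch> <client> <url>` log format, the client addresses and the key values are constructed placeholders.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log: "<epoch seconds> <client> <url>".
# Clients, coordinates and keys are placeholders, not captured data.
URL = "https://api.weather.com/v3/wx/observations/current"
SAMPLE_LOG = f"""\
1000 10.0.0.11 {URL}?geocode=40.7127,-74.0059&par=samsung_widget&apiKey=KEY_A_PLACEHOLDER
1900 10.0.0.11 {URL}?geocode=40.7130,-74.0061&par=samsung_widget&apiKey=KEY_A_PLACEHOLDER
2800 10.0.0.11 {URL}?geocode=40.7512,-73.9903&par=samsung_radar&apiKey=KEY_B_PLACEHOLDER
1200 10.0.0.12 {URL}?geocode=34.0522,-118.2437&par=samsung_pn&apiKey=KEY_A_PLACEHOLDER
1300 10.0.0.13 https://example.org/map?geocode=1.0,2.0
"""

def decimals(value):
    """Digits after the decimal point in a coordinate string."""
    return len(value.partition(".")[2])

def analyze(log_text, host="api.weather.com"):
    """Return (per-client report, API keys seen from more than one client)."""
    clients = defaultdict(lambda: {"times": [], "precise": 0, "par": set()})
    key_clients = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, url = parts
        target = urlsplit(url)
        query = parse_qs(target.query)
        if target.hostname != host or "geocode" not in query:
            continue  # only location-bearing requests to the weather API
        lat, _, lon = query["geocode"][0].partition(",")
        rec = clients[client]
        rec["times"].append(int(ts))
        # 0.001 degree of latitude is about 111 m, so 3+ decimals is precise.
        rec["precise"] += min(decimals(lat), decimals(lon)) >= 3
        rec["par"].update(query.get("par", []))
        for key in query.get("apiKey", []):
            key_clients[key].add(client)
    report = {}
    for client, rec in clients.items():
        times = sorted(rec["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[client] = {"requests": len(times), "precise": rec["precise"],
                          "par": sorted(rec["par"]),
                          "median_gap_min": median(gaps) / 60 if gaps else None}
    shared = {k: sorted(c) for k, c in key_clients.items() if len(c) > 1}
    return report, shared
```
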