iOS address book privacy: app developers and Apple respond

After a series of high-profile iOS apps were revealed to be surreptitiously uploading address book information to their servers, Apple says it plans to require apps to get user approval before collecting data.

  • Dieter Bohn

    Mar 17, 2012

    OS X 10.8 Mountain Lion Developer Preview 2 released; asks permission for contact access

    Apple is working towards the summer release of OS X 10.8, aka Mountain Lion, and to that end it's released a 2nd Developer Preview to, well, developers. The change log shows that there are still a lot of unfinished edges in the OS, from Game Center to AirPlay to the Notes app. However, one thing you wouldn't know until you ran it is that there's a new privacy feature. Dustin Curtis discovered that when an app attempts to access your contacts, OS X pops up a dialog box asking your permission. Once you grant it, there's a new section in the Security preferences that lists all the apps you've granted permission to.

    Obviously, the feature is a response to the privacy issues that were raised last month with iOS, which allows any app to access contact information without permission. Apple promised that it would release an update to iOS that would require explicit permission, but made no such promise for OS X. Desktop operating systems typically offer a much wider array of permissions to apps, though Apple is taking steps to lock that down a bit in Mountain Lion. App sandboxing is one step, and now this permissions dialog is another. As for iOS, Apple hasn't yet said which version would implement the contact permissions dialog, but it wasn't in the iOS 5.1 version the company released on March 7th.

  • Dieter Bohn

    Mar 8, 2012

    Path will protect private user data with 'hashing' in next release

    Path's big 2.1 release today comes with a promise of another update coming shortly: version 2.1.1. The extra .1 on the end represents Path's intention to add "hashing" to any contact data it collects. The move is obviously a response to the fact that Path experienced the brunt of the contact collection drama last month, when it was revealed that the company was collecting address book information from its users. In response, Path deleted the data, apologized, updated its app to request permission, and has begun working with TRUSTe to get privacy certification (it's not quite there yet). Path is also taking a bit of a lead in trying to continue the conversation about mobile app privacy, working with Lookout Mobile Security. Path was definitely not the only app that was collecting this information, but it's still not known how many other apps have collected (or still are collecting) contacts from users.

    One of the ideal solutions to collecting address book data is to anonymize it before it's uploaded, a process called "hashing" that still allows for contact matching but doesn't reveal the content of the data to anybody. No word yet on when the .1 update will come.

  • Dieter Bohn

    Feb 15, 2012

    Apple: iOS to require explicit permission for contact data in 'future software release'

    The decision is a fairly obvious one and a good move to protect users' private data. Apple already does a similar thing with location data, requiring apps to present an iOS system-level pop-up dialog box when they want to know your location. Unfortunately, Apple didn't directly speak to other private data on iOS like calendar information.

  • T.C. Sottek

    Feb 15, 2012

    Congress sends Apple letter filled with questions about iOS address book privacy

    The iOS address book row is no longer just a tempest in the internet's teapot: members of the US Congress have just sent a letter to Apple, demanding answers about its app approval process and the privacy and security of data that's accessed or transmitted by iOS apps. The letter follows a wave of complaints and bickering this week that ignited with the revelation that Path was uploading data from iPhone address books without asking for explicit permission. Path has since apologized to its patrons and purged their personal data, but as we've independently confirmed, the problem presented by the faux pas persists — any iOS app has complete access to an ample amount of data that's on your iPhone, including the address book and calendar. And any iOS app can, without getting your permission, upload all of that information stored in your address book to its servers.

    Congress says that the Path incident "raises questions about whether Apple's iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts." So it's asking Apple to describe all of its iOS app guidelines concerning data privacy, how Apple determines whether apps meet those criteria, and to describe what kind of data the company thinks is private. Other questions get straight to the point:

  • Dieter Bohn

    Feb 15, 2012

    iOS apps and the address book: who has your data, and how they're getting it

    Over the course of the past week, a firestorm has erupted in the world of iOS apps, thanks to the discovery that Path was uploading data from your iPhone's address book without asking for explicit permission. Upon opening the app and registering, Path automatically uploaded your contact data in order to "find friends" that you might want to connect to. Path has since apologized and updated its app, but the problem exposed by the episode remains.

    Stated simply: any iOS app has complete access to a large amount of data stored on your iPhone, including your address book and calendar. Any iOS app can, without asking for your permission, upload all of the information stored in your address book to its servers. From there, the app developer can either use it to help find your friends, store it in perpetuity, or do any number of other things with it.

  • Nathan Ingraham

    Feb 8, 2012

    Path CEO apologizes for address book uploading, deletes all user data, and updates app with privacy controls

    Path has moved quickly to try and quell the backlash stemming from the social networking app's practice of uploading users' address books to the company's servers. CEO Dave Morin just posted a lengthy apology on Path's blog, saying "we are deeply sorry if you were uncomfortable with how our application used your phone contacts." The company has also just released an update to the iOS app that allows users to opt in or out of sharing their address book with Path's servers. As he did yesterday, Morin states explicitly that Path only uses your address book to improve the quality of the app's "Add Friends" feature and also to notify you when one of your contacts joins Path, but he also acknowledges that users "should have control when it comes to sharing your personal information."

    In addition to the updated app, Path has also deleted all stored address books from its servers, so that any current users who don't want to share their information won't need to contact the company to have it removed — Morin called this action "a clear signal of our commitment to your privacy," and indeed we didn't expect the company to take such a measure yesterday when it said users would need to email Path to have their data removed. Despite the recent outcry, it's worth noting that the app has done this since launch and weathered some backlash already. Still, it's good to see a company respond quickly to users' concerns over the privacy of their personal information.

  • Adi Robertson

    Feb 7, 2012

    Path iOS app uploads your entire address book to its servers

    When developer Arun Thampi started looking for a way to port photo and journaling software Path to Mac OS X, he noticed some curious data being sent from the Path iPhone app to the company's servers. Looking closer, he realized that the app was actually collecting his entire address book — including full names, email addresses, and phone numbers — and uploading it to the central Path service. What's more, the app hadn't notified him that it would be collecting the information.

    Path CEO Dave Morin responded quickly with an apology, saying that "we upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more." He also said that the lack of opt-in was an iOS-specific problem that would be fixed by the end of the week. Looking at the Android app, it does warn you that the app will pull contact information, although you still can't install without giving Path carte blanche to use the address book. Users can email service@path.com in order to have information deleted from the servers, but since this issue has come up before with no apparent impact, we're not sure how much app-wide change we'll see.
