The recent furore over the fact that Path, one of the most beautiful iOS apps out there, uploads your entire address book to its servers when you create an account is probably targeted at the wrong guys. Why do I say this? Read on.
Who else is doing it?
It’s not just Path. Hipster is doing it. WhatsApp is doing it. Foursquare is doing it. Instagram is doing it. Viber is doing it. “Insert your new hot social networking app here” is doing it. This tweet sums it up:
for those who just realized that Path uploads your entire address book: you’re such a cute innocent person. Guess what they do with ur fb
— Amudi Sebastian (@amudi) February 8, 2012
Some companies explicitly ask for users’ permission (WhatsApp and Viber).
Some companies do it when the user explicitly asks them to. For example, foursquare and Instagram both have an option called “Find friends from Contacts”.
Instagram uploads when you ask it to find your friends from Contacts.
Foursquare uploads “proactively” when you open the “Invite Friends” view. This is again as bad as Path.
Techies like you and me know that this option uploads the entire address book. To any other iOS user, it’s not really clear. Maybe they should have added an additional prompt like WhatsApp. But then, that would _alert_ the user, who would probably opt out.
I’m not arguing that two wrongs make a right. The point I want to put forth is that this is not a problem with the third-party app maker. It’s a platform issue. When an Android app steals your private information, why do you blame Google instead of the third-party app developer? If Google allowed API access to your sensitive information using an opt-in dialog like iOS rather than a manifest file, would there be so many trojans on the Android marketplace?
The whole problem in this recent furore comes down to the security layer of iOS. iOS allows any programmer to access all of your address book with just two lines of code.

```objc
#import <AddressBook/AddressBook.h>

// Open the address book and copy every contact record in it.
ABAddressBookRef addressBookRef = ABAddressBookCreate();
CFArrayRef allContacts = ABAddressBookCopyArrayOfAllPeople(addressBookRef);
// upload this to server and do something really nasty
CFRelease(addressBookRef);
CFRelease(allContacts);
```

There is no prompt whatsoever shown by the system.
What should Apple do?
Show an access control dialog when an application makes a request to access the address book. Probably since the first iteration of iOS, you have got a prompt when any app (including Apple’s own apps) requests your location or your unique device token for sending you notifications. Apple should extend this feature to programmatic access of your contacts and calendar as well (EventKit.framework).
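
The consent check this section asks for, sketched with the AddressBook authorization calls that Apple shipped later, in iOS 6. This is an added example, not code from the original post; `CopyContactsIfAuthorized` is a hypothetical helper name, and the code assumes ARC.

```objc
#import <AddressBook/AddressBook.h>
#import <Foundation/Foundation.h>

// Hypothetical helper (added example, assumes ARC): calls handler with the
// contact records only if the user consented, and with nil otherwise.
static void CopyContactsIfAuthorized(void (^handler)(NSArray *contacts)) {
    // An ABAddressBookRef must stay on the thread that created it, so the
    // read always happens on the main queue with a freshly created book.
    void (^deliver)(BOOL) = ^(BOOL allowed) {
        dispatch_async(dispatch_get_main_queue(), ^{
            if (!allowed) { handler(nil); return; }
            CFErrorRef error = NULL;
            ABAddressBookRef book = ABAddressBookCreateWithOptions(NULL, &error);
            if (book == NULL) {
                if (error) CFRelease(error);
                handler(nil);
                return;
            }
            NSArray *people = CFBridgingRelease(ABAddressBookCopyArrayOfAllPeople(book));
            CFRelease(book);
            handler(people);
        });
    };

    switch (ABAddressBookGetAuthorizationStatus()) {
        case kABAuthorizationStatusAuthorized:
            deliver(YES);   // user already said yes
            break;
        case kABAuthorizationStatusNotDetermined: {
            // First request: the system shows its consent dialog.
            CFErrorRef error = NULL;
            ABAddressBookRef book = ABAddressBookCreateWithOptions(NULL, &error);
            if (book == NULL) {
                if (error) CFRelease(error);
                deliver(NO);
                break;
            }
            ABAddressBookRequestAccessWithCompletion(book, ^(bool granted, CFErrorRef err) {
                CFRelease(book);
                deliver(granted ? YES : NO);
            });
            break;
        }
        case kABAuthorizationStatusDenied:
        case kABAuthorizationStatusRestricted:
        default:
            deliver(NO);    // never read, never upload
            break;
    }
}
```

EventKit gained the matching `requestAccessToEntityType:completion:` call on `EKEventStore` in the same release.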
Personally, I’m least bothered about apps stealing my contacts. I’ll be more bothered if an app steals my events. Let me give you an example.
Imagine that I have a meeting with a client ABC from 10 AM to 11 AM on Feb 10th at their office, One Marina Boulevard, Singapore. Just imagine what can be done when a company knows this information. They can stalk me. They can rob my home when I’m not there. They can sell this information to an “order a pizza” guy who could cold-call me during lunch time to up-sell his pizza. Well, most of these don’t really happen. But they _can_ technically happen.
Reading your calendar to know your upcoming events also takes only a few lines of code:

```objc
#import <EventKit/EventKit.h>

// startDate and endDate are NSDate values bounding the window to read.
EKEventStore *store = [[EKEventStore alloc] init];
NSPredicate *eventPredicate = [store predicateForEventsWithStartDate:startDate endDate:endDate calendars:nil];
NSArray *matchingEvents = [store eventsMatchingPredicate:eventPredicate];
// upload this to server and do something really nasty
```

How can you help?
If you are an iOS developer, open bugreport.apple.com and file a bug report like this radar 10824178. Duplicate this. The more a bug gets duplicated, the faster it reaches Apple.
If you are an iDevice user, remember that there is no free lunch. When a company makes a product free, YOU are their product. Be cautious when an app requests any additional information like your location or push notifications. There are plenty of apps that I know of that use push notifications purely for marketing. The marketing emails of the Web 2.0 era are slowly being transformed into push notifications in this mobile-dominated decade. The sad part is that there is no way to unsubscribe from those annoying push notifications apart from deleting the app.
Let’s all hope that Apple addresses this issue at the earliest before something really _bad_ happens.