The recent furore behind the fact that, Path, one of the most beautiful iOS app out there, uploads your entire address book to their servers when you create an account, is probably targeted at the wrong guys. Why do I say this? Read on.

Who else is doing it?

It’s not just Path. Hipster is doing it. Whatsapp is doing it. Foursquare is doing it. Instagram is doing it. Viber is doing it. “Insert your new hot social networking app here” is doing it. This tweet summarizes this.

 

Some companies explicitly ask for users’ permission (Whatsapp and Viber)

Whatsapp asking for user's permission to upload address book

Whatsapp asking for user's permission to upload address book

Viber asking for user's permission to upload address book

Viber asking for user's permission to upload address book

 

Some companies do it when the user explicitly ask them to do. For example, foursquare and Instagram both have an option called “Find friends from Contacts”.

Instagram uploads when you ask it to find your friends from Contacts.

Instagram uploads your contacts when you tap on "From my contact list"

Instagram uploads your contacts when you tap on "From my contact list"

Foursquare uploads “proactively” when you open the “Invite Friends” view. This is again as bad as Path.

Foursquare uploads in the background when you open this view

Foursquare uploads in the background when you open this view

To a techie like you and me, we know that this option would upload the entire address book. To any other iOS user, it’s not really clear. May be they should have added an additional prompt like Whatsapp. But then, that would _alert_ the user and he will probably opt out.

Some companies bury it deep inside their privacy policy (that no one reads). While there are many bad examples, Viber really stands out as a good example. Their privacy policy explicitly states what all they do with the contacts they read from your device.

But most company’s privacy policy is written in legal lingo, mostly incomprehensible to the common man.

I’m not arguing that two wrongs make a right. The point I want to put forth is that, this is not a problem with the third party app maker. It’s a platform issue. When a Android app steals your private information, why do you blame Google instead of the third party app developer? If Google allowed API access to your sensitive information using a opt-in dialog like iOS rather than a manifest file, would there be so many trojans on Android marketplace?

The whole problem in this recent furore roots down to the security layer of iOS. iOS allows any programmer to access all of your address book with just two lines of code.

ABAddressBookRef addressBookRef = ABAddressBookCreate();
CFArrayRef allContacts = ABAddressBookCopyArrayOfAllPeople(addressBookRef);
// upload this to server and do something really nasty
CFRelease(addressBookRef);
CFRelease(allContacts);

There is no prompt whatsoever shown by the system.

What should Apple do?

Show an access control dialog when an application makes a request to access address book. Probably from the version first iteration of iOS, you get a prompt when any app (including Apple’s own apps) requests for your location or for your unique device token for sending you notifications. Apple should extend this feature to programatic access of your contacts and calendar as well (EventKit.framework).

Personally, I’m least bothered about apps stealing my contacts. I’ll be more bothered if an app steals my events. Let me give you an example.

Imagine that I have a meeting with a client ABC from 10 AM to 11 AM on Feb 10th at their office, One Marina Boulevard, Singapore. Just imagine what all can be done when a company knows this information. They can stalk me. They can rob my home when I’m not there. They can sell this information to a “order a pizza” guy who could cold-call me during lunch time to up-sell his pizza. Well, most of these don’t really happen. But they _can_ technically happen.

Reading your calendar to know your upcoming events is also few lines of code

EKEventStore *store = [[EKEventStore alloc] init];
NSPredicate *eventPredicate = [store predicateForEventsWithStartDate:startDate endDate:endDate calendars:nil];
NSArray *matchingEvents = [store eventsMatchingPredicate:eventPredicate];
// upload this to server and do something really nasty

How can you help?

If you are a iOS developer, open bugreport.apple.com and file a bug report like this radar 10824178. Duplicate this. The more a bug gets duplicated, the more faster it reaches Apple.

If you are an iDevice user, remember that there is no free lunch. When a company makes a product free, YOU are their product. Be cautious when a app requests for any additional information like your location or push notifications. There are plenty of apps that I know, that use push notifications purely for marketing. Marketing emails in Web 2.0 era is slowly being transformed to push notifications in this mobile dominated decade. Sad part is that, there is no way to unsubscribe from those annoying push notifications apart from deleting the app.

Let’s all hope that Apple addresses this issue at the earliest before something really _bad_ happens.


Mugunth

Follow me on Twitter

  • Email Gmail

    Agree with you. Only problem is that I cannot upvote that radar!? I can only watch my own originated problems… When I search for that id, I get empty result set :-(

    • Anonymous

      The way to “upvote” a bug report on Apple Radar system is to duplicate it. Apple uses the number of reports to identify the severity.

  • IMHO this is problem with (the lack of ) honesty of some develpers

  • KPM

    “there is no way to unsubscribe from those annoying push notifications apart from deleting the app” 

    Of course there is. Right in the “Notifications” menu in the Settings app. 

  • CJO

    There is a world of difference between “accessing” my contacts and uploading them. If an app running on my phone wants to access my calendar to, say, block insert or delete or find my free times, that’s ok because it’s all happening on my phone.  IMO *none* of the apps you show are properly advising their users of what is going on.

  • I Am Here

    A telemarketer called me, almost immediately, selling some health service after someone send a message via WhatsApp to me and I did not even have WhatsApp installed.