iPhone apps collecting sensitive data without permission
The past couple of days have seen a furor erupt over the shenanigans of two popular apps for iPhone. The ‘Path’ social media application, which is readily available via the Apple App Store and described as “the smart journal that helps you share life with the ones you love”, has apparently been transmitting users’ entire contact lists to the company’s servers automatically and without asking permission, including full names, email addresses and phone numbers. The discovery was made quite by accident when Arun Thampi, an iOS developer based in Singapore, was researching the Path app with a view to writing his own OS X version. Mr. Thampi then published his findings, and that’s when the proverbial hit the fan. You can view Arun Thampi’s related blog posts in full HERE.

I hasten to add that Path’s CEO, Dave Morin, reacted positively and swiftly once the news was made public: an updated version was released almost immediately, and it now asks permission before sending your contact list to the Path servers. Here is Mr. Morin’s initial response:

Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

A few short hours after Arun Thampi’s revelations hit the airwaves, blogger Mark Chang reported that ‘Hipster’, yet another social media app available through the Apple App Store, is doing pretty much the same thing. Here is an excerpt from Mark’s blog article:

The Hipster app allows you to deselect the “Contacts” button when looking for new friends, but it is enabled by default. Therefore, there is no way to avoid sending address book emails to Hipster, as far as I can tell.

But wait – it gets worse. According to Mark, Hipster not only sends your contacts’ email addresses to its servers unencrypted, it also sends your password and iPhone UID in cleartext. View Mark Chang’s blog post in full HERE.
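One way to check for this kind of behaviour from the defender’s side, as an added example that is not code from the article or from either app: route the phone’s traffic through an intercepting proxy, then run a checker like the one below over the captured requests. It flags requests that leave the device over plain HTTP, requests whose body carries several people’s email addresses or phone numbers (an address-book upload rather than a sign-up form), and requests with password or device-identifier fields. The capture records, hostnames, paths and field names here are constructed for the example and are not real endpoints.

```python
"""Flag captured app requests that ship contact data or secrets, and whether
they do so in the clear. Added example with constructed input; nothing here is
taken from the Path or Hipster apps."""
import json
import re
from urllib.parse import parse_qs, urlparse

# Raw contact identifiers. The lookarounds stop digit runs inside hex device
# identifiers from being counted as phone numbers.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"(?<!\w)\+?\d[\d\s().-]{6,}\d(?!\w)")

# Parameter names that commonly carry credentials or device identifiers
# (an assumption for this example, not a list taken from any app).
SECRET_KEYS = {"password", "passwd", "pass", "udid", "uid", "device_id", "token"}

# Distinct contact identifiers in one request before it counts as an
# address-book upload rather than one person's own details.
ADDRESS_BOOK_THRESHOLD = 3

# Constructed capture records; hosts under .invalid and all values are made up.
CAPTURED_REQUESTS = [
    {   # contacts plus credentials posted over plain HTTP
        "app": "example-social",
        "url": "http://api.example-social.invalid/v1/friends/find",
        "content_type": "application/x-www-form-urlencoded",
        "body": "uid=a1b2c3d4e5f60718293a4b5c6d7e8f9012345678&password=hunter2"
                "&contacts=alice%40example.org%2Cbob%40example.net%2Ccarol%40example.com",
    },
    {   # the same kind of upload, but over TLS and with no credentials
        "app": "example-journal",
        "url": "https://api.example-journal.invalid/v1/contacts/match",
        "content_type": "application/json",
        "body": json.dumps({"emails": ["dave@example.org", "erin@example.net",
                                       "frank@example.com"]}),
    },
    {   # benign request over TLS with nothing sensitive in it
        "app": "example-weather",
        "url": "https://api.example-weather.invalid/v1/forecast",
        "content_type": "application/json",
        "body": json.dumps({"city": "Singapore"}),
    },
]


def parse_body(content_type, body):
    """Flatten a form-encoded or JSON body into field name -> string."""
    if content_type.startswith("application/x-www-form-urlencoded"):
        return {k: ",".join(v) for k, v in parse_qs(body).items()}
    if content_type.startswith("application/json"):
        data = json.loads(body)
        if isinstance(data, dict):
            return {k: v if isinstance(v, str) else json.dumps(v)
                    for k, v in data.items()}
    return {"_raw": body}


def classify_request(req):
    """Return a report dict with the findings for one captured request."""
    findings = []
    cleartext = req["url"].lower().startswith("http://")
    if cleartext:
        findings.append("cleartext_transport")

    fields = parse_body(req["content_type"], req["body"])
    blob = " ".join(fields.values())
    identifiers = set(EMAIL_RE.findall(blob)) | set(PHONE_RE.findall(blob))
    if len(identifiers) >= ADDRESS_BOOK_THRESHOLD:
        findings.append("address_book_upload")

    secret = sorted(k for k in fields if k.lower() in SECRET_KEYS)
    if secret:
        findings.append("secret_field:" + ",".join(secret))

    sensitive = len(findings) > (1 if cleartext else 0)
    if sensitive and cleartext:
        severity = "high"      # personal data or secrets readable on the wire
    elif sensitive:
        severity = "medium"    # encrypted, but still needs the user's consent
    elif cleartext:
        severity = "low"       # nothing sensitive seen, but no transport protection
    else:
        severity = "none"
    return {"app": req["app"], "host": urlparse(req["url"]).netloc,
            "findings": findings, "severity": severity}


def audit(requests):
    """Classify every captured request, in capture order."""
    return [classify_request(r) for r in requests]


if __name__ == "__main__":
    for report in audit(CAPTURED_REQUESTS):
        print(f'{report["severity"]:6} {report["app"]:16} {report["host"]}: '
              f'{", ".join(report["findings"]) or "-"}')
```

The checker only sees what left the device and whether it did so in the clear: an app that uploads hashed rather than raw addresses would pass unnoticed, and a ‘medium’ result still means the user should have been asked first. The thresholds and key names are starting points to tune against the apps you actually capture.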

Of course Facebook’s iPhone app has been uploading contact lists for years, but at least Facebook does it overtly and only after the user has granted permission. I can’t help wondering how Apple feels about all this and why their ‘extensive’ approval process did not identify these issues; they have been very quiet on the subject. Anyway, it sure makes me appreciate that I’m not predisposed to using social media and the sundry applications that go hand in hand with it.

About the Author

Jim Hillier

Jim is the resident freeware aficionado at DCT. A computer veteran with 30+ years’ experience, he first started writing about computers and tech back in the days when freeware was actually free. His first computer was a TRS-80 in the 1980s; he progressed through the Commodore series of computers before moving to PCs in the 1990s. Now retired (aka an old geezer), Jim retains his passion for all things tech and still enjoys building and repairing computers for a select clientele... as well as writing for DCT, of course.