A recent flap over a social network's app that surreptitiously siphoned contact information from iPhone users' Address Books has exposed a much deeper, wider flaw in iOS that allows other apps to pilfer that information onto their own servers, without needing any permissions.
While outrage over the social network, Path, remains fresh — even resulting in a letter from congressional representatives to Apple demanding an explanation for how and why it happened — it's the concern for the vulnerability and its potential for more invasions of privacy that has the industry abuzz.
The Address Book seems to be imbued with a flaw that allows apps to be data vampires and suck emails and phone numbers directly from a user's contact information into their corporate servers.
Gizmodo states, "Some app developers — like Path did — are taking advantage of this weakness. The fact is that, at this point, any app can access your address book and steal all your contacts. Just like that. We don't know which apps may be doing this right now. That is a scary thought and Apple should have thought about it."
And over at The Next Web, a very comprehensive report shows the results of tests that reveal the inherent weakness of the Address Book. At least one well-known app, Foursquare, sent personal data without any kind of warning. But now, it joins other apps, such as Instagram, Facebook and Twitter that give warnings before the information fleecing.
While it may be easy to jump to the conclusion that the information gathering is for nefarious means, the Next Web has another, rational perspective:
The important point here is that developers do not have to upload plain text data to their servers in order to offer these convenience features. They can upload hashed, and therefore anonymous, data instead. Then they can use that data to provide the features without ever having seen or stored the plain information.
The answer is likely not that these developers are evil or looking to harvest your data. Instead, it’s likely to be a simple matter of them not understanding that there are better ways to go about it. Developers are only human and many teams have a limited amount of resources.
UPDATE: Apple spokesman Tom Neumayr issued this statement about how apps will need to conform to its permissions guidelines:
“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”
- Careful: Twitter may be storing your contacts
- Path fumble highlights Internet privacy concerns
- 7 signs we’re living in the post-privacy era