Discuss as:

Apple must improve iOS user data protection: developers


iPhone 4S

The dust up over users' contacts ending up on Path servers has spurred congressmen to get up into Apple's grill, and now developers are also holding the company's feet to the fire to be better about protecting such sensitive information.

Apple continues to squirm in the midst of revelations about a flaw in iOS that allows apps to sneak Address Book contacts past permissions and store it in its own servers. Not only did the social network Path take advantage of the weakness, but also much more popular apps such as Facebook, Instagram and Twitter.

Computer engineering professor Mark L. Chang found Hipster to be one of the worst offenders among the apps, which not only secretly uploaded parts of Chang's iPhone Address Book (including a big block of email addresses), but also did so under an unsecured connection.

The company — which issued a statement yesterday saying "any app wishing to access contact data will require explicit user approval in a future software release" — has come under scrutiny from privacy and security advocates, such as congressional representatives Henry A. Waxman and G. K. Butterfield, who drafted a letter on Valentine's Day to Apple demanding answers regarding Apple's app developer guidelines and whether sufficient care has been taken to safeguard iOS users' private information.

Here's an excerpt from it that nails the concern:

Claims have been made that “there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission, to remote servers and then store it for future reference. It’s common practice, and many companies [are] likely have your address book stored in their database.” One blogger claims to have conducted a survey of developers of popular iOS apps and found that 13 of 15 had a “contacts database with millions of records” — with one claiming to have a database containing “Mark Zuckerberg's cellphone number, Larry Ellison’s home phone number and Bill Gates’ cellphone number.”

Ars Technica quotes developers who are speaking out against Apple, summing up their position as this: "The real fix, developers said, will have to come from Apple; they argue the company should require that certain sensitive data be hashed before transmitting and overhaul iOS's permissions system."

(Hashed data has been converted into an anonymous format that can still convey some information, but protect unique identities.)

The story quotes Stand Alone developer Patrick McCarron, who says, "I bet many users would say that their address book is more sensitive than their location. So I can see wanting to know when an application accesses it. A developer hiding the fact that they transmit your address book data in a privacy policy or EULA is not something I'd call a customer friendly practice."

Another Stand Alone colleague, Chris Cieslak, chimed in too: "At this point, Apple’s going to have to revamp permissions dialogs like they had to for notifications in iOS 5."

Apple has previously come under attack for the location tracking found in iPhones

More stories:

On Twitter, follow Athima Chansanchai, who is also trying to keep her head above water in the Google+ stream.