iOS allows contacts to be uploaded without consent, Apple promises fix

By on February 16, 2012, 3:30 PM

Apple has finally responded to privacy concerns following a recent discovery which shows some iOS apps have been silently uploading contact lists to remote servers. Apple intends to change this behavior though by prohibiting unfettered access to contacts from any app without explicit user permission.

Android, on the other hand, evades the issue entirely. While installing any app that requires access to your address book, Android gives users a warning prompt. However, as PCWorld points out, we can certainly do a better than this.

About two weeks ago, an unsuspecting developer discovered that his entire address book was being uploaded by Path, a seemingly innocuous photo-sharing app. Presumably, the intentions of Path were benevolent as the app uses your contacts to figure out who you'd like to share photos with. However, the app did so without any indication -- no warnings, prompts or agreements.

Path's developers quickly issued an apology, removed the uploaded contact information from their servers and updated the app so that it now requires consent before touching your contact list. While Path's reaction seems responsible and even commendable, less scrupulous developers may not act so honorably.

This incident sparked a new public awareness about the dangers of third-party software on such increasingly personal devices. That spark then ignited into a fire which two members of Congress may be aiming to extinguish. They issued this written inquiry to Apple:

  • Please describe all iOS App Guidelines that concern criteria related to the privacy and security of data that will be accessed or transmitted by an app.
  • Please describe how you determine whether an app meets those criteria.
  • What data do you consider to be “data about a user” that is subject to the requirement that the app obtain the user’s consent before it is transmitted?
  • To the extent not addressed in the response to question 2, please describe how you determine whether an app will transmit “data about a user” and whether the consent requirement has been met.
  • How many iOS apps in the U.S. iTunes Store transmit “data about a user”?
  • Do you consider the contents of the address book to be “data about a user”?
  • Do you consider the contents of the address book to be data of the contact?  If not, please explain why not.  Please explain how you protect the privacy and security interests of that contact in his or her information.
  • How many iOS apps in the U.S. iTunes Store transmit information from the address book?  How many of those ask for the user’s consent before transmitting their contacts’ information?
  • You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis.  Please explain why you have not done the same for address book information.

            Please provide the information requested no later than February 29, 2012.

Source: butterfield.house.gov

So, exactly how many apps are doing this? No one truly knows, but professional blogger and superhero Dustin Curtis claims that out of 15 popular iOS social media apps he checked, 13 of them admitted to having databases of users' personal contacts.

it's highly unlikely that most developers are doing any sort of work to anonymize your information. The vast majority of apps we tested — whether they upload your address book information or not — can and do upload other identifying information from your iPhone, including the phone's unique UDID identifier and in many cases even the "Name" of the iPhone you enter into iTunes when setting it up.

Source: theverge.com

Interestingly, as a number of journalists and bloggers point out, this type of behavior is prohibited by Apple's own policies. Since rules obviously haven't been working, hopefully Apple's new technical approach will.




User Comments: 1

Got something to say? Post a comment
Guest said:

People are much too cavalier about the security of their personal data on phones.

Personally, I think this should've been addressed from day zero, from both Apple and Android, at an API level. Rather than take-it-or-leave-it permissions, why not just granular control - perhaps at a phone level? (e.g. list and manually select which applications are allowed contact access)

If an app isn't explicitly allowed access to the contacts (or messages/emails), it'd be shown an empty list. If no internet access, it'd 404 etc..

Developers would quickly adapt to the possibility. And any 1 buck games absolutely demanding contacts access to function would be downrated into oblivion.

Seems a no-brainer to me.

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.