Your Not-So-Secret iPhone Address Book

Arun Thampi recently caused quite a stir when he found out that an iOS application, Path, was uploading his entire Address Book to their servers.

Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.

Disclaimer: I’m not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service. I love Path as an iOS app and I think there are some brilliant people working on it, but this seems a little creepy. I wonder how many other iOS apps actually do the same…

Mark Chang has discovered that Path is not the only app to do this.

Hipster starts with a POST to

Worth noting, this is not over HTTPS, and it sends your info, including password and iPhone UID in plaintext. Ugh.

The Hipster app, in an unsecured HTTP GET request, sends a big chunk of your iPhone address book in the form of an email param that includes a comma-separated list of email addresses.

The Hipster app allows you to deselect the “Contacts” button when looking for new friends, but it is enabled by default. Therefore, there is no way to avoid sending address book emails to Hipster, as far as I can tell.

The CEO of Path has recently stated that the next update of the iOS app will include an opt-in option to control whether or not your contacts are sent. The Hipster app already has such an option, but it is opt-out and therefore on by default.

While I think it is good form for app developers to let the user decide whether or not they want a third-party app server storing all of their address book contacts, I think Kottke hit the nail on the head when he said,

What. The. Hell! Apple?

My guess is that the API is available because Apple leverages it in some manner as well, but if we want apps to stop sending all of our contacts off of our iOS devices, then perhaps Apple needs to remove that capability. I’m not sure of the full privacy implications here, since it appears that a lot of data is sent in plaintext over HTTP connections, but there are definitely some data control issues with applications transmitting your data off of your device without explicit permission or notification.
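
The request patterns described above (contacts sent as a plist body, a comma-separated `email` parameter, a password and device UID over plain HTTP) can be checked for in traffic captured from your own device with an intercepting proxy. This is an added example, not code from the original post or from either app; the hosts, paths, sample requests and every field name other than `email` are constructed assumptions.

```python
import plistlib
import re
from urllib.parse import parse_qsl, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SECRET_FIELDS = {"password", "uid", "udid"}  # assumed names, not taken from either app

def _strings(obj):
    """Yield every string nested inside a decoded plist."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for value in (obj.values() if isinstance(obj, dict) else obj):
            yield from _strings(value)

def audit_request(url, body=b"", min_emails=3):
    """Return findings for one request captured by an intercepting proxy."""
    parts = urlsplit(url)
    cleartext = parts.scheme == "http"
    fields, findings = parse_qsl(parts.query), []
    if body:
        try:  # a plist body is flattened into one pseudo-field
            fields.append(("plist-body", " ".join(_strings(plistlib.loads(body)))))
        except Exception:  # not a plist: treat the body as a URL-encoded form
            fields += parse_qsl(body.decode("utf-8", "replace"))
    for name, value in fields:
        count = len(EMAIL_RE.findall(value))
        if count >= min_emails:  # several addresses in one field looks like a contact list
            findings.append(f"contacts:{name}:{count}")
        if cleartext and name.lower() in SECRET_FIELDS:
            findings.append(f"cleartext-secret:{name}")
    if cleartext and any(f.startswith("contacts:") for f in findings):
        findings.append("cleartext-transport")
    return findings

# Constructed sample traffic: hosts, paths and field names are made up.
CONTACTS = [{"name": f"Contact {c}", "email": f"{c}@example.org"} for c in "abc"]
SAMPLES = [
    ("https://api.app-one.invalid/contacts/add", plistlib.dumps(CONTACTS)),
    ("http://api.app-two.invalid/friends?email=a%40example.org,b%40example.org,c%40example.org", b""),
    ("http://api.app-two.invalid/login", b"user=me&password=hunter2&uid=0000"),
    ("https://api.app-two.invalid/feed?page=2", b""),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(url.split("?")[0], audit_request(url, body))
```
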