Independent testing finds that Path isn’t the only offending iOS app uploading contact data from mobile devices without user consent. Foursqaure, Twitters and other are also guilty.
Several popular online services, including Foursquare and
Twitter, are guilty of slurping up large amounts of personal data through their
mobile applications without getting explicit permission from users. Now that
they have been caught, these iOS developers, along with Apple, are promising to
start warning users first.
On Feb. 8, Arun
Thampi, a software developer, disclosed reported that the popular
diary app Path was uploading the entire address book from the user's iPhone to
the company's servers without warning users. After a widespread outcry about
violating user privacy, Path CEO Dave Morin apologized later that day and
announced the latest version would explicitly require the user to opt-in to
upload the information. However, more research by Paul Haddad, a developer with
Tapbots, shows that
Path was not alone in this kind of behavior, The Next Web reported.
Foursquare is another offender, as its iOS app uploads all
the email addresses and phone numbers in the address book with no warning or
asking users for consent, Haddad told The Next Web. The latest update, released
Feb. 14, now warns users before doing so. Popular photo app Instagram did the
same thing until Feb. 11, when it quietly updated the app to inform users that
contact data will be uploaded when using the "Find Friends" feature.
Facebook's iOS app appears to send email addresses, phone
numbers and names from the address book but warns users first, according to
However there are a group of apps, such as Yahoo! Messenger,
Google+, and Skype, that hooked into the Address Book framework in iOS but did
not appear to be sending any information, Haddad found. These apps had the
capability to grab the data and use it locally, but have not done so yet.
Twitter is another major company backpedaling after reports found
that its iOS app is grabbing and storing user contacts information without
explicitly warning the user. When a user selects the "Find Friends"
option on the iOS app, the app uploads all the email addresses and phone
numbers stored in contacts on the device's address book and keeps it on its
servers for 18 months.
Twitter has promised to update the app "soon" with
"more explicit" language on what the option does with user data.
Users who don't want Twitter to retain the contacts data can request the
information be removed by clicking on the tiny "remove" link on Twitter's Import page.
"Most of us would like to be explicitly alerted when an
app decides to this," Carole Theriault wrote on the Sophos
Naked Security blog.
Online services are "trying to take advantage of the naivety
of their users, rather than look after them," Theriault wrote. When social
media platforms depend on users to create accounts and use the services to be
successful, then they should make more of an attempt to protect users,
In a recent mobile threats report, Juniper Networks warned
about a growing number of mobile apps that were "suspicious, but not
malicious." These apps are likely to request more device permissions than
they actually need, share excessive amounts of data with third parties, or
access features and data without obtaining explicit consent.
Of the approximately 790,000 apps analyzed by Juniper, 30
percent obtained device location data without explicit consent, according to
the report. A little less than 15 percent of the apps requested permission to
initiate calls without user intervention, and 5 percent asked to be allowed to
send SMS messages without user knowledge. Another 6 percent wanted permission
to view all accounts saved on the device, including email and social networking
Apple has been roundly criticized for not explicitly
building in controls in its iOS framework to make developers ask permission
before grabbing user data. In response to Congressional inquiry, Apple has
promised to update the iOS framework to require permission, Reuters reported.