Several popular online services, including Foursquare and Twitter, are guilty of slurping up large amounts of personal data through their mobile applications without getting explicit permission from users. Now that they have been caught, these iOS developers, along with Apple, are promising to start warning users first.
On Feb. 8, Arun Thampi, a software developer, reported that the popular diary app Path was uploading the entire address book from the user’s iPhone to the company’s servers without warning users. After a widespread outcry about violating user privacy, Path CEO Dave Morin apologized later that day and announced the latest version would explicitly require the user to opt in to upload the information. However, more research by Paul Haddad, a developer with Tapbots, shows that Path was not alone in this kind of behavior, The Next Web reported.
Foursquare is another offender, as its iOS app uploads all the email addresses and phone numbers in the address book without warning users or asking for their consent, Haddad told The Next Web. The latest update, released Feb. 14, now warns users before doing so. Popular photo app Instagram did the same thing until Feb. 11, when it quietly updated the app to inform users that contact data will be uploaded when using the “Find Friends” feature.
Facebook’s iOS app appears to send email addresses, phone numbers and names from the address book but warns users first, according to Haddad’s analysis.
However, there is a group of apps, such as Yahoo! Messenger, Google+, and Skype, that hooked into the Address Book framework in iOS but did not appear to be sending any information, Haddad found. These apps had the capability to grab the data and use it locally, but have not done so yet.
Twitter is another major company backpedaling after reports found that its iOS app is grabbing and storing user contact information without explicitly warning the user. When a user selects the “Find Friends” option on the iOS app, the app uploads all the email addresses and phone numbers stored in contacts on the device’s address book and keeps them on its servers for 18 months.
Twitter has promised to update the app “soon” with “more explicit” language on what the option does with user data. Users who don’t want Twitter to retain the contacts data can request the information be removed by clicking on the tiny “remove” link on Twitter’s Import page.
“Most of us would like to be explicitly alerted when an app decides to do this,” Carole Theriault wrote on the Sophos Naked Security blog.
Online services are “trying to take advantage of the naivety of their users, rather than look after them,” Theriault wrote. When social media platforms depend on users to create accounts and use the services to be successful, then they should make more of an attempt to protect users, Theriault argued.
In a recent mobile threats report, Juniper Networks warned about a growing number of mobile apps that were “suspicious, but not malicious.” These apps are likely to request more device permissions than they actually need, share excessive amounts of data with third parties, or access features and data without obtaining explicit consent.
Of the approximately 790,000 apps analyzed by Juniper, 30 percent obtained device location data without explicit consent, according to the report. A little less than 15 percent of the apps requested permission to initiate calls without user intervention, and 5 percent asked to be allowed to send SMS messages without user knowledge. Another 6 percent wanted permission to view all accounts saved on the device, including email and social networking accounts.
Apple has been roundly criticized for not explicitly building controls into its iOS framework to make developers ask permission before grabbing user data. In response to a Congressional inquiry, Apple has promised to update the iOS framework to require permission, Reuters reported.