Login

iOS apps and the address book: who has your data, and how they're getting it

iOS contacts mitm 1024

Over the course of the past week, a firestorm has erupted in the world of iOS apps, thanks to the discovery that Path was uploading data from your iPhone's address book without asking for explicit permission. Upon opening the app and registering, Path automatically uploaded your contact data in order to "find friends" that you might want to connect to. Path has since apologized and updated its app, but the problem exposed by the episode remains.

Stated simply: any iOS app has complete access to a large amount of data stored on your iPhone, including your address book and calendar. Any iOS app can, without asking for your permission, upload all of the information stored in your address book to its servers. From there, the app developer can either use it to help find your friends, store it in perpetuity, or do any number of other things with it.

Over the course of the past day, we have been using the method explained by Arun Thampi (who discovered Path's privacy violation) to investigate several dozen popular iOS apps. Our findings should bring both comfort and concern to any iPhone user — and to be frank the work of doing a similar investigation on Android and other platforms remains to be done.

Presented below are our findings so far, but we consider this to be an ongoing project. It's nearly impossible to prove a negative, so instead we simply need to test as many apps as possible to determine which apps are uploading your data. Without further ado, here's what we've discovered so far.

Update: Apple has finally made a statement on the matter, promising a future update to iOS that will require explicit user permission to access contact data.

Methodology

The way to tell if an app is uploading any data to a server is simply to watch all the outgoing data that it is sending. Fortunately, Thampi has laid out a relatively simple way to do this, based on a common methodology called "Man in the middle." You need to set up a program on a computer, in this case mitmproxy, to track all outgoing and incoming data. Having done this, you re-route your iPhone to send all data through your computer via a proxy instead of connecting directly to your Wi-Fi router or your carrier.

In almost all of the cases we tested, that data was fairly-well encrypted as it connected via a secure HTTPS connection instead of an insecure HTTP connection. Also, in most cases, data was submitted via a "post" command, though in some cases data was submitted via a "get" command, which is roughly equivalent to typing a URL into a browser. In at least one case, we have an example of an app sending insecure data via this method, though the app (Hipster) has since been updated. More on it below.

This method is fairly cumbersome, as it requires you to examine each and every outgoing piece of data. It also means that sometimes we can't see everything that's sent and generally introduces some uncertain variables in the tracking process. For example, although Dragon Dictation clearly warns you that it is uploading contact names for better transcription, we didn't see that data pass though the standard port we were tracking. Again, it's hard to prove a negative.

Mitmproxy

Egregious offenders

The absolute worst case scenario is an app uploading your address book data without either informing you of its actions or without presenting you with a clear and obvious button that implies what it's about to do.

Until its update, Path definitely fell into this category. Hipster also had this problem, as discovered by Mark Chang. Hipster deserves an extra level of scorn because it sent its information via an insecure HTTP "get" request — essentially putting a large portion of your address book data in a completely insecure URL. Those URLS, as we have learned from the Carrier IQ fiasco, can be visible to your carrier.

So far, we have only seen this auto-uploading behavior from apps that a user might reasonably expect to look for friend information. We have yet to find any apps that simply grab and upload address book information for no discernible reason, but unfortunately that doesn't mean they're not out there.

One app that does it right now is Foursquare, as originally discovered by Tapbot developer Paul Haddad. We've confirmed ourselves that upon creating a new account in Foursquare, the app sends your address book information to its servers. Again, this is surely to assist in finding friends, but absent any explicit choice or warning for the user, it's a serious problem.

Foursquare acknowledged the issue via Twitter and has promised an update very soon — it may be out by the time you read this. Update: in fact, Foursquare has been updated, with a pop-up notification that clearly explains what's happening and that Foursquare does not (nor ever has) store your data.

Luckily, the list seems small and is getting smaller by the day
Foursquare
Clear-cases2
Angrybirds
Angry Birds can get access, but it takes some work on your part Angry-birds-mitm

Clear Cases

The next set of apps are those that are uploading your address book but do so only when you initiate an action in the app. We are differentiating these apps from the "explicit warner" apps that present a standard iOS pop-up dialog when you are about to upload contact information. Instead, you'll often tap an element that reads something like "Find friends." In all of these cases, the user is specifically requesting that the app locate people — though it's not necessarily always clear that your entire address book is being uploaded.

There are some obvious examples of apps that use this method. Twitter, Facebook, and LinkedIn are all social apps that can and do upload your address book, though in each case you need to tap a button to make it happen.

Gowalla will upload email addresses after tapping through "Find Friends" and "Address Book" without making it entirely clear that you will be uploading that information. Foodspotting is a worse case. Although it does not send any address book information until you tap "Follow People" a few levels deep, it uploads your entire email list in clear text to an insecure HTTP address. The company told Venturebeat it intends to beef up security in the next update.

A set of apps that is less obvious is games. We have found that a specific class of games can upload your contact information after you tap a button that is not entirely clear. The games are those that connect to Chillingo's "Crystal" game service, and they include both Angry Birds and Cut-The-Rope. In these cases, a user needs to go through an admittedly convoluted set of steps in order to connect their game to the Crystal network, but once connected, there is a button labelled "Invite from Contacts" with a further misleading description "Send an invite from your local contacts." Whereas on some apps, this would bring up built-in iOS dialog to select a contact, in the case of Chillingo games your address book is uploaded so that it can give you a list of names that matches the look and feel of the app. Although this method is slightly problematic, it is usually buried deep within an app's settings in a place most users won't bother with because that functionality is already handed by Apple's Game Center (more on that in a bit).

Although these apps do not present an immediate problem, as they require user interaction before uploading data, there is still a pressing question. It is not clear at all exactly what happens to this data once it's uploaded. Most of these apps do not clearly state whether or not they retain your data, offer it to third parties, use it for data mining, or delete it after you've searched for friends. There has been some talk about how common this type of data uploading is — Dustin Curtis suggests that an unnamed 13 of 15 popular social apps import and use this data. We'll also note that it's highly unlikely that most developers are doing any sort of work to anonymize your information. The vast majority of apps we tested — whether they upload your address book information or not — can and do upload other identifying information from your iPhone, including the phone's unique UDID identifier and in many cases even the "Name" of the iPhone you enter into iTunes when setting it up.

In short, these app developers can get a pretty good idea of who you are and who you know, but we don't know what they are doing with that information.

Explicit Warners

The next group of apps are those that explicitly warn you that you are about to upload your address book information. Many of these, it should be said, have done so only recently as a result of this address book drama, but nevertheless do deserve credit for their (at least current) transparency. Path and Hipster are the two most famous examples (soon to be joined by Foursquare), but Instagram also falls on this list.

Hipster

Instapaper is another example of an app that tells the user exactly what's going on when you are looking for friends, and developer Marco Arment has further elaborated on his security and data retention policies (they're good). Arment joins many others in calling on Apple to require app developers to be equally explicit.

Although presenting users with multiple permissions pop ups can be an annoying pain (and cause them to be fatigued and just tap "OK" on anything they see), this behavior can and ought to be the norm.

The surprising data defenders

There is one company that has done more to protect users from having their address books uploaded than any other, and its name may surprise you: Facebook. Yes, the company that everybody loves to deride (and in many cases, rightfully so) for playing fast and loose with user privacy is actually the unexpected white knight in this entire data privacy debacle.

The reason is actually quite simple: many, many apps now simply use Facebook to identify and connect users with their friends. Instead of uploading and matching address book information themselves, a large swath of app developers instead choose to plug into the "Open Graph."

One set of games in particular that might surprise you is everything we tested by Zynga, including Words with Friends and Scramble Free. Zynga is inexorably tied to Facebook, and so doesn't appear to be directly uploading your local address book information — even in cases where you register directly instead of registering through Facebook.

Now, in a sense this offloads all of those data privacy issues onto Facebook, but Facebook is subject to quite a lot more daylight than your average independent developer house. What's more, users generally tend to think (or at least should tend to think) of Facebook friends as a more public data set, which theoretically ameliorates some privacy concerns.

Facebook is the unexpected white knight in this entire data privacy debacle

Twitter also gets an honorable mention here with its friend connect feature, as it's often used side-by-side with Facebook both for authentication and friend-finding.

Apple's own Game Center software also plays a major role. Instead of requiring game developers to create their own network, Game Center offloads that work (and its related privacy concerns) onto Apple. We've already pointed out that Chillingo's Crystal network collects address book information, but another common gaming network called Open Feint does not — at least in our testing so far.

There is also a surprisingly large set of apps that do not appear to upload address book information when we expected that they would. Pinterest, Skype, Flipboard, Shazam, Pandora, Rdio, Meebo, Netflix, Google+, Skype, TripIt, and Color are all examples of apps where we were unable to find evidence of address book uploads. Granted, most of these apps work by downloading their own social graphs rather than asking you to upload yours, but nevertheless they don't appear to be uploading that data (again, as we've said multiple times now, it's possible that any and all of the above are uploading via a method we failed to track).

The policy fix failed, it's time for a technical one

At this point, it's important to point out a few things. First, this issue may not be confined strictly to Apple, but Apple is the company that most obviously attempts to curate its app selection in order to protect users. In fact, Apple's own App Store Guidlines have explicitly forbidden this type of behavior since 2010:

17.1: Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used

17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected

However, even Apple cannot fully vet every single app for all the information it uploads, as has been demonstrably proven by Path, Hipster, Foursquare, and quite possibly others. The App Store policy is not a scalable solution (though reasonable and intelligent people like David Smith can and do disagree).

There is an interim technical solution that app developers can implement right now, and it involves anonymizing address book information before uploading it. Matt Gemmell goes into great detail on how to use "hashing" to make contact information anonymous yet still viable for social connections. It's a clever and workable solution, but it still requires buy-in from individual app developers.

Another angle is to simply accept Facebook's near-complete monopoly on social connections and trust apps that use it more than apps that collect your contact information directly. While that is a pragmatic solution for now, it would be nice to believe that we can find a way to form online social networks without giving all of our data to Mark Zuckerberg.

Instagram
Twitter-2

The proper technical solution is for iOS to limit access to the contacts database for all apps, so that an app must ask the user for explicit permission to access it. Apple already does this for location information. Yes, this solution is likely to break functionality for a wide swath of apps and it also brings up the earlier-mentioned problem of "alert fatigue," but neither of those issues should be considered deal-breakers when weighed against the potential privacy issues of unfettered access to contact information. As things stand today, any one of the over half a million iOS apps currently in the market can access your address book without your knowledge or permission.

If and until Apple restricts access to private information on iOS, the best technical solution we have is vigilance. Perhaps an enterprising software developer can construct a "Man in the middle" program to automatically scan for address book data to speed up testing. In the meantime, if you have the technical prowess to examine the data sent by an iOS app, please let us know in the comments below and we'll update this article with any new information we can gather.

We've reached out to Apple for comment, and we're still waiting to hear back on specific questions related to the matter. We'll update the post when and if we get word.

The Verge
X
Log In Sign Up

forgot?
Log In Sign Up

Please choose a new Verge username and password

As part of the new Verge launch, prior users will need to choose a permanent username, along with a new password.

Your username will be used to login to Verge going forward.

I already have a Vox Media account!

Verify Vox Media account

Please login to your Vox Media account. This account will be linked to your previously existing Eater account.

Please choose a new Verge username and password

As part of the new Verge launch, prior MT authors will need to choose a new username and password.

Your username will be used to login to Verge going forward.

Forgot password?

We'll email you a reset link.

If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.

Forgot password?

Try another email?

Almost done,

By becoming a registered user, you are also agreeing to our Terms and confirming that you have read our Privacy Policy.
Spinner.vc97ec6e

Authenticating

Great!

Choose an available username to complete sign up.

In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.