Login
Feature
Over the course of the past week, a firestorm has erupted in the world of iOS apps, thanks to the discovery that Path was uploading data from your iPhone's address book without asking for explicit permission. Upon opening the app and registering, Path automatically uploaded your contact data in order to "find friends" that you might want to connect to. Path has since apologized and updated its app, but the problem exposed by the episode remains.
Stated simply: any iOS app has complete access to a large amount of data stored on your iPhone, including your address book and calendar. Any iOS app can, without asking for your permission, upload all of the information stored in your address book to its servers. From there, the app developer can either use it to help find your friends, store it in perpetuity, or do any number of other things with it.
Over the course of the past day, we have been using the method explained by Arun Thampi (who discovered Path's privacy violation) to investigate several dozen popular iOS apps. Our findings should bring both comfort and concern to any iPhone user — and to be frank the work of doing a similar investigation on Android and other platforms remains to be done.
Presented below are our findings so far, but we consider this to be an ongoing project. It's nearly impossible to prove a negative, so instead we simply need to test as many apps as possible to determine which apps are uploading your data. Without further ado, here's what we've discovered so far.
Update: Apple has finally made a statement on the matter, promising a future update to iOS that will require explicit user permission to access contact data.
The way to tell if an app is uploading any data to a server is simply to watch all the outgoing data that it is sending. Fortunately, Thampi has laid out a relatively simple way to do this, based on a common methodology called "Man in the middle." You need to set up a program on a computer, in this case mitmproxy, to track all outgoing and incoming data. Having done this, you re-route your iPhone to send all data through your computer via a proxy instead of connecting directly to your Wi-Fi router or your carrier.
In almost all of the cases we tested, that data was fairly-well encrypted as it connected via a secure HTTPS connection instead of an insecure HTTP connection. Also, in most cases, data was submitted via a "post" command, though in some cases data was submitted via a "get" command, which is roughly equivalent to typing a URL into a browser. In at least one case, we have an example of an app sending insecure data via this method, though the app (Hipster) has since been updated. More on it below.
This method is fairly cumbersome, as it requires you to examine each and every outgoing piece of data. It also means that sometimes we can't see everything that's sent and generally introduces some uncertain variables in the tracking process. For example, although Dragon Dictation clearly warns you that it is uploading contact names for better transcription, we didn't see that data pass though the standard port we were tracking. Again, it's hard to prove a negative.
The absolute worst case scenario is an app uploading your address book data without either informing you of its actions or without presenting you with a clear and obvious button that implies what it's about to do.
Until its update, Path definitely fell into this category. Hipster also had this problem, as discovered by Mark Chang. Hipster deserves an extra level of scorn because it sent its information via an insecure HTTP "get" request — essentially putting a large portion of your address book data in a completely insecure URL. Those URLS, as we have learned from the Carrier IQ fiasco, can be visible to your carrier.
So far, we have only seen this auto-uploading behavior from apps that a user might reasonably expect to look for friend information. We have yet to find any apps that simply grab and upload address book information for no discernible reason, but unfortunately that doesn't mean they're not out there.
One app that does it right now is Foursquare, as originally discovered by Tapbot developer Paul Haddad. We've confirmed ourselves that upon creating a new account in Foursquare, the app sends your address book information to its servers. Again, this is surely to assist in finding friends, but absent any explicit choice or warning for the user, it's a serious problem.
Foursquare acknowledged the issue via Twitter and has promised an update very soon — it may be out by the time you read this. Update: in fact, Foursquare has been updated, with a pop-up notification that clearly explains what's happening and that Foursquare does not (nor ever has) store your data.
Luckily, the list seems small and is getting smaller by the day
Angry Birds can get access, but it takes some work on your part
The next set of apps are those that are uploading your address book but do so only when you initiate an action in the app. We are differentiating these apps from the "explicit warner" apps that present a standard iOS pop-up dialog when you are about to upload contact information. Instead, you'll often tap an element that reads something like "Find friends." In all of these cases, the user is specifically requesting that the app locate people — though it's not necessarily always clear that your entire address book is being uploaded.
There are some obvious examples of apps that use this method. Twitter, Facebook, and LinkedIn are all social apps that can and do upload your address book, though in each case you need to tap a button to make it happen.
Gowalla will upload email addresses after tapping through "Find Friends" and "Address Book" without making it entirely clear that you will be uploading that information. Foodspotting is a worse case. Although it does not send any address book information until you tap "Follow People" a few levels deep, it uploads your entire email list in clear text to an insecure HTTP address. The company told Venturebeat it intends to beef up security in the next update.
A set of apps that is less obvious is games. We have found that a specific class of games can upload your contact information after you tap a button that is not entirely clear. The games are those that connect to Chillingo's "Crystal" game service, and they include both Angry Birds and Cut-The-Rope. In these cases, a user needs to go through an admittedly convoluted set of steps in order to connect their game to the Crystal network, but once connected, there is a button labelled "Invite from Contacts" with a further misleading description "Send an invite from your local contacts." Whereas on some apps, this would bring up built-in iOS dialog to select a contact, in the case of Chillingo games your address book is uploaded so that it can give you a list of names that matches the look and feel of the app. Although this method is slightly problematic, it is usually buried deep within an app's settings in a place most users won't bother with because that functionality is already handed by Apple's Game Center (more on that in a bit).
Although these apps do not present an immediate problem, as they require user interaction before uploading data, there is still a pressing question. It is not clear at all exactly what happens to this data once it's uploaded. Most of these apps do not clearly state whether or not they retain your data, offer it to third parties, use it for data mining, or delete it after you've searched for friends. There has been some talk about how common this type of data uploading is — Dustin Curtis suggests that an unnamed 13 of 15 popular social apps import and use this data. We'll also note that it's highly unlikely that most developers are doing any sort of work to anonymize your information. The vast majority of apps we tested — whether they upload your address book information or not — can and do upload other identifying information from your iPhone, including the phone's unique UDID identifier and in many cases even the "Name" of the iPhone you enter into iTunes when setting it up.
In short, these app developers can get a pretty good idea of who you are and who you know, but we don't know what they are doing with that information.
The next group of apps are those that explicitly warn you that you are about to upload your address book information. Many of these, it should be said, have done so only recently as a result of this address book drama, but nevertheless do deserve credit for their (at least current) transparency. Path and Hipster are the two most famous examples (soon to be joined by Foursquare), but Instagram also falls on this list.
Instapaper is another example of an app that tells the user exactly what's going on when you are looking for friends, and developer Marco Arment has further elaborated on his security and data retention policies (they're good). Arment joins many others in calling on Apple to require app developers to be equally explicit.
Although presenting users with multiple permissions pop ups can be an annoying pain (and cause them to be fatigued and just tap "OK" on anything they see), this behavior can and ought to be the norm.
There is one company that has done more to protect users from having their address books uploaded than any other, and its name may surprise you: Facebook. Yes, the company that everybody loves to deride (and in many cases, rightfully so) for playing fast and loose with user privacy is actually the unexpected white knight in this entire data privacy debacle.
The reason is actually quite simple: many, many apps now simply use Facebook to identify and connect users with their friends. Instead of uploading and matching address book information themselves, a large swath of app developers instead choose to plug into the "Open Graph."
One set of games in particular that might surprise you is everything we tested by Zynga, including Words with Friends and Scramble Free. Zynga is inexorably tied to Facebook, and so doesn't appear to be directly uploading your local address book information — even in cases where you register directly instead of registering through Facebook.
Now, in a sense this offloads all of those data privacy issues onto Facebook, but Facebook is subject to quite a lot more daylight than your average independent developer house. What's more, users generally tend to think (or at least should tend to think) of Facebook friends as a more public data set, which theoretically ameliorates some privacy concerns.
Facebook is the unexpected white knight in this entire data privacy debacle
Twitter also gets an honorable mention here with its friend connect feature, as it's often used side-by-side with Facebook both for authentication and friend-finding.
Apple's own Game Center software also plays a major role. Instead of requiring game developers to create their own network, Game Center offloads that work (and its related privacy concerns) onto Apple. We've already pointed out that Chillingo's Crystal network collects address book information, but another common gaming network called Open Feint does not — at least in our testing so far.
There is also a surprisingly large set of apps that do not appear to upload address book information when we expected that they would. Pinterest, Skype, Flipboard, Shazam, Pandora, Rdio, Meebo, Netflix, Google+, Skype, TripIt, and Color are all examples of apps where we were unable to find evidence of address book uploads. Granted, most of these apps work by downloading their own social graphs rather than asking you to upload yours, but nevertheless they don't appear to be uploading that data (again, as we've said multiple times now, it's possible that any and all of the above are uploading via a method we failed to track).
At this point, it's important to point out a few things. First, this issue may not be confined strictly to Apple, but Apple is the company that most obviously attempts to curate its app selection in order to protect users. In fact, Apple's own App Store Guidlines have explicitly forbidden this type of behavior since 2010:
17.1: Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used
17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected
However, even Apple cannot fully vet every single app for all the information it uploads, as has been demonstrably proven by Path, Hipster, Foursquare, and quite possibly others. The App Store policy is not a scalable solution (though reasonable and intelligent people like David Smith can and do disagree).
There is an interim technical solution that app developers can implement right now, and it involves anonymizing address book information before uploading it. Matt Gemmell goes into great detail on how to use "hashing" to make contact information anonymous yet still viable for social connections. It's a clever and workable solution, but it still requires buy-in from individual app developers.
Another angle is to simply accept Facebook's near-complete monopoly on social connections and trust apps that use it more than apps that collect your contact information directly. While that is a pragmatic solution for now, it would be nice to believe that we can find a way to form online social networks without giving all of our data to Mark Zuckerberg.
The proper technical solution is for iOS to limit access to the contacts database for all apps, so that an app must ask the user for explicit permission to access it. Apple already does this for location information. Yes, this solution is likely to break functionality for a wide swath of apps and it also brings up the earlier-mentioned problem of "alert fatigue," but neither of those issues should be considered deal-breakers when weighed against the potential privacy issues of unfettered access to contact information. As things stand today, any one of the over half a million iOS apps currently in the market can access your address book without your knowledge or permission.
If and until Apple restricts access to private information on iOS, the best technical solution we have is vigilance. Perhaps an enterprising software developer can construct a "Man in the middle" program to automatically scan for address book data to speed up testing. In the meantime, if you have the technical prowess to examine the data sent by an iOS app, please let us know in the comments below and we'll update this article with any new information we can gather.
We've reached out to Apple for comment, and we're still waiting to hear back on specific questions related to the matter. We'll update the post when and if we get word.
Comments
Omg iOS is so insecure!
binglut9 - February 14, 2012
Sarcasm or serious?
Macman156 - February 14, 2012
Sarcasm since if this was android all holy hell would be unleashed…..how android is so insecure blah blah
binglut9 - February 14, 2012
If this was Android, the sh*tstorm would definitely begin…
Plazmic Flame - February 14, 2012
Old news… Not as big a scene as with Apple, perhaps because people understand that Android apps are not inspected by anyone.
Alrescha - February 14, 2012
So wouldn’t this be worse since apple checks every app and seems not to care that iPhone users data are uploaded without people knowing?
binglut9 - February 14, 2012
Isn’t that pretty much what I said?
Alrescha - February 14, 2012
No you said that its not a bigger deal because apple checks it and I said wouldn’t it be bigger because apple ignores the threat
binglut9 - February 14, 2012
“not as big a scene as with Apple”
read again, bro ;)
curtisas - February 14, 2012
No it’s not what you said, and you got pwned.
x-EagleEye-x - February 15, 2012
This isn’t a fight, grow up.
jaggedspike - February 15, 2012
Pot, kettle, black.
Mike10010100 - February 15, 2012
Sure kid. Whatever you say.
x-EagleEye-x - February 15, 2012
I never fully appreciated the illiteracy problem until now. Thank you for bringing it to my attention. I weep for the future.
Alrescha - February 15, 2012
If this was Android….
Oh wait, Android shows you (via permissions) which apps access what type of information when you install them.
At least give credit where credit is due instead of provoking a flame war on a “what if scenario.”
TOMMMMMM - February 14, 2012
If you bother to look. It doesn’t do you a whole lot of good if you treat the list of permissions like a TOS/EULA and don’t read it before installing (which many people do).
archie4oz - February 14, 2012
Oh, you mean this dialog that pops up before you install any app?
Nice try.
TOMMMMMM - February 14, 2012
Yes it is a nice try… Now did you read it all,? Because you still need to scroll down to the bottom to notice that it reads your contact list. Or did you just click Accept and Download. A lot of applications and services will display a TOS or EULA, but do you read all 40+ pages or do you just click OK/Accept?
Having an application display permissions is nice (and I do like it), however my point still stands, if people treat it like they do a EULA/TOS.
Personally I’d prefer some sort of callback method be required so that the permission is ‘tested’ when first invoked by the application and the user is notified of the applications intention. Subsequently the user can chose to dismiss the notification or disable further notifications. That way the app may still be useable, however certain aspects (like providing location or accessing a contact list can be disabled).
archie4oz - February 14, 2012
It’s still ultimately the end users obligation to read those warnings. The messages that pop up before you agree to download are no way as legal and confusing as a EULA. The point remains three fold: warn users they get pissed, Over-warn users, they get pissed, Don’t warn users at all, they get pissed.
JestaMcMerv - February 14, 2012
Permissions are not 40+ pages. Generally they are maybe 1 and a half screen lengths long equating to about 15 lines of text.
Mistercow - February 14, 2012
When I scroll “all the way down,” which is only two more items off screen, I am clearly given all the permissions called for. If I am curious, I can click on one and it gives me more info such as
TOMMMMMM - February 15, 2012
I don’t know what your asking for, it’s not convoluted nor is it 40 pages long.
TOMMMMMM - February 15, 2012
This. Doesn’t. Matter.
The permissions list is a list that the developer has written to warn you, if they wanted your address book details but didn’t want to tell you they wouldn’t have to. It would take investigative journalism to find this behaviour. Just as it took investigative journalism (note: henceforth devs are now journalists) to reveal Path’s (and those mentioned above) naughtiness.
wellplacedcomma - February 15, 2012
That’s not how Android permissions work at all.
For various API’s, Android requires specific permissions be granted to the app. For example, to read your contacts, calendar, or get your location (GPS or network triangulation). A part of each Android app is a “manifest”. It’s an XML file that tells the OS about the app. A part of the manifest is the permissions required by the OS for the app to access the API’s it needs. What the OS is showing you when you install and app is the list of permissions that the app has declared in its manifest.
So what happens if an app tries to access an API that requires permissions it didn’t declare in the manifest? An error that crashes the app if the app doesn’t handle it. The app is not permitted to access the API. If you would like to read more, here’s the official documentation on the subject.
Too long; didn’t read: If the permission exists and isn’t in the list that the Android OS shows you before you install an app, the OS doesn’t let the app access the API’s (and therefore the data) associated with that permission.
dcormier - February 15, 2012
+1, i knew intelligent commenters still exist on the internet.
Prince_Ali - February 15, 2012
I agree. I love how people just assume they know how Android permissions work without any knowledge on the subject. It amazes me how people think devs can just say one permission and have it do anything it wants.
Jeremy J. - February 17, 2012
Seconding what dcormier says. You really don’t know what you’re talking about.
Mike10010100 - February 15, 2012
Another iTard OWNED!
Hugo Pinto - February 15, 2012
Wtf? No!
This is actually one area where android excels in terms of security/clarity. As dcormier explained so clearly, when you’re developing an app you have to explicitly indicate which permissions you’ll use. There’s no way to access any feature/data on a user’s phone without first enabling the permissions.
While it may be a tedious long list for the user to go through, the onus i son them if they are concerned about an app going through their phone.
sag969 - February 15, 2012
Whoooaaaah. Okay. I’m never going to trust the guy that told me that again. Thank’s for clarification. Also, it’s insane how few news sites said that the Rufraud places DID list SMS in the permissions list.
tldr: Sorry, man.
wellplacedcomma - February 15, 2012
It really is mind blowing sometimes what developers will request permission for. And honestly, most users (I’ve done it myself on occasion) will completely ignore all the permission warnings and just install the app.
Still, its currently a better system than apple where there is no transparency at all with what the app is doing.
sag969 - February 15, 2012
It is definitely better. Last I used Android was on my G1 and I think I remember some devs asking for crazy things back then too. Oh well.
wellplacedcomma - February 15, 2012
Thanks for actually replying (even if it wasn’t directly to me). I was curious what your response to that would be, but really didn’t expect you to respond.
dcormier - February 16, 2012
Yeah, I usually lurk so got confused about what level to reply at.
I trusted my friend without doing any research, after yours (and other’s) posts I tried to back up my point to discover I’d been a dumbass :)
wellplacedcomma - February 16, 2012
This is in fact, not how it works on Android.
kaicherry - February 15, 2012
Thats why I like LBE Privacy Protector for Android. The user gets to configure permissions per each application. Once running, the app gives notice when apps are using permssions.
It’s interesting once you deny permissions to certain apps to see how many times they use them. Facebook asks for the contacts at least once an hour, flicker too.
pleasenopuffin - February 15, 2012
A little known Android trick is that you can actually read the contact’s names, starred status and last call time WITHOUT requiring or displaying READ_CONTACTS permission.
Sure, you can’t get the phone numbers without it, but put just this bit of info in the hands of a rogue developer with a good imagination and guess what you get..
Having said that most Android apps request far more permissions than reasonable and If you just show a big list of them like your screenshot Joe User won’t thnk twice before pressing accept. No trick even needed.
ath0 - February 14, 2012
Also, enough of blaming Android.
At a certain point “joe user” is responsible. Let’s stop babying society
tuftslax18 - February 15, 2012
Uhh…what?
I’ve only developed three apps, but I’ve never heard of this before, and can’t even figure out how that’d be accomplished.
Proof please.
sag969 - February 15, 2012
Google gets shit for being transparent in its policies. What does this say about human nature?
okungnyo - February 14, 2012
If this isn’t a shit storm I don’t know what is.
starxd - February 14, 2012
Security and privacy aren’t the same thing. Although the lack of one can lead to the lack of the other.
RobotPi - February 15, 2012
I hate these kind of arguments.
I have seen the Path story and the iOS vulnerability posted everywhere, the press talked about it, podcasts talked about it, online communities talked about it. This is not something that has blown right over.
Why claim that Android is always the victim while iOS get criticized constantly?
Kalahan - February 15, 2012
Walled “garden” with weeds. Needs weeding out. Whose a
fjpoblam - February 15, 2012
[interrupted by kitty] Whose a$$ is grass and who’s the lawnmower?
fjpoblam - February 15, 2012
Wait, I thought iOS had an app-based permission system like Android? Doesn’t it warn you in the app store about the resources an app has access to? I guess so but I’m not sure, I’m not an iPhone user.
If that’s the case (which seems likely AFAIK), why would people need to conduct deep security tests like these?
bilalakhtar - February 14, 2012
No it doesn’t have permissions like android
binglut9 - February 14, 2012
Sounds like something that is a good idea to implement in iOS 6.
CtrlAltDel121 - February 14, 2012
I agree I am very surprise That apple does not implement this but hopefully it will
binglut9 - February 14, 2012
Backwards compatibility. I bet they will just add screening process….
jalexoid - February 15, 2012
I agree. Or, just do what they do with notifications, location, twitter, etc, and other times where it connects to information on your phone.
Have the system throw up a dialogue box as soon as the API is called, unless it is invoked via the official API and have the user agree to it at a system level. If they don’t agree to it, then the system simply will not surrender that data to the application.
I always thought that was a good thing about iOS, especially with things like location.
Qassim - February 14, 2012
Question is what will you think of the user experience when the app crashes due to you saying no to an unreasonable demand? No, not you but an average user….
Problem there is obviously the fact that this will be a horrible UX decision, just like the old notification system….
jalexoid - February 15, 2012
If an app crashes from trying to access something that isn’t there, it is the fault of the developer 100%+. I have seen code where nil checking is not performed vigorously; it pisses me off to no end. There is no such thing as “needless error checking”…Not Crashing is a huge part of the UX :)
kaicherry - February 15, 2012
Why would it crash? If the application has been created properly, it wouldn’t crash at all – just like applications don’t crash when people disagree with providing location to the application.
If the application had to have access to the contacts for it’s functionality, then at most, all it should do is just throw up a screen that says it requires contacts functionality and to use the app, go into settings and give it that access, like is done with notifications.
This is a far better way than just listing the permissions an app requires, that normal people sometimes don’t fully understand nor read. This says “This applications wants to see your contacts, do you agree?”.
Qassim - February 16, 2012
5 bucks say they will and they will tout it as a “magical” and “industry leading” feature.
Either way, I’ll be happy wheny they do because I dont like being abused by app-makers like this.
Bahumbug - February 15, 2012
iOS should ask for permission but people keep forgetting that it wasn’t a problem that Path accessed you contacts. The problem was wath Path did with those after it got accessed.
A permissions dialogue is not going to change that. Path is a social app. It can very much access my contacts.
Kalahan - February 15, 2012
Problem is that you will probably be just giving any app access to your contacts data.
jalexoid - February 15, 2012
Wow. This is awesome reporting. Salute to you Dieter!
Matt Lyons - February 14, 2012
Thanks for this, finally someone puts it all out on the table. I was really annoyed that Path was getting all the flack while quite a few other apps have been doing exactly the same.
Carlos Pacheco - February 14, 2012
Let’s see, Path sent your data, without your permission, over an unencrypted connection, stored that data on their servers, and you’re annoyed that they were getting flack? Really?
Alrescha - February 14, 2012
Pretty sure he was annoyed that only Path was getting flack.
cwchase - February 14, 2012
Where the hell did only Path got flack?
Everywhere I have read about this I saw Apple take the blame more than Path.
Why is everyone claiming that Apple never gets criticized on stuff like this?
Apple should be criticized. iOS should have asked for permissions to access the contacts. Although that wouldn’t have stopped Path, a social app that people gladly give access to their contacts, from uploading your address book to the server.
Kalahan - February 15, 2012
First, was there any reason in particular that you assumed my clarification of Carlos Pacheco’s statement to mean that I also agreed with it?
Second, to further clarify, I believe that he was talking about why, among the set of Apps developers, Path was getting a disproportionate amount of flack.
cwchase - February 15, 2012
Sounds more like he was annoyed that the others weren’t getting the same amount of flack.
Cameronbic - February 14, 2012
Who else, at the time, was known to being doing what Path was doing?
Alrescha - February 14, 2012
Not unencrypted…
archie4oz - February 14, 2012
Apparently I was mis-informed. Thanks.
Alrescha - February 14, 2012
Fantastic piece, thanks Dieter!
the nucular man - February 14, 2012
I always knew Apple was shady and IOS was insecure, this comes as no surprise at all to me. Apple seems to like to feed people a “false sense of security”.
SparklingCyanide - February 14, 2012
Wouldn’t the best solution be to copy Android’s permissioning? Upon installing an app, it needs to declare what permissions it needs, and the user can then decide whether or not to install it?
Of course, the problem there is the user needs to be responsible… maybe a dual approach. Apple has to vet the app, AND the user needs to accept the permissions.
RandomName - February 14, 2012
I mean if you have permissions at least it would covet their ass
binglut9 - February 14, 2012
I’m pretty sure that coveting ass is in the Ten Commandments.
TheStrange - February 14, 2012
Thanks for the awesome joke!
pkson - February 14, 2012
Given the number of Android apps caught stealing information, one might hope that Apple copies something else.
Alrescha - February 14, 2012
Permissions are a good idea, but unfortunately most users are idiots and will click OK for anything (that goes for any platform, not just Android or iOS). It’d be a welcome move to add a permissions system to iOS for the rest of us that think, but this would go against Apple’s philosophy of protecting users from their own brainlessness.
r3loaded - February 14, 2012
“but this would go against Apple’s philosophy of protecting users from their own brainlessness”
But the current system doesn’t succeed on that front either.
Right now Apple is supposed to protect users from their own “brainlessness,” as you said. But there is no contingency to protect users from Apple’s brainlessness. The problem is that some people think Apple is infallible, and can never show any “brainlessness.”
Tikigawd - February 15, 2012
For example?
binglut9 - February 14, 2012
Stealing information?
I prefer to vet the apps I install myself using the permissions system (alongside reviews and developer reputation). If a game required permission to something that I deem it unworthy of (location, full internet access, contacts etc), it isn’t going anywhere near my handset. I’m warned prior to installing the thing!
That to me is one huge advantage over having some unknown (to me) Apple employee vet applications for me leaving me with no knowledge on what an app can access.
Of course, there are those that just gleam over the permissions screen upon installing an app. Those people need educating (which i hope great articles like this one will help educate them).
I’ve noticed even the WP7 apps I install have an overview on permissions on their marketplace page. Not sure if it is concise but it’s there!
Chaz_UK - February 14, 2012 via mobile
You might want to google ‘android apps stealing information’.
Alrescha - February 14, 2012
I did, and the results were all about unpopular apps in sketchy Chinese markets that didn’t display app permissions prior to install.
bilalakhtar - February 14, 2012
Why should he? He clearly has a good understanding of what is going on with his phone by utilizing the information provided by the permissions system.
DEZVOUS - February 14, 2012 via mobile
None of that applies in my situation. Look at the warnings I’m given in the posts prior to installing and application above by TOMMMMMM.
As I said before, even Microsoft lets users know what an app has permissions to prior to installing it:
The above image is for an app called “Contact Sender” on my HTC titan (not installed at this point). It makes total sense to have access to what it does.
If it was a simple flashlight app which needed that level of access I’d not install it.
Currently in iOS land, all I have to rely on is some Apple employee who may or may not have noticed what apps have access to which may lead to them letting things slip through the net.
All of the above is why I prefer Google and Microsoft’s systems when it comes to app permissions.
Chaz_UK - February 15, 2012
Euh… That description is entered by the developer. If the developer doesn’t wants you to know it accesses or uploads your contacts it can still hide it completely.
Kalahan - February 15, 2012
No it isn’t. That information comes from the app’s manifest file.
rikkit - February 15, 2012
And it will crash if it tried, at least on Android. It would have to use a security flaw to overcome the permission system.
But again, iOS also has had some nasty remote security flaws…
jalexoid - February 15, 2012
To follow up on rikkit’s post, from MS:
How can I tell if an application requires a specific phone feature?
Many applications or games you buy from Marketplace are designed to take advantage of specific hardware and software features of your Windows Phone. For example, a photo application might need to use your phone’s camera and a restaurant guide might need to know your location to provide nearby recommendations.
You can see what features an application requires by looking at the application’s details screen in Marketplace. Applications are required to ask you for permission before using certain phone features. Here’s a list of features you’ll see listed:
Source: http://www.microsoft.com/windowsphone/en-gb/howto/wp7/apps/download-apps-and-games-faq.aspx (May need a Windows Live login to view)
Chaz_UK - February 15, 2012
“stealing information?”
EXACTLY. the app TELLS the user what it has access to.
This article shouldnt pretend its breaking news, it should raise awareness that apps needing too many permissions need to be reeled in and re evaluated.
or that there needs to be a much more fine set of permissions that gives an app internet access without allowing it to siphon data.
lots of custom roms on android give you access to permission blocking, so android users dont have too much to worry about
Vellion - February 14, 2012
Instead of this lame method Apple should follow the mechanism they built for to protect access to locations information.
This way the user is not only asked to approve access at the beginning, but also at any time can see which apps have access and disable access to an app from this screen.
In addition, this mechanism should be implemented on address book and calendar access.
joeYYY - February 14, 2012 via mobile
Yes, I’d like this (actually, I’d be fine if no non-Apple apps could get at this data, but I expect I’m in the minority). Unfortunately I fear that many people would find another Location-style interface irritating, causing Apple to compromise.
Alrescha - February 14, 2012
You probably also loved the old notification system…..
jalexoid - February 15, 2012
The amount of apps “stealing” information is an absurdly small number
tuftslax18 - February 15, 2012
That’s more to do with users than with android.
If a chuck norris app requests access to your contacts list and the ability to read and send text messages and you install it…whose fault is that?
sag969 - February 15, 2012
Chuck Norris doesn’t need permissions; he rips the memory chip off the motherboard and reads the zeroes and ones himself.
Dave Ray - February 16, 2012
So I wiped my iPhone and have a mess of stuff set up on this. If anybody has any apps they’d like me to check, fire away and I’ll update.
Dieter Bohn - February 14, 2012
Wunderlist/Wunderkit, Pandora, Rdio, Speed Test.net would be lovely (I’m hoping that out of those none would upload).
MRCUR - February 14, 2012
I think you hit on every app I would have been curious about. fantastic article Dieter!
boetel - February 14, 2012 via mobile
Game Center – Somehow, I’ve added only one friend and it is suggesting people to me (whom I know in real life!) that have no connection to this friend. I have never hit the import from address book button, and most of these people recommended are not in my address book. Might this have to do with Facebook somehow? I don’t have all these people as friends, but a few are mutual and I have clicked on some of their profiles.
Samz2 - February 14, 2012
The VentureBeat investigation included Yelp, but you made no mention of it, so you might want to check it out.
A couple apps that set off warnings with jailbreak tweak ContactPrivacy:
Orchestra (to-do list app) and Flixster. Flixster especially warrants further investigation as it is not an app the user would ever expect to share contact data.
nandreetta - February 14, 2012
Yep, I’m investigating Yelp right now. It has a bunch of options and I want to ensure that I characterize what it’s doing and when correctly.
Dieter Bohn - February 14, 2012
I expected no less from The Verge. Not always the first coverage (often enough though). but usually the best.
nandreetta - February 14, 2012
You left out Instagram as well… Also Instapaper (along with many other apps) recently pushed updates with warning pop ups (so you’re about a week late). Although honestly, one doesn’t need to be a Singaporean hacker, or need a proxy to sniff traffic to logically deduce what’s obviously been going on for quite a LONG time. It really showcases how badly the tech journalism community missed this one for so long…
archie4oz - February 14, 2012
Nevermind, I just reread and noticed Instagram…
archie4oz - February 14, 2012
this seems pretty obvious… uhmmm… Viber? LOL!
converger - February 14, 2012
I could tell from the headline that Dieter wrote this article. Apparently the only things he writes are negatively slanted articles about Apple.
rappr - February 14, 2012 via mobile
Get real buddy, I like all other iOS users deserve to know what’s going on there. He didn’t use ANY loaded or misleading language in the headline or anywhere else in the article.
sausages - February 14, 2012
BOOMchakalaka. sausage has a point.
sdfx - February 14, 2012
I thought sausages were blunt?
TOMMMMMM - February 15, 2012
I agree but I would also very much like to see how this effects Android and Windows Mobile, or even desktop operating systems as well.
This is still very one sided.
Kalahan - February 15, 2012
Did you find any errors in his reporting or you just don’t like the fact that someone is telling the truth about Apple product?
lilo777 - February 15, 2012
No comparison to how other platforms handle this sort of stuff?
BenDTU - February 14, 2012 via mobile
Absolutely, very curious to see this as well.
sausages - February 14, 2012
You know it would turn into a giant flamewar.
jalexoid - February 15, 2012
Yeah, that’s really the only thing missing from this article.
sag969 - February 15, 2012
Why don’t you check out my post and the one about WP7 above. (Hint: see pictures)
TOMMMMMM - February 15, 2012
Still some unsettling questions, so far unanswered.
First, while it sounds good to quibble about sending data in clear text or not, the by far larger danger is in what happens to that data (how it is stored, who has access, how secure are the storage servers, etc) after it is sent. We’ve already had anecdotes (Bill Gates’s cell phone #, etc) that seem to show that what should be unauthorized use of address book data goes on. And if a created-in-a-weekend app stores your data on less than secure servers, gets popular, and becomes a convenient target for attack? That an app uses a secure connection to tranfer your data is far less troublesome than what could potentially be done with it once it’s transferred.
Second, what happens to data after you, say, delete the app? What usage rights do the apps continue to hold (especially if they didn’t ask your permission for use in the first place)? If you delete an app is your data deleted on the service?
Last, what are we opening ourselves up to when our address books are basically now public info? Who’s in your address book unbeknownst to you? A casual acquaintance, or a person you connected with via one of these services, who deals drugs or collects child porn? Are you leaving breadcrumb trails that you don’t know where they lead?
kip.kniskern - February 14, 2012
In the UK we have the Data Protection Act which covers these very topics. If a company stores customer information it must have a data protection officer and follow stringent guidelines on what it collects, how the data is stored, when it is deleted and so on. The Information Commissioner’s Office – http://www.ico.gov.uk/ – handles complaints about companies who don’t follow the rules and can issue fines and so on.
In terms of address books being public info, this is very much not the case. Your relationship with each app developer is a private one – they have no right to sell on the information you give them without explicit permission.
Dave Ray - February 16, 2012
5.0.2 here we come.
Robe1kenobe - February 14, 2012
this is really cool that people are taking the time to do this. it would be nice if this would keep growing and growing. covering ios and android. to tell peeps what apps are trusted and what are not. it is obvious that both sides have some issues.
for instance you go to the market for a flashlight app. the only one i found that did not require full internet access was the droid light by motorola. i was having so many battery issues with my att gs2 that i reset to factory and now i am really really careful as to what i download.
a database for these issues would rock. and yes… resetting my gs2 and being careful has brought me back to 1.5 days with a family gps tracker
needa - February 14, 2012
And that’s the whole point, every system has issues. Every device that connects to the internet is going to have some vulnerabilities, which is why it’s important to have articles like this so app developers know they will be held accountable for not keeping our data secure.
Jeremy J. - February 17, 2012
Am I the only one who just doesn’t care about this? I assumed that any social app I joined was uploading my contacts. How else could they find my friends and notify me when they join? Also, I don’t consider my contacts to be sensitive personal data. It’s my friends’ email addresses and phone numbers, I’m sure my friends have all given this info to at least a hundred different websites in the past year alone. Plus what is the harm? I liked when Path notified me when my friends joined. If the result of this hysteria is that this feature goes away, that will be a shame. Even if the worst happened, and one of these companies sold my contacts, then my friends would get one more piece of spam in their junk mail filters. Its just not in these companies interests to do something evil with your contacts. I’m sorry but this seems really trivial to me and I can’t figure out why people are so worked up about it.
starxd - February 14, 2012
The fact of the matter is that just because YOU don’t care, doesn’t mean that others don’t. I work in a studio with other smaller studios on the same floor. When someone comes looking for a fellow tenant, I don’t give out his phone number.
Ultimately, no single one of us is the arbiter of what is proper or improper usage for other people. At the very least, there are two criteria that should be met when it comes to an app.
1) tell the user what you’ll be doing with their information, be it location, contacts or whatever
2) handle it securely
If the user doesn’t like it, then they don’t need to use the app. The problem is that some of the apps listed fail to meet at least one of those two basic criteria.
TheStrange - February 14, 2012
Um, I never said that other people don’t care. In fact I said quite the opposite… It’s obvious that lots of people care, but I just don’t get why.
starxd - February 14, 2012
Well I wouldn’t want to be your friend then. Just shows how much you care about your friends’ information privacy. You do know that all of the information your friends/contacts provided you is given in confidence, do you?
Or if your friend told you he had HIV, would you just publicly disclose it to everyone you know? Because it’s that level of disclosure.
I would be OK if it was only my personal information, because that information is mine and I have the right to give it away intentionally or not. But my friends’ information is not mine to share. If you actually care about your friends, you will honour their right to privacy.
jalexoid - February 15, 2012
Wow, you think someone’s email address is the “same level of disclosure” as their HIV status???? LOL!
starxd - February 15, 2012
You’re comfortable with your contact information and that of your friends being transmitted:
1) Without your knowledge or consent
2) To an unknown remote location
3) Over a potentially insecure connection which can be easily intercepted?
That’s illegal here in the UK, and for good reason – this information is personal and private and companies need to show why they are collecting that information, what precisely they’re storing, when they delete it and so on. If you’re not bothered, then that’s your problem – most people want to be informed when their information is shared with other companies and want to be reassured that it won’t be sold on without their explicit consent.
Dave Ray - February 16, 2012
In the case of Path I was asked. It asked me if I wanted to search for friends, and then it gave my address book as an option, which I clicked. That’s how it works. If people are too dumb to figure out that the app has to upload your contacts in order to perform the matching, that’s their problem. How do you think it would work? Do they download their entire database of millions of users to your phone and perform the matching there? Of course not! They upload your contacts and send you back matches. I personally don’t need to be warned of the obvious, but apparently some people do.
starxd - February 16, 2012
Please read the original story here:
http://www.theverge.com/2012/2/7/2782947/path-ios-app-user-information-collected-privacy
http://www.theverge.com/2012/2/8/2785217/path-ios-address-book-upload-ceo-apology
The app has been UPDATED to ask permission. Their original privacy policy made no mention that user data was collected, either. That’s what the fuss is about, along with the fact that ANY app can do whatever the hell it likes with that same information without your knowledge. That goes for apps with no social features at all.
In answer to your question, it’s perfectly easy to hash user’s email addresses on the phone before transmitting those values to the company servers, if all they’re doing is matching users.
Dave Ray - February 16, 2012
I’m only talking about Path, the app that started this mass hysteria. I don’t need to read the article again, and I’m not talking about their privacy policy. I have no idea what’s in it because I didn’t read it. However I very distinctly remember the setup process when I joined Path a few weeks ago and, although they didn’t explicitly say it, it was painfully obvious to me that they would be uploading my contacts… And I didn’t care. If you do, that’s awesome, but I don’t.
starxd - February 16, 2012
Apple wouldn’t be changing iOS to support new permissions if this was just hysteria, or if only a single app was at fault.
If you don’t care about what apps do with your private information and those of your contacts, then you are very much in the minority, and I’m glad most people actually read the stories and came to a different conclusion than you.
Dave Ray - February 17, 2012
A lot of things are done in reaction to mass hysteria. That’s pretty much how PR works.
I read the stories, probably a lot more closely than most. I think most people just read the scary headlines and formed opinions without thinking the issues through. Any thinking person who really looks into this situation will see that it’s really not a big deal.
starxd - February 17, 2012
lol wait.
this is news? everyone knows cell phones data mine. It bothers me but I use android so I simply block permissions.
Vellion - February 14, 2012
Honestly this is extremely confusing to me.
what do people THINK it means when the application says its going to have access to all these permissions?
Vellion - February 14, 2012
The thing is, with Android the app tells you what its going to do (It can’t access anything outside the permissions it declares). With iOS, it doesn’t declare what information its going to access, you just need to trust that Apple looked through the code and made sure its not doing anything its not supposed to.
RandomName - February 15, 2012
Yeah but after you gave an app access to the contacts upon installation it can do with it whatever it wants, whenever it wants.
You would give access to your contacts for Path. It’s a social app. It is very reasonable to think you would like to send a post to a friend via email for example.
However, you wouldn’t want them to upload your address book to the server.
Kalahan - February 15, 2012
Please note that on the “surprising data defenders” part, Skype is listed twice.
DivinoAG - February 15, 2012
With out getting into the whole iOS vs the world debate: this was a great piece, and provided great information in a way that was very easy to understand, great job.
Gadginator - February 15, 2012
Just to improve on the way of doing this for anyone who would like to try it themselves, here are brief tips on how I test some iOS client/server applications for security issues:
Install any intercepting web proxy application on your PC. mitmproxy works, but you may prefer something like Burp, Paros, or Zed Attack Proxy. (common apps used by web application pen testers)
Configure whichever to listen on your system’s non-loopback IP. Figure out what that IP is. Join your iDevice to the same network (generally via Wifi). Set the Proxy (Settings → Wifi → Your SSID → HTTP Proxy) to the IP:Port of the proxy sitting on your PC. Now (nearly) all application traffic for your apps route through the proxy application.
The graphical app is a little nicer and easier to use. You can intercept the requests and modify them. (Note: this may allow you to cheat in numerous games and on achievements, as you can now bypass client-side only checks). Some applications will try to make sure the connection is not MITM’d by validating that the SSL connection is trusted. The way to do this is to export the root certificate generated by the proxy app and importing it into the iPhone’s trust store. (Mail it to yourself on your iDevice).
xinmpg - February 15, 2012
This is the problem with Apple deciding what’s best for you.
On the other hand there are plenty people who are too dumb/disinterested to check the permissions in Android.
We need something that combines the two. Perhaps Google can vet the apps that need more intrusive permissions and Apple should report which permissions are used.
Patrickl69 - February 15, 2012 via mobile
My girlfriend bought a Galaxy S Vibrant instead of iPhone 4 due to the cost of the device, she knows nothing about permissions and such, she just wanted a smart phone she could use for Face Book and using Yahoo! Answers… I think their are many users out there like her…
jesseseguin - February 15, 2012
My wife is the same way. She’s not a power use by any means, but she always asks me about an app that seems to be requesting crazy permissions. Users just need to start taking responsibility for checking these things. I’m not saying it’s perfect, but it’s better than blindly installing apps.
Jeremy J. - February 17, 2012
great work dieter!!
rattletop - February 15, 2012
I have simply come to assume that my address book as well as outgoing data is somehow collected or tracked; if not stored… I think for the vast majority of users it shouldn’t really be a problem… most of my friends use their smartphone’s for txt and FaceBook…
jesseseguin - February 15, 2012
I see some parallels with TOU agreements when installing an app or prog. No one reads them, we just agree…
jesseseguin - February 15, 2012
Hipsters deserve all their data stolen anyway, ahahhaha.
AngryRussian - February 15, 2012
LOL it would be funny if iOS had all these warning dialog boxes for security. Especially considering how they trashed Vista for the Allow or Deny warning boxes. #ohirony
jeffburg - February 15, 2012
I think Apple should address (zing!) this and bug me for permission to access such things at the OS level. It should be handled the same way the location service is handled IMO.
Another thing that really bothers me about iOS since the inclusion of in-app purchases is the generic looking Apple ID password prompt for in-app purchases. I think it would be trivial for an app creator to make an iOS dialog box asking for your Apple ID password, and then sends your password somewhere other than Apple. Haven’t we learned anything from phishing websites?
Nickerbocker - February 15, 2012
Path may have fixed it for English users. I use Swedish settings for the phone, the add friends dialog pops a dialog with asian character set instead. It’s not so easy to understand which one means “cancel”.
perzi - February 15, 2012
Don’t worry guys. Apple already announced that they are going to copy Android’s approach as far as access to contacts is concerned (link). The only problem is that instead of copying Android piece by piece after each new scandal they have to admit superiority of Android’s approach and copy it entirely.
lilo777 - February 15, 2012
They announced no such thing. What they ACTUALLY announced was they were going to use their own approach already implemented for location data.
kaicherry - February 15, 2012
Wow I always just assumed Apple had permissions like Android. Well surprised!
thisismynextname - February 15, 2012
Does this mean apps can get access to other data like notes? Does it also mean the entire address book is uploaded when apps check if anyone you know also uses them? Seems quite an oversight to me.
Vergore - February 15, 2012
I do not know how this came out now, this thing has been exciting for many years. Apple iOS and Android do it, both in different ways, but so far every app I have is not taking anything until I tell them too, that how it works,
FrankyApple - February 15, 2012
I see this suggestion all over the web and I have no idea what you or the others are talking about. A solution like this will just serve to annoy the user and the problem will persist.
Why, you might ask. The problem with such a solution is that it, like the one for location, doesn’t tell you explicitly what the app does with the information. Many apps ask about permission to share my location, but they do not state what they’re doing with that information. Had iOS had this pop-up for address book information, this incident with Path would have played out exactly the same way. It’s a matter of ethics on behalf of the developers and I don’t see how Apple could do anything about it.
evilapa - February 16, 2012
I actually wonder why apps aren’t allowed access to files that are created by other apps. An explicit import control would be better than simply giving full access to address book.
JonAtherton - February 20, 2012
The whole address book fiasco is pretty crazy. It’s good that it’ll make changes happen though.
rtezu - February 26, 2012
You must log in with your Verge account to post a comment.
If you do not yet have a Verge account, please sign up for one!