Update – Path apologises for storing address books on its servers
Path apologises for iPhone address book uploading
Dave Morin, co-founder and CEO of Path, has apologised for the company’s uploading of iPhone address book data to its servers, saying “We are sorry. We made a mistake”. The uploading of the address book by Path’s iPhone app was discovered by a user who had been examining the traffic sent by iPhone applications. Morin also said that the company was deleting all address book data that it had previously received through the application.
Path had been using the data as part of an “Add Friends” feature, but did not tell users of its iPhone application that their entire address book was being uploaded to Path’s servers over an HTTPS connection. Path has now released version 2.0.6 of the iPhone app, which allows a user to opt in to or opt out of sharing address book information. This option has existed for several weeks in the Android version of Path’s application.
But concerns about the security of address book information held on the iPhone are being raised more widely. Already, another application, Hipster, has been found to be sending email addresses from the address book to its servers unencrypted, over plain HTTP. The Hipster CEO has also apologised and called for app developers to hold a summit to discuss the issue of address book privacy.
At issue is the lack of protection within iOS of address book data. Although a user’s own contact information is well protected, the rest of the address book is easily accessible and needs no authorisation or permissions. Critics are suggesting that it is Apple’s responsibility to have an appropriate mechanism in place to restrict address book access as it already restricts access to other information on the iPhone. It is reported that one app developer has created an application which can, on jailbroken iPhones, prompt the user when the address book is being accessed. Apple has yet to comment on the matter.
Original Post – Path iOS app stores address books on its servers
Mobile social networking app Path is under fire for uploading user address books to its servers without explicit consent.
Developer Arun Thampi first discovered the issue while observing various API calls made to Path’s servers from its iPhone app. “Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path,” Thampi writes on his blog. “Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new ‘Path’ and repeated the experiment and I got the same result–my address book was in Path’s hands… I’m not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service.”
Path co-founder and CEO Dave Morin soon responded to Thampi’s blog post, writing “We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.” Morin goes on to state that Path rolled out friend finding and matching as an opt-in feature of its new client for Google’s (NASDAQ:GOOG) Android, released a few weeks back, and will also include the opt-in as part of Path for iOS 2.0.6, presently awaiting Apple’s (NASDAQ:AAPL) approval.
Developer Matt Gemmell followed Morin’s post to ask why Path is uploading actual address books instead of generating hashes of user email addresses and uploading the hashed data. Gemmell also asks why Path did not include the opt-in feature from the outset.
Morin responded by saying Path will look into data hashing options. As for why the startup did not include the opt-in feature from the get-go, he writes “This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information.” But iOS developer David Smith suggests Path could be in violation of App Store guideline 17.1, which states “Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used,” as well as 17.2, which reads “Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected.”
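To make Gemmell’s suggestion concrete, the following is an added example (written for this page, not Path’s code or anything Path or Gemmell published): the client uploads hashes of normalised email addresses and phone numbers instead of the raw plist, and the server matches those hashes against its own user table. All names, the user table, the address book and the server key are constructed for the illustration. It also shows the caveat a practitioner would raise against “just hash it”: an unkeyed hash of a low-entropy identifier is only pseudonymous, because anyone holding the hashes can recover the addresses by hashing guesses.

```python
import hashlib
import hmac
import re


def normalise_email(addr):
    """Canonicalise an address so the same mailbox hashes identically on every
    device: trim whitespace and lower-case it."""
    return addr.strip().lower()


def normalise_phone(number):
    """Keep digits only. Assumes numbers already carry a country code; a
    number stored without one will not match the same number stored with one."""
    return re.sub(r"\D", "", number)


def contact_token(identifier):
    """SHA-256 of the canonical identifier, hex-encoded. This is what a client
    would upload instead of the raw name/email/phone entries."""
    canonical = normalise_email(identifier) if "@" in identifier else normalise_phone(identifier)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Constructed server-side user table for the example: identifier -> user id.
SERVER_USERS = {
    "alice@example.com": "u1001",
    "bob@example.org": "u1002",
    "+15555550123": "u1003",
}

# Constructed client address book for the example.
ADDRESS_BOOK = [
    "Alice@Example.com",    # same mailbox as alice@example.com, different case
    "(555) 555-0123",       # no country code, so it will not match +15555550123
    "+1 (555) 555-0123",    # same number as the registered user u1003
    "carol@example.net",    # not a registered user
]


def build_server_index(users, key):
    """Server side: store HMAC(key, token) rather than the bare token, so a
    leaked database cannot be reversed by enumeration without the key."""
    return {hmac.new(key, contact_token(ident).encode(), "sha256").hexdigest(): uid
            for ident, uid in users.items()}


def client_upload(address_book):
    """Client side: tokens only, de-duplicated and sorted so the upload order
    reveals nothing about the order of the address book."""
    return sorted({contact_token(ident) for ident in address_book})


def match_contacts(server_index, uploaded_tokens, key):
    """Server side: key each uploaded token and intersect with registered users."""
    found = []
    for token in uploaded_tokens:
        keyed = hmac.new(key, token.encode(), "sha256").hexdigest()
        if keyed in server_index:
            found.append(server_index[keyed])
    return sorted(found)


def dictionary_reverse(tokens, candidates):
    """The caveat: whoever holds unkeyed tokens (the server, or an eavesdropper
    if they travel over plain HTTP) recovers identifiers by hashing guesses.
    Phone numbers are a small enough space to enumerate outright."""
    lookup = {contact_token(c): c for c in candidates}
    return {t: lookup[t] for t in tokens if t in lookup}


def demo():
    """Run the whole flow on the constructed data; returns matched user ids."""
    key = b"constructed-server-key"  # a real key is random and never leaves the server
    index = build_server_index(SERVER_USERS, key)
    upload = client_upload(ADDRESS_BOOK)
    return match_contacts(index, upload, key)


if __name__ == "__main__":
    print("matched users:", demo())
    guesses = ["alice@example.com", "carol@example.net", "dave@example.com"]
    print("reversed from unkeyed upload:", dictionary_reverse(client_upload(ADDRESS_BOOK), guesses))
```

Two points worth noting from running it. The keyed index only protects the stored table: the server still sees the bare tokens in the upload and can run the same dictionary reversal against them, so hashing reduces what a breach or a third party learns, not what the service itself learns; that requires a protocol in which the server cannot evaluate the hash on guesses (a private set intersection), which is well beyond what a hash swap gives you. And normalisation decides whether matching works at all, as the phone number without a country code shows.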
Launched as an alternative to Facebook (where Morin helped develop Facebook Platform and Facebook Connect), Path limits social networks to 150 contacts, a move intended to guarantee that users interact solely with the people closest to them. “Path should be private by default. Forever,” Path’s website states. “You should always be in control of your information and experience.”
Last month, Rep. Edward Markey (D-Mass.) released a discussion draft of the proposed Mobile Device Privacy Act. The act would require disclosure of mobile phone monitoring software when a consumer buys a new device; if the carrier, manufacturer or operating system later installs monitoring tools; and if a consumer downloads an app containing monitoring software. The act also calls for disclosure on the type of subscriber data that is collected, the identity of the third party to which the information is transmitted and how the info will be used.
- Path Uploads Your iPhone’s Address Book To Their Servers Without A Peep (techcrunch.com)
- Path 2 uploads your address book, but says it’s to ‘match friends’ and will be opt-in soon (thenextweb.com)
- Path Uploads And Stores Your iPhone’s Entire Address Book On Its Servers (cultofmac.com)
- ‘Path Uploads Your Entire iPhone Address Book to Its Servers’ (mclov.in)
This entry was posted on February 9, 2012 by NetSecurityIT.