Social mobile apps found storing users’ contacts without permission

A week ago, app developer Arun Thampi made public his discovery that Path – a popular iOS app that allows users to keep a journal of their everyday life and share it with others through a number of social networks – copies the entire contents of the users’ address books and sends them to the company servers without asking the users for permission or, indeed, notifying them of it in any way.

The discovery has caused quite a stir, since the practice is prohibited by Apple and goes against its app developer guidelines, but the app is still available for sale on its iTunes Store. What’s more, it was further discovered that the Twitter app does the exact same thing, and the information is stored on Twitter’s servers for 18 months before being deleted.

The microblogging service has confirmed the veracity of this claim, saying that the data is collected and stored only if the user takes advantage of the “Find Friends” feature because it scans the address book to search for individuals who also have a Twitter account.

“We want to be clear and transparent in our communications with users,” stated Twitter spokeswoman Carolyn Penner. “Along those lines, in our next app updates, which are coming soon, we are updating the language associated with Find Friends – to be more explicit. In place of ‘Scan your contacts,’ we will use ‘Upload your contacts’ and ‘Import your contacts’ (in Twitter for iPhone and Twitter for Android, respectively).”

The whole issue arose not because the apps had access to the information (which the apps made clear), but because they exfiltrated it without permission.

Both Path and Twitter have apologized and promised to make it perfectly clear to users what the Find Friends feature and its equivalents entail, and let’s hope other companies will do the same.

According to VentureBeat, Facebook, Foursquare, Foodspotting, Gowalla, Instagram and Yelp iOS apps are doing the exact same thing. In fact, the practice seems to have become an unspoken industry best practice.

Path has already updated its app to incorporate the promised change, but the larger question here is why Apple hasn’t asked the companies behind the apps to make the change, as the feature clearly violates its developer guidelines that say “apps cannot transmit data about a user without obtaining the user’s prior permission.”

The same question was raised by two US Congressmen who asked Apple CEO Tim Cook to answer it by February 29th. In the meantime, Apple has announced that future iOS versions will require user permission for apps to access their contact data.



