Last year, Facebook’s mobile apps received flak for uploading numbers of cell phone contacts without intimating the user. Unfortunately, it now appears that this practise is a lot more prevalent than most of us could have anticipated.
Earlier today, Arun Thampi discovered that the new social network Path is also doing pretty much the same thing. He made this startling discovery by snooping on the API requests made by Path’s iOS app with the help of a man-in-the-middle proxy tool. Thampi found that as soon as you create a new account or log into Path’s iOS app, your entire contact list is uploaded to its servers. Everything including your contacts’ name, email address, and phone number is silently uploaded over HTTPS, and there is nothing you can do about it.
Soon after, Mark Chang uncovered that location sharing social network Hipster also grabs your contact list. However, Hipster is even more callous with your personal data. It transmits email addresses from your phone’s address book to its servers without even bothering to encrypt them.
Path uploading user’s address book
After the news broke, Path’s CEO Dave Morin apologized to users and offered the following statement.
We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
As Morin explains, social networking apps like Path have a valid reason for requiring access to your address book. However, there is simply no excuse for failing to intimate the user about the same. Heck, Path and Hipster doesn’t even mention this in their FAQ, which most services use for covering their back while performing shady activities. The good thing is that Path has already rectified its mistake. In the latest version of its Android app, contact upload is opt-in, and the iPhone users will also get the same treatment as soon as Apple approves the latest update. Meanwhile, if you don’t want Path to have a copy of your phone book, you can request the deletion of data from its servers by sending a mail to email@example.com.
Update: Path 2.0.6 for iOS is now available in the App Store.
As I mentioned upfront, this practice is way more widespread than any of us could have imagined. Hacker News readers have already identified the same behavior in Beluga and Kik Messenger. Earlier today, Aurora Feint got delisted from the App Store for transmitting address book as plain text. However, with Feint, at least this is strictly opt-in.
Address book is something most users treat as extremely sensitive information, and it’s high time that the industry realizes that. Android does notify the user during installation, if the app accesses the address book. However, most users simply don’t have the habit of paying attention to the “Permissions” screen while installing apps. Moreover, there is no reason to conclude that if an app is reading contact data, it is uploading the same to its servers without permission. On the other hand, Apple, which often positions its App Store as more secure, gives apps full access to the address book without even requiring any additional permission.
One thing that Morin is right about is that this is an extremely important conversation. Hopefully, people will not just move on after expressing their knee-jerk reaction. An iOS app called MobileSubstrate that will alert users every time an app tries to access the phonebook is already under development for jailbroken devices. Ideally though, Apple and Google should take responsibility, and do a better job at protecting the user’s privacy. Perhaps, they should even consider changing their APIs to force apps into explicitly seeking permission before accessing the address book.