Yesterday, developer Arun Thampi noticed that the Path iPhone app uploads a user’s address book to their server without asking the user first. And by address book, I mean all the phone numbers and addresses and email addresses of everyone in your phone’s address book just get sent off to Path. And not only that, Path stored that information on its server. To their credit, Path apologized and deleted the data from their server.
But this is a larger problem than just Path. In a post from earlier today, Dustin Curtis reveals the dirty little secret of iPhone developers everywhere.
It’s not really a secret, per se, but there’s a quiet understanding among many iOS app developers that it is acceptable to send a user’s entire address book, without their permission, to remote servers and then store it for future reference. It’s common practice, and many companies likely have your address book stored in their database. Obviously, there are lots of awesome things apps can do with this data to vastly improve user experience. But it is also a breach of trust and an invasion of privacy.
I did a quick survey of 15 developers of popular iOS apps, and 13 of them told me they have a contacts database with millions of records. One company’s database has Mark Zuckerberg’s cell phone number, Larry Ellison’s home phone number and Bill Gates’ cell phone number. This data is not meant to be public, and people have an expectation of privacy with respect to their contacts.
Any app, from Angry Birds to Fart App 3000, can just grab the information in your address book without asking? Not okay!
Some popular apps that use this hidden function: Angry Birds, Facebook, and TextPlus 4 all transmit address book data to a server.