Path got caught red-handed uploading users’ address books to its servers and had to apologize. But the relatively obscure journaling app is not alone. In fact, Path was crucified for a practice that has become an unspoken industry standard.
Facebook, Twitter, Instagram, Foursquare, Foodspotting, Yelp, and Gowalla are among a smattering of iOS applications that have been sending the actual names, email addresses and/or phone numbers from your device’s internal address book to their servers, VentureBeat has learned. Several do so without first asking permission, and Instagram and Foursquare only added permissions prompts after the Path flare-up.
Some of these companies deny storing the personal data, as Path was doing, but the transmission alone makes the private data susceptible to would-be intercepters.
Perhaps most concerning, however, is that these app makers could mask the real names, phone numbers, and email addresses during the transmission process, protecting your privacy in the process, but choose not to.
VentureBeat, employing a traffic-monitoring utility called mitmproxy to observe the data flowing between apps and the internet, discovered that many iOS applications upload personally-identifiable information to their servers.
Path steps on a privacy landmine
Last week, Path iPhone app users were surprised (and quite disgruntled) to learn that the innards of their address books — contacts’ email addresses and phone numbers — had been uploaded to and stored on Path’s servers. After a public outcry, Path immediately amended its practice to request user permission, and deleted its records.
But the larger issue of how iOS application makers access, transmit, and store address book data from iOS devices is one that refuses to be swept under the rug. And rightfully so. This is your address book we’re talking about, arguably the most private of all entities. It’s the digital repository of the personal and professional relationships you’ve amassed in your lifetime, and a simple click of a button could expose those relationships to strangers with malicious intents. Also, as many have pointed out, much of the data in your address book belongs to other people (their cell phone numbers, for instance), and has been entrusted to you with the understanding that you will keep it private.
These same relationships are the building blocks for any successful social application. For years, developers have understood that if they give you an easy way to find your friends already using their applications, then you won’t have such a lonely experience and you might continue to use their apps. So, many of the applications you know, love, and use on a daily basis have a “find friends” feature that scans your address book to find your contacts already using their services.
That act in and of itself is a boon to your overall experience, but many developers are employing a shortcut that puts your private contact data at risk.
In order to find connections, app makers are going into your address book, gathering up either phone numbers or email addresses (or both) and uploading that data in its original state. In the best cases, they use an encrypted HTTPS connection to upload the data to their servers, but that’s not a given. Their servers then use the address book data to determine contact matches. In many cases, the data is discarded immediately thereafter.
Facebook, Twitter, Foursquare, Instagram Foodspotting, Yelp, and Gowalla all upload either your contacts’ phone numbers or email addresses to their servers for matching purposes. Some of these applications perform this action without first requesting permission or informing you how they long they plan to store this data. Foodspotting is the worst of the bunch, as it appears to transmit your data over an unencrypted HTTP connection (in plain text), making it even easier for mischievous parties to intercept.
A Foodspotting spokesperson said the company does not store the data it collects. “With the many concerns we’ve read about in recent press blogs, we’ve added additional security measures that will be out with our next update,” the rep said.
Facebook does upload your address book and stores your contacts, but it is also forthcoming about its process. The company has always employed a permissions flow for the “Find Friends” feature that prompts the application user with this message: “Facebook will store imported contacts on your behalf and may use them to generate friend suggestions for you and others.”
Twitter’s position is a bit more ambiguous. “We do not automatically upload contacts,” a Twitter representative explained to VentureBeat. But the “Find Friends” feature, located in the Discover tab of the iOS application, does not require explicit permission for access to the address book, even though it does upload address book data. On the web, Twitter informs its members that it stores contacts for up to 18 months, and may use contact information to make “Who To Follow” suggestions.
Popular photo-sharing app Instagram uploads contact data as well (first names, last names, email addresses, and phone numbers when available, as depicted in the mitmproxy screenshot above), but the app makers recently introduced a permission screen that now reads, “In order to find your friends, we need to send address book information to Instagram’s servers using a secure connection,” and now requires the user to click “allow” to continue.
Foursquare has just followed suit with an update to its iOS app Tuesday (pictured right). Foursquare’s permissions dialog is uniquely up-front about what it’s actually doing.
“We’ve always been doing things the secure way — we only access the user’s address book when the user taps on the ‘Find via address book.’ That is, we only access the address book with an explicit user action,” Instagram co-founder Kevin Systrom said. “The extra dialogue is simply good practice so users are 100 percent sure they understand what’s going on — it’s a step to ensure transparency that we imposed on ourselves.”
Yelp also claims that it does not store the data and requests user permission when accessing the address book. “When a repeat user launches the Yelp application, we provide a prompt for them to give their explicit permission to Find Friends via their Contact list,” a Yelp rep said. However, when VentureBeat tested this feature, we didn’t get a prompt.
When we pointed this out, the Yelp representative said that the prompt only appears the first time you launch the application. They then added, ”To provide redundant disclosure, our latest app update, which is pending approval by Apple, provides a persistent permission request each time you seek to utilize the Find Friends feature beyond just the first time it is introduced.”
The representative also said, “No emails are sent to anyone in their address book without explicit authorization, we don’t expose this data to marketers, and we do not store your contacts. If the user denies permission, the feature is bypassed and their Contacts are not accessed.”
Are app makers taking unnecessary risks?
Without access to their servers, we can’t determine if some of these applications are storing contacts without disclosing the practice, as Path was doing. That would be the most egregious of offenses because it makes your contacts the property of an unapproved third-party. It’s also a security risk: Should the company’s database ever get hacked, that information would become the hackers’ property as well. Most companies claim not to do this.
“We don’t store address book information and never have,” a Foursquare representative told VentureBeat. “When a person searches for friends on Foursquare, we transmit the address book information over a secure connection and do not store it beyond that point.”
All the applications named, however, are choosing to take a shortcut that could put your data at risk. In an interview with VentureBeat, application maker Martin May, co-founder of food-focused startup Forkly and previously with location-based app Brightkite, explained that developers should avoid sending the private data at all costs. Sending encrypted data, he said, only protects the user’s data until it gets to the company’s server, where it is decrypted. At that point, May explained, we have to trust that each company is only using this sensitive data in honorable ways, but they could theoretically do with it as they please.
More than three years ago, May and fellow co-founder Brady Becker faced the “Find Friends” issue but found a better way to make matches without transmitting actual address book data.
“When we were discussing the implementation, the first iteration inevitably lead to the same strategy that Path is using: upload the user’s address book information to our servers so we can do the matching. But it didn’t feel right,” May wrote in a recent blog post. “It didn’t take very long before we realized that we didn’t actually need the actual phone numbers and email addresses of people to match them; we just needed their hashes.”
The hash system, explained in May’s post, allowed the company to compare hashes, rather than the full text of phone numbers and email addresses. That way, it could make matches without needing to “see” the actual names, numbers, or email address of members’ contacts. “This enabled us to implement the same ‘Find Friends’ functionality that so many apps nowadays use without compromising the privacy of the address book,” May wrote.
“It’s pretty easy to replicate,” May told Venturebeat of the system. “It’s not very complicated.”
iOS developer Matt Gemmell sides with May on the topic of hashing. “Why are you uploading the actual address book data, rather than (say) generating hashes of the user’s email addresses locally, then uploading just those hashes?,” Gemmell asked Path founder Dave Morin in a comment posted to the original blog post that exposed the company’s prior bad acts. “You’d be able to do friend-finding that way, and similarly if you uploaded hashes of all email addresses in the user’s address book, you’d be able to do your notifications of when a friend joins. At no point would your servers ever need to see the actual email addresses or phone numbers from our contacts.”
Gemmell followed up a few days later with his own post detailing the hashing method and explained that applications users should not have to sacrifice privacy for cool social features.
Apple provides no protection
Why aren’t more app makers employing the hash-matching approach or similar techniques? The answer, some say, is that Apple allows the practice of uploading full address books to continue. Apple does not require app makers to request permission before accessing a user’s address book, nor does the company regulate contact data transmission and storage.
User interface designer Dustin Curtis puts the blame squarely on Apple’s shoulders. “I fully believe this issue is a failure of Apple and a breach of trust by Apple, not by app developers,” Curtis wrote last week in a widely circulated blog post entitled “Stealing Your Address Book.”
“There is a huge section of the Settings app dedicated to giving people fine control over which apps have access to location information,” Curtis detailed. “That Apple provides no protections on the Address Book is, at best, perplexing.”
Instapaper creator Marco Arment concurs. “I felt like iOS had given me far too much access to Address Book without forcing a user prompt. It felt a bit dirty,” Arment wrote in a post detailing how Instapaper uses address book data. (Instapaper sends encrypted email addresses to its servers, with permission, but does not store them.) “Apple can, and should, assure users that no app can read their contact data without their knowledge and explicit permission.”
Apple, Arment argued, should change its API to require permission. Apple did not respond to a request for a comment.
For now though, the more pressing questions seem to be: How vulnerable is our private data and how concerned should we be?
May believes that most of the applications that access your address book have good intentions. Still, there have been instances of bad egg applications, solely designed to steal your contacts, making it into the App Store, only to be removed after someone cries foul.
Considering that the practice of uploading address book data is so widespread, the answers to those questions are unknown, and the uncertainty is enough to make even the most trusting of people paranoid.
Photo credit: miguel77
VentureBeat is holding its second annual Mobile Summit this April 2-3 in Sausalito, Calif. The invitation-only event will debate the five key business and technology challenges facing the mobile industry today, and participants — 180 mobile executives, investors, and policymakers — will develop concrete, actionable solutions that will shape the future of the mobile industry. You can find out more at our Mobile Summit site.