Apple has finally weighed in on the widespread practice of apps uploading all the data from your address book to their servers: Apple doesn’t like it. At least, not without you granting explicit permission to the app first.
Companies such as Facebook, Twitter, Instagram, Foursquare, Foodspotting, Yelp, Path, and Gowalla have been uploading your contact data, often without making it clear that’s what they’re doing. According to Apple, if those apps aren’t explicit about what they’re doing, they’re in violation of Apple’s App Store rules.
“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple said in a statement provided to VentureBeat. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”
The guidelines do not, however, say anything about encrypting the data in transit or hashing it before upload, nor about whether a company may keep the data on its servers once it has been uploaded. As long as an app discloses how the information will be used, it is in the clear.
Apple’s guideline 17.1 states that “Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.”
When asked if Apple planned to increase the security measures to protect users’ data during uploads, Apple had no comment.
The story started when Path, a photo-centric social app, was caught sending users’ address book data to its servers without offering an opt-in when the app was first launched. Path explained that the address book was used only to help people find friends on Path, and issued an apology after the story spread.
Since Apple’s guidelines were already in place, any application uploading data like this was already in violation of Apple’s policies. It seems, however, that Apple has not been enforcing the rule during its app review process. The unspecified “future software release” will presumably put bigger stakes in the ground, making the rule harder to bypass.
Some of the apps in question have said that they do not store the actual data, but uploading it at all still exposes it in transit, where it could be intercepted. Members of Congress have also gotten involved and are demanding that Apple answer questions about its guidelines.
“This incident raises questions about whether Apple’s iOS app developer policies and practices may fall short when it comes to protecting the information of iPhone users and their contacts,” Representatives G.K. Butterfield and Henry Waxman wrote Wednesday in a letter addressed to Apple CEO Tim Cook.
According to a Congressional spokesperson, Apple has not yet responded to the letter.