Your Address Book Is Mine

Jennifer Van Grove, writing for Venture Beat:

For now though, the more pressing questions seem to be: How vulnerable is our private data and how concerned should we be?

Last week, the Path app was found to transmit and store users’ address book information without asking for permission. Path later relented, removing such data from its servers and updating its app to ask for permission.

As Van Grove discovers, Path isn’t alone. Network-monitoring software discovered that Twitter, Facebook, Instagram, Yelp, Foursquare, Gowalla, Foodspotting, and other iOS apps were, to some degree, doing the same thing.

Why do these apps use your address book information? Simple. The data is employed to connect users with their contacts and to offer matching suggestions. It is apparent to everyone that these connections aren’t magical and that some form of data is needed. Until recently, though, what hasn’t been apparent is when and how the data is transmitted.

Beyond the basic courtesy of asking a user for permission to access their private data, many apps have been lackadaisical in their transmission and storage procedures. Foodspotting, as an example, sends data as plain text over unencrypted HTTP. For other apps, data is sent over simple HTTPS.

When data is stored, companies are saving contact information in human-readable form. That is to say, companies are actually saving “” in their databases. Such practices are perplexing and present unnecessary risks. For instance, if a server gets hacked and data is human-readable, criminals have what they need with zero additional work needed.

A simple fix would be to send and store data as one-way cryptographic hashes. I won’t go into the details of hashing here - I’ll instead refer you to Matt Gemmell. While not completely impervious to attacks, hashing allows companies to anonymize your data while still using it for matching purposes.
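A sketch of the hash-and-match idea above, added here as an illustration (it is not code from Path, Matt Gemmell, or any app named in this post). The function names, the server-side pepper, and the 10-digit phone normalization are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Constructed server-side secret (assumption); the real one lives outside the database.
SERVER_PEPPER = b"constructed-example-pepper"


def normalize(identifier):
    """Canonicalize an e-mail address or phone number so equal contacts hash equally."""
    value = identifier.strip()
    if "@" in value:
        return value.lower()
    digits = re.sub(r"\D", "", value)  # drop spaces, dashes, parentheses, '+'
    return digits[-10:] if len(digits) > 10 else digits  # assumes 10-digit national numbers


def client_digest(identifier):
    """What the app sends instead of the raw contact: SHA-256 of the normalized value."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


def stored_token(digest):
    """What the server keeps: HMAC of the client digest under the secret pepper,
    so a database dump without the pepper cannot be tested against guessed contacts."""
    return hmac.new(SERVER_PEPPER, digest.encode("ascii"), hashlib.sha256).hexdigest()


def register(directory, user, own_identifiers):
    """Index a user under the tokens of their own e-mail addresses and phone numbers."""
    for ident in own_identifiers:
        directory[stored_token(client_digest(ident))] = user


def match_contacts(directory, uploaded_digests):
    """Return the users whose identifiers match the uploaded address book digests."""
    tokens = (stored_token(d) for d in uploaded_digests)
    return {directory[t] for t in tokens if t in directory}


# Constructed sample data: two registered users and one uploaded address book.
directory = {}
register(directory, "alice", ["Alice@Example.com", "+1 (555) 010-0199"])
register(directory, "bob", ["bob@example.org"])
address_book = ["alice@example.com ", "555-010-0199", "carol@example.net"]
uploaded = [client_digest(contact) for contact in address_book]
matches = match_contacts(directory, uploaded)
print(sorted(matches))
```

Phone numbers come from a small space, so the plain SHA-256 digest sent by the client can still be recovered by hashing every possible number, which is one reason hashing is not completely impervious. The digests therefore still need encrypted transport, and the pepper must be stored apart from the database.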

Van Grove concludes:

the answers to those questions are unknown, and the uncertainty is enough to make even the most trusting of people paranoid.

This goes to the heart of what I mentioned previously:

A big reason that Apple has been so successful in marketing mobile apps is that people aren’t afraid to use the software.

As I stated then, Apple (and developers) need to address this - and quickly.