Awareness of the issue began early today when the mclov.in blog disclosed the fact that the Path.com iOS app from the Apple App Store was sending your entire contact list to the company without permission and unencrypted to its servers.
Path is a social media application similar to Instagram that describes itself as "The smart journal that helps you share life with the ones you love."
Arun Thamp, the blogger at mclov.in, documented his exploration into the Path application while studying it to potentially write his own version for OS X.
On account creation the Path application packages up your entire contact list and ships it off to Path over HTTP. If you use your iDevice on unencrypted WiFi, anyone within range of your signal could see all of your private contacts' details.
Dave Morin, CEO of Path, commented on Arun's blog saying:
Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently [sic] as well as to notify them when friends and family join Path. Nothing more.Wow. So we decided it might be handy to have all of your contact info, to, you know, help you connect.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
Co-Founder and CEO of Path
We then realized we might be in a privacy pickle because we never asked for permission, so we modified the app *after the fact* to ask you if it is ok, assuming Apple approves it.
Where was Apple when the original app was released? The lengthy approval process should be looking out for its customers, not just whether it allows you to tether.
Only a few hours after Arun's post, blogger Mark Chang wrote a post showing how Hipster, another app on the Apple App Store, is essentially doing the same thing.
Hipster is another social media application that allows you to "Easily share where you are and what you're doing with postcards of your photos."
The Hipster app does provide you with an option when adding friends to deselect the "Contacts" button, but who would imagine selecting contacts meant sending your contacts to Hipster?
If I saw that button I'd assume it would allow me to pick from my address book locally.
Even worse, Hipster not only sends all of your friends' email addresses to their servers unencrypted, but they even send your password in cleartext.
Of course Facebook's iPhone app has been uploading your contact list for years, albeit with your permission.
So many Naked Security readers click through the Facebook app's prompt, assuming it to be a EULA, that we frequently get emails from people freaking out about how Facebook got their cell phone number, and the emails and numbers of their friends.
We aren't suggesting these companies are going to use this information against your interests, but should they be collecting this information without your knowledge?
Additionally, insecurely transporting personal information from your phone book, permission or not, is an unacceptable practice.
The iOS permission system doesn't provide notification of what information an app may be sending to its keepers, aside from location information.