Another app, another Address Book uploaded
After Path got caught secretly uploading the iPhone user’s entire address book without user consent, I’m sure we all began to question if many of the other apps that we use do something similar. Privacy is a huge concern, specifically with something like the user’s Address Book. I can’t think of any reason why an app should upload specific names, emails, or phone numbers. Matt Gemmell clearly explains a process of hashing these values and then uploading those hashed values (just one type of solution), as there is no need to upload actual email addresses or phone numbers.
So I began to think about what other apps I’ve used that might do something very similar. Meet Voxer, a walkie-talkie app. What I found interesting was how Voxer would mysteriously send me a push notification when someone in my Address Book started using Voxer. It was like it was mysteriously checking my Address Book against their database in the background! We all know now.
When I first downloaded the app and signed up, I vaguely remember what it prompted me to do. It is all much clearer now. It begins by asking the user if you want to find your friends. What isn’t clear is that it will actually grab your entire address book, and send that off to their servers.

If you select “No”, it prompts you again to try to upload your entire Address Book. They really want you to hit “OK”.

So, I tapped “OK”, and what I saw is very similar to what happened with Path. Right there, my ENTIRE Address Book, being uploaded in front of my face. Below is an HTTP sniff of the Address Book dictionary being uploaded over the web.

Another interesting thing is the “Privacy Mode” button. Funny, I can’t actually find what this does, specifically after you may have uploaded your entire Address Book. There is no traffic whatsoever when that switch is flipped.


Regardless, I think Apple has a huge security hole to fill. Not only should there be a system alert when the Address Book is being accessed, Apple must start policing what apps are sending with regard to any Address Book data. I question why any app needs actual values stored in my Address Book.
But hey, at least Voxer prompts you, not once but twice if you first select “No” to upload your Address Book. But how many people really knew that they were uploading all of their personal data? I suspect not many.
Again, I see no reason to be storing actual email addresses and phone numbers. Implementing an alternative is not that difficult.
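One way to implement the hashed-upload alternative mentioned above, as an added example that is not code from this post, from Voxer, or from the article it cites: the client normalizes each email address and phone number, uploads only SHA-256 digests, and the server matches them against digests computed at signup. The function names, the `email:`/`phone:` prefixes, the simplified phone normalization and the sample data are all assumptions made for illustration.

```python
import hashlib
import re

def normalize_email(email):
    return email.strip().lower()

def normalize_phone(phone, country_code="1"):
    # Simplified assumption: a 10-digit number without "+" is a national number.
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 10 and not phone.strip().startswith("+"):
        digits = country_code + digits
    return "+" + digits

def digest(kind, value):
    # The kind prefix keeps an email and a phone number from ever colliding.
    return hashlib.sha256(f"{kind}:{value}".encode("utf-8")).hexdigest()

def hashed_upload(contacts):
    """Client side: build the only data that leaves the device."""
    out = set()
    for contact in contacts:  # contact["name"] is never read or sent
        for email in contact.get("emails", []):
            out.add(digest("email", normalize_email(email)))
        for phone in contact.get("phones", []):
            out.add(digest("phone", normalize_phone(phone)))
    return sorted(out)

def server_match(uploaded, registered):
    """Server side: registered maps digest -> user id, built at signup."""
    return sorted({registered[d] for d in uploaded if d in registered})

# Constructed sample data (not taken from any real address book or service).
ADDRESS_BOOK = [
    {"name": "Alice Example", "emails": [" Alice@Example.com"],
     "phones": ["(555) 010-0199"]},
    {"name": "Bob Example", "emails": ["bob@example.org"],
     "phones": ["+1 555 010 0142"]},
]
REGISTERED = {
    digest("email", "alice@example.com"): "user-17",
    digest("phone", "+15550100142"): "user-42",
    digest("email", "carol@example.net"): "user-99",
}

if __name__ == "__main__":
    payload = hashed_upload(ADDRESS_BOOK)
    print(len(payload), "digests uploaded, no names or raw values")
    print("friends found:", server_match(payload, REGISTERED))
```

Phone numbers come from a small space, so plain digests of them can be recovered by enumeration; hashing removes names and raw values from the upload, but the digests should still be treated as sensitive on the wire and on the server.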
bryanrahn posted this