On Tuesday, social networking app Path took a fireball of heat after a developer discovered that the latest version of its app automatically uploads users’ entire address book every time they log into the network. Path co-founder and CEO Dave Morin quickly swooped in to do damage control, saying an update to the Android version of the app already requires users to opt in, and the same change is coming soon for the iOS version.
Today, Hipster, a social photo app, got thrown into the grinder after another developer discovered that it, too, uploads portions of users’ address books in order to connect users with their friends. While Hipster doesn’t do this every time a user fires up the app, as Path does, it sends this information in a text file in an unsecured HTTP GET request. (Path uses the more secure HTTPS.)
So, why isn’t this post about Hipster also nabbing users’ contact lists without permission? Because it’s Apple — not Path or Hipster — that is allowing this to happen. The question is, was this simply a slip-up, or is the uploading of users’ contacts a practice allowed by Apple?
As any iOS app developer knows, Apple’s API for iOS lets any app access users’ address books and photos. This includes adding addresses to contact lists, and photos to the library, or importing this data into the app.
From the “Data Management” section of Apple’s iOS Technology Overview: “Data and media from iPhone are available to your application via safe, easy-to-use APIs. Your application can create new Address Book contacts and get existing contact info. Similarly, your app can load, display, and edit photos from the Photo Library, as well as use the built-in camera to take new photos.”
In many cases, the photo library portion of this is no big deal. The popular Camera+, for example, accesses the photo library to save new photos, or edit previously-taken ones. As does Instagram, and any other app that lets users take and save photos through the app.
Now, Apple states explicitly in section 17.1 of its iOS app guidelines that, “Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used.”
It would appear, at first glance, that Path and Hipster both violated Apple’s guidelines. But a closer look shows that there may be a crack in Apple’s walled garden.
Basically, it all comes down to what Apple considers “data about a user.” Obviously, location data falls firmly into this category. But what about contacts? Do they qualify as “data about a user”? We don’t know. But we have contacted Apple to clarify this matter, and will update this piece as soon as they respond.
All that said, blame still sits on the shoulders of the app developers who access users’ information without their consent — they are, after all, the ones who chose to add this feature without explicit user permission. But Apple is still at least partially responsible, either through negligence to properly vet these apps (and possibly many others), or by simply allowing this practice in the first place. Which one it is will determine how much burden Apple carries in this matter.
This seems an extremely biased view and a shoot-down-Apple exercise. There are many loopholes in every law enforcement agency in all major countries in the world, including the US and the UK. When these loopholes are exploited, such as the crash of the banking system by investors many years ago, the banking sector took responsibility for their actions as they knew they were morally wrong to exploit those loopholes.
It seems when Apple locks down its security and restricts a developer’s or user’s actions then everyone says Apple is the devil. Yet when one minor case of an oversight happens, allowing developers a little more freedom, then Apple is still the devil.
The security of the Android Market is nowhere near comparable to the App Store, and if Apple decided to individually check every app submitted, slowing the growth of the App Store and making life harder for developers, of whom there are now over half a million in the US alone, then it makes Apple a big brother company, stops freedom for developers and guess what … Apple becomes the devil.
Appreciate their products and understand nobody is perfect, because if they were, Android and others wouldn’t exist today ….