Are iPhone Apps Stealing Your Address Book Info?
Some iPhone and iPad apps are transmitting your address book information to their servers without your knowledge, according to tests conducted by VentureBeat.
Last week, Path made headlines when it was caught transmitting users’ address book data to its servers. In that controversy’s wake, VentureBeat used a utility, mitmproxy, to monitor data sent by apps over the Internet. In its tests, the blog discovered that “many iOS applications upload personally-identifiable information to their servers.”
Facebook, Twitter, Foursquare, Instagram, Foodspotting, Yelp, and Gowalla “all upload either your contacts’ phone numbers or email addresses to their servers for matching purposes,” according to Jennifer Van Grove, writing for VentureBeat. “Some of these applications perform this action without first requesting permission or informing you how long they plan to store this data.”
Foodspotting is “the worst of the bunch,” Van Grove writes, because the app “appears to transmit your data over an unencrypted HTTP connection (in plain text), making it even easier for mischievous parties to intercept.”
A Foodspotting press rep told VentureBeat that the company doesn’t store the data it collects and has taken “additional security measures that will be out with our next update.”
Several developers and entrepreneurs have pointed out that Apple is responsible for approving all apps in its iTunes store. According to Apple’s App Store guidelines, apps that “read or write data outside its designated container area will be rejected,” The New York Times reported. Apple’s guidelines also state: “Apps cannot transmit data about a user without obtaining the user’s prior permission.”
When questioned, an Apple spokesperson told the Times: “Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”