Recently, a developer working on a port of the social networking app Path discovered something that troubled him…
Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path.
This set off a miniature Internet firestorm (via Daring Fireball), which resulted in Path wiping their database of address records and updating their app so that it now requests permission to use your address book.
The natural follow-up question is: Why does Apple allow any app to grab this information without your knowledge in the first place?
Usually, when I am curious about something Apple has done, I try to understand the design thinking that went into the decision. In this case, I can’t think of a rational reason for why Apple has not placed any protections on Address Book in iOS. It makes no sense.
I’ve thought about it for a bit, and I think the address book is open because Apple did not see it as a security problem for their users.
Theoretical Apple position: A user’s address book is basically a subset of the phone book. It’s mostly publicly accessible information. The user’s app experience will be better when developers can automatically link them up with other users in their contact list. All apps are vetted through our process, so we can be sure the apps aren’t sending spam out to the user’s contacts.
Now, the main problem here is that the apps were not only allowed to access the address book, but package that information and send it to a server controlled by the app developers, who are under no obligation to protect that data.
But even if Apple were to restrict apps from sending the data, open access to the address book is still problematic. The idea that knowing who your contacts are isn’t dangerous is flawed. Especially with iPhones increasingly being deployed on an enterprise-level. The email addresses of a company tend to match up with the user names used to access systems. It’s easier to set up, and easier for the users to only have one login name across the board. So, if someone wants to gain high-level access to your systems, getting a peek at the contact list of any company-issued iPhone would be a goldmine of information. If the contacts have job titles attached to them as well, an attacker could learn who the system administrators are.
I believe Apple didn’t think about enterprise data, because they designed the iPhone as a consumer product. For most consumers, the contacts data isn’t that important to keep secure and they appreciate the apps that can tell them which of their friends are also using the app. Apple should respond to this issue, and change iOS so that address book access must be explicitly granted by the user, much like location services.
It should also be disallowed for export.
We’ll just have to wait and see what actions (if any) are taken.