Path and Hipster iPhone apps leak sensitive data without notification


Phonebook image courtesy of ShutterstockFacebook is the most forward of the social networks, publicly proclaiming its ideal of “frictionless sharing”. Turns out sharing on your iPhone can be so frictionless you don’t even know it’s happening.

Awareness of the issue began early today when the blog disclosed the fact that the iOS app from the Apple App Store was sending your entire contact list to the company without permission to its servers.

Path is a social media application similar to Instagram that describes itself as “The smart journal that helps you share life with the ones you love.”

Arun Thamp, the blogger at, documented his exploration into the Path application while studying it to potentially write his own version for OS X.

Dave Morin, CEO of Path, commented on Arun’s blog saying:

Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently [sic] as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

Dave Morin

Co-Founder and CEO of Path

Wow. So we decided it might be handy to have all of your contact info, to, you know, help you connect.

We then realized we might be in a privacy pickle because we never asked for permission, so we modified the app *after the fact* to ask you if it is ok, assuming Apple approves it.

Where was Apple when the original app was released? The lengthy approval process should be looking out for its customers, not just whether it allows you to tether. logoOnly a few hours after Arun’s post, blogger Mark Chang wrote a post showing how Hipster, another app on the Apple App Store, is essentially doing the same thing.

Hipster is another social media application that allows you to “Easily share where you are and what you’re doing with postcards of your photos.”

The Hipster app does provide you with an option when adding friends to deselect the “Contacts” button, but who would imagine selecting contacts meant sending your contacts to Hipster?

If I saw that button I’d assume it would allow me to pick from my address book locally.

Even worse, Hipster not only sends all of your friends’ email addresses to their servers unencrypted, but they even send your password in cleartext.

Facebook iPhone appOf course Facebook’s iPhone app has been uploading your contact list for years, albeit with your permission.

So many Naked Security readers click through the Facebook app’s prompt, assuming it to be a EULA, that we frequently get emails from people freaking out about how Facebook got their cell phone number, and the emails and numbers of their friends.

We aren’t suggesting these companies are going to use this information against your interests, but should they be collecting this information without your knowledge?

Additionally, insecurely transporting personal information from your phone book, permission or not, is an unacceptable practice.

The iOS permission system doesn’t provide notification of what information an app may be sending to its keepers, aside from location information.

Clearly Apple doesn’t consider this to be an issue, do you?

Phone book image courtesy of Shutterstock.