Facebook is the most forward of the social networks, publicly proclaiming its ideal of “frictionless sharing”. Turns out sharing on your iPhone can be so frictionless you don’t even know it’s happening.
Awareness of the issue began early today when the mclov.in blog disclosed that the Path.com iOS app from the Apple App Store was sending your entire contact list to the company's servers without permission.
Path is a social media application similar to Instagram that describes itself as “The smart journal that helps you share life with the ones you love.”
Arun Thampi, the blogger at mclov.in, documented his exploration of the Path application while studying it to potentially write his own version for OS X.
Dave Morin, CEO of Path, commented on Arun’s blog saying:
Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently [sic] as well as to notify them when friends and family join Path. Nothing more.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
Co-Founder and CEO of Path
Wow. So we decided it might be handy to have all of your contact info, to, you know, help you connect.
We then realized we might be in a privacy pickle because we never asked for permission, so we modified the app *after the fact* to ask you if it is ok, assuming Apple approves it.
Where was Apple when the original app was released? The lengthy approval process should be looking out for its customers, not just whether it allows you to tether.
Only a few hours after Arun’s post, blogger Mark Chang wrote a post showing how Hipster, another app on the Apple App Store, is essentially doing the same thing.
Hipster is another social media application that allows you to “Easily share where you are and what you’re doing with postcards of your photos.”
The Hipster app does provide you with an option when adding friends to deselect the “Contacts” button, but who would imagine selecting contacts meant sending your contacts to Hipster?
If I saw that button I’d assume it would allow me to pick from my address book locally.
Even worse, Hipster not only sends all of your friends’ email addresses to their servers unencrypted, but they even send your password in cleartext.
Of course Facebook’s iPhone app has been uploading your contact list for years, albeit with your permission.
So many Naked Security readers click through the Facebook app’s prompt, assuming it to be a EULA, that we frequently get emails from people freaking out about how Facebook got their cell phone number, and the emails and numbers of their friends.
We aren’t suggesting these companies are going to use this information against your interests, but should they be collecting this information without your knowledge?
Additionally, insecurely transporting personal information from your phone book, permission or not, is an unacceptable practice.
The iOS permission system doesn’t provide notification of what information an app may be sending to its keepers, aside from location information.
Clearly Apple doesn’t consider this to be an issue. Do you?
Phone book image courtesy of Shutterstock.
21 comments on “Path and Hipster iPhone apps leak sensitive data without notification”
Privacy rests with company concerned. Why should Apple babysit a company on privacy matters?
Breaches should earn an investigation by privacy advocacy groups in Government.
Apple maintains a curated app store, and claim it is for their customers' protection. Therefore, they should be protecting their customers.
Your second paragraph answers your question. Why on earth should 200 countries be policing x thousand apps for downright stupidity when Apple are perfectly placed (infrastructure, staff and maybe even app developer Ts&Cs) to do it themselves?
Apple should babysit the app developers because they have made it their policy to do so.
If they were running a free for all app store like Google do for Android devices then it would be different. Android developers don’t need to submit their apps for a lengthy approval process and users have little expectation of quality from the apps they download.
On the other hand, Apple have set themselves up as policemen for their app store, and they say in their advertising that users are safer with Apple app store apps than they would be on other platforms because of the checking process.
Apple have taken a policy decision that they are in the business of checking and approving apps, and they need to do it properly. Apart from anything else they open themselves up to a risk of litigation because people have an expectation that they are protected when they are not. (Google are not at similar risk, because users have no similar expectation).
I suppose that part of the problem here is that, if an app has permission to read your contacts, and permission to communicate online, then there's no automatic way of stopping it transmitting your contacts online. Apple undertaking to police apps by analysing source code is potentially quite dangerous in terms of liability, whereas anything short of that could be easily guarded by a genuinely malicious app – it creates the illusion of safety, which is potentially more harmful.
Apple should set the privacy standard that app makers must follow, otherwise by the time privacy advocacy groups get to investigate, personal data will have been sprayed all over the web potentially using your details to scam others.
Tom, are you advocating a closing the stable door once the horse has bolted policy?
It's funny, but I "trust" Microsoft (hotmail) and Google (gmail) and Yahoo (mail) with my contact details and address books. I "trust" Facebook lots of details and the many apps it uses which, for example, can see my friends' birthdays and remind me of same. Many applications support the "single sign on" idea now and that number is expanding, and the advent of "smart" phones only adds to the confusion.
I think it's time for smart phone users to stop thinking of them as phones and start thinking of them more like computers (which can also dial phone numbers) that need lots of security in place and caution when dealing with apps and communications. After all these devices no longer depend upon a "mobile" telecommunications network to operate and this is really scary stuff but, just like installing software on a computer and clicking the "OK" or "Accept" button or visiting any site while browsing, mobile users will need to be educated on the risks when installing apps or joining social networks.
It would be nice, but naive, to think that every app will be approved and OK. I think it's like making your browser vendor responsible for the sites you visit. This reminds me a little of the older issue with applications (and viruses and malware) being able to integrate with your e-mail account and address lists – you want integration, you accept the risks, but you must know about them first and that's an education issue not just a privacy one.
One last thought though, we use Messenger and Mail applications and integrated sign on with our computers and the data sharing, many times necessary to obtain the functionality, that goes on behind the scenes is essential. Imagine if your Skype application could not see your Skype contact details. I am not aware that I have ever said that Skype or MSN or any other social networking application (except Facebook) has permission to collect and store my contact or my friends' contact details – yet we allow it without thinking about it cause we "trust" them.
The day of the Mobile Phone and Computer are almost dead, we are rapidly approaching the day of the integrated device that does both, which opens up a whole new vista of security issues which boil down to, ultimately, let the user be cautious and beware.
It's unfair to say Apple doesn't care, just because they let a couple privacy issues slip past while attempting to screen the enormous numbers of apps that get submitted each day. They weren't the ones who wrote the code, but somehow they're now responsible for it?
The Hipster app does provide you with an option when adding friends to deselect the "Contacts" button, but who would imagine selecting contacts meant sending your contacts to Hipster?
LinkedIn did the same thing with my contact list, then invited all my contacts to join in my name!
Irrespective of Apple's responsibility, they should delist the (current version of) the app immediately.
I am glad it leaked and has been published. Thanks to Arun and Mark for publishing it.
It sounds as if the iOS libraries are not providing WiFi security? Why did they run into the same security issues?
Is it encrypted when it uses GSM/GPRS data network? I don’t think so. Once it leaves the mobile network provider it might well still be unencrypted?
What would be the advice? Remove all social apps from mobile devices?
Thanks for any advice.
Everyone is responsible for their own privacy, we need to raise awareness of this issue so that people are making the right decisions. This is one major change occurring with the social media explosion…. These apps are essentially ‘trading’ on our privacy and the lack of individuals' understanding of the implications, and the level of incorrect trust they place with the app providers.
We may need interim policing via the likes of Apple, etc…but ultimately you have to be responsible for yourself. If you want to stand on the high street and shout out your private info then it's up to you…
These issues arise from the App Store being such an efficient market. If we look back a decade, the barriers to entry (for software producers) were much higher and we (the consumers) were nearly constrained to obtain our applications from a small number of reputable companies. So, it was unlikely we would install anything malicious, and most of the vulnerabilities were fairly esoteric.
I am surprised all phone applications are not made to run in sandboxes (but I realise a sandbox would make no difference to the two application issues that are the subject of the article).
When I’ve installed applications on a Blackberry, I’ve been presented with quite detailed check lists of permissions the applications sought, each individually to be OKed or KOed. I regard that as a very valuable feature, and I would even like the ability to force an application to request temporary permission when it needs to use a specific resource (such as the data or “voice” network).
In general, I feel more comfortable with open source software, for which I (not being an early adopter) make the assumption that several independent people will have studied the code and would have publicised any major problems. (But, I suppose someone will explain why that is naïve!)
Hang on, check your facts. Path does not send your data over HTTP, it sends it over HTTPS. They are using basic minimal encryption. From Arun’s article “It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add”
The issue isn’t that they are being careless in transit, the issue is that they are collecting this data without *sanitizing* it (hashing or obscuring the personal details), without being *selective* (you don’t need all the contact details) or even *without informed consent*.
Hipster, on the other hand, is using HTTP. So all your comments about unencrypted traffic sniffing are correct for them.
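The three points in the comment above (hash what is sent, send only the identifiers matching needs, and ask first) can be combined on the client. This is an added example, not part of the original comments and not Path's code; the function names, the record layout and the 10-digit default-country phone rule are assumptions made for the illustration.

```python
import hashlib
import re

def normalize_email(raw):
    """Trim and lower-case an address; None if it is not address-shaped."""
    addr = raw.strip().lower()
    return addr if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", addr) else None

def normalize_phone(raw, default_cc="1"):
    """Reduce a number to +<digits>. Assumption: bare 10-digit numbers
    belong to default_cc; anything else without a '+' is dropped."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+") and digits:
        return "+" + digits
    return "+" + default_cc + digits if len(digits) == 10 else None

def digest(kind, value):
    """SHA-256 over a type-tagged identifier, hex encoded."""
    return hashlib.sha256(f"{kind}:{value}".encode("utf-8")).hexdigest()

def build_upload(address_book, consented):
    """Client side: nothing is produced without consent, and only digests
    of e-mail addresses and phone numbers are produced with it. Names,
    notes and every other field stay on the device."""
    if not consented:
        return []
    digests = set()
    for contact in address_book:
        for raw in contact.get("emails", []):
            email = normalize_email(raw)
            if email:
                digests.add(digest("email", email))
        for raw in contact.get("phones", []):
            phone = normalize_phone(raw)
            if phone:
                digests.add(digest("phone", phone))
    return sorted(digests)

def match_members(uploaded, member_index):
    """Server side: compare against digests of existing members only."""
    return sorted({member_index[d] for d in uploaded if d in member_index})

# Constructed sample data (hypothetical contacts and member id).
SAMPLE_BOOK = [
    {"name": "Alice Example", "emails": [" Alice@Example.com "],
     "phones": ["(555) 010-0199"], "note": "door code 1234"},
    {"name": "Bob Example", "emails": ["bob@example.org"], "phones": []},
]
MEMBER_INDEX = {digest("email", "alice@example.com"): "member-42"}

if __name__ == "__main__":
    print(match_members(build_upload(SAMPLE_BOOK, consented=True), MEMBER_INDEX))
```

Phone numbers come from a small, enumerable space, so an unsalted digest of one can be reversed by trying every number; hashing limits what the server stores but does not make the upload anonymous.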
You are correct Jim, I missed that. I have corrected the article and you make some very valid points.
However, Path can't be using HTTPS securely, otherwise it wouldn't be possible to mount a successful MITM attack on the connection, as the developer who discovered this problem apparently did. Presumably the app doesn't bother to verify the server certificate it receives. Thus Path also exposes your personal data to third parties.
They have just released a new version to the app store, so now is the PERFECT time to trash their rating with a one-star review on your way out the door!
As of this writing there are only nine reviews for it, so yours will weigh heavily. And the current-version rating is what the app store displays first, so it will hurt them for a good long while.
"Of course Facebook's iPhone app has been uploading your contact list for years, albeit with your permission.
So many Naked Security readers click through the Facebook app's prompt, assuming it to be a EULA, that we frequently get emails from people freaking out about how Facebook got their cell phone number, and the emails and numbers of their friends."
Note that your contact list contains *other people's* personal information, not your own. So the likelihood is that Facebook got your cellphone number/email address not because *you* unwittingly clicked through a prompt, but because your "friends" uploaded your personal information to Facebook without bothering to ask you whether you minded. It's likely that Facebook obtains/stores/exploits the personal information of many non Facebook users like this as well.
Apple approved malware?