Tech web The Verge has post a exhaustive report yesterday, unveiled a astonishing truth that so many iOS apps are uploading data from your iPhone's address book without any permissions and warnings. The reports had a classification for those apps, and it also given the advice to text it out whether your data was watched.
Over the course of the past week, a firestorm has erupted in the world of iOS apps, thanks to the discovery that Path was uploading data from your iPhone's address book without asking for explicit permission. Upon opening the app and registering, Path automatically uploaded your contact data in order to "find friends" that you might want to connect to. Path has since apologized and updated its app, but the problem exposed by the episode remains.
Stated simply: any iOS app has complete access to a large amount of data stored on your iPhone, including your address book and calendar. Any iOS app can, without asking for your permission, upload all of the information stored in your address book to its servers. From there, the app developer can either use it to help find your friends, store it in perpetuity, or do any number of other things with it.
Over the course of the past day, we have been using the method explained by Arun Thampi (who discovered Path's privacy violation) to investigate several dozen popular iOS apps. Our findings should bring both comfort and concern to any iPhone user — and to be frank the work of doing a similar investigation on Android and other platforms remains to be done.
Presented below are our findings so far, but we consider this to be an ongoing project. It's nearly impossible to prove a negative, so instead we simply need to test as many apps as possible to determine which apps are uploading your data. Without further ado, here's what we've discovered so far.
The way to tell if an app is uploading any data to a server is simply to watch all the outgoing data that it is sending. Fortunately, Thampi has laid out a relatively simple way to do this, based on a common methodology called "Man in the middle." You need to set up a program on a computer, in this case mitmproxy, to track all outgoing and incoming data. Having done this, you re-route your iPhone to send all data through your computer via a proxy instead of connecting directly to your Wi-Fi router or your carrier.
In almost all of the cases we tested, that data was fairly-well encrypted as it connected via a secure HTTPS connection instead of an insecure HTTP connection. Also, in most cases, data was submitted via a "post" command, though in some cases data was submitted via a "get" command, which is roughly equivalent to typing a URL into a browser. In at least one case, we have an example of an app sending insecure data via this method, though the app (Hipster) has since been updated. More on it below.
This method is fairly cumbersome, as it requires you to examine each and every outgoing piece of data. It also means that sometimes we can't see everything that's sent and generally introduces some uncertain variables in the tracking process. For example, although Dragon Dictation clearly warns you that it is uploading contact names for better transcription, we didn't see that data pass though the standard port we were tracking. Again, it's hard to prove a negative.
"The absolute worst case scenario is an app uploading your address book data without either informing you of its actions or without presenting you with a clear and obvious button that implies what it's about to do."
The report points out older versions of Path, Foursquare and Hipster once played as such roles of Egregious offenders.
"The next set of apps are those that are uploading your address book but do so only when you initiate an action in the app. We are differentiating these apps from the "explicit warner" apps that present a standard iOS pop-up dialog when you are about to upload contact information. Instead, you'll often tap an element that reads something like "Find friends." In all of these cases, the user is specifically requesting that the app locate people — though it's not necessarily always clear that your entire address book is being uploaded.
There are some obvious examples of apps that use this method. Twitter, Facebook, and LinkedIn are all social apps that can and do upload your address book, though in each case you need to tap a button to make it happen."
The report also gives positive appraisal for those apps that explicitly warn you when you are about to upload your address book information, and data defenders like Facebook.
"There is also a surprisingly large set of apps that do not appear to upload address book information when we expected that they would. Pinterest, Skype, Flipboard, Shazam, Pandora, Rdio, Meebo, Netflix, Google+, TripIt, and Color are all examples of apps where we were unable to find evidence of address book uploads. "
At Last the reports points out:
"The proper technical solution is for iOS to limit access to the contacts database for all apps, so that an app must ask the user for explicit permission to access it. Apple already does this for location information. Yes, this solution is likely to break functionality for a wide swath of apps and it also brings up the earlier-mentioned problem of "alert fatigue," but neither of those issues should be considered deal-breakers when weighed against the potential privacy issues of unfettered access to contact information. As things stand today, any one of the over half a million iOS apps currently in the market can access your address book without your knowledge or permission.
If and until Apple restricts access to private information on iOS, the best technical solution we have is vigilance. Perhaps an enterprising software developer can construct a "Man in the middle" program to automatically scan for address book data to speed up testing. In the meantime, if you have the technical prowess to examine the data sent by an iOS app, please let us know in the comments below and we'll update this article with any new information we can gather."
After questioned by U.S. Congress, Apple has finally made a statement on the matter, promising a future update to iOS that will require explicit user permission to access contact data. The decision is a fairly obvious one and a good move to protect users private data.
You can read the exhaustive report here.