Path discovered phoning home with your address book

Summary:Upstart social network Path was discovered uploading users' complete address book to its servers. Completely inexcusable in today's privacy-sensitive society.

Path discovered uploading your address book to its servers - Jason O'Grady
It's a feature, not a bug!

That's basically the response from Path's management after the popular social networking service was discovered uploading users' complete address book to its servers.

Path, for the unfamiliar, is a relatively new social network, billed as a "smart journal that helps you share life with the ones you love." Think Foursquare meets Instagram meets (insert name here).

Developer Arun Thampi discovered the privacy issue and posted this to his blog:

It all started innocently enough. I was thinking of implementing a Path Mac OS X app as part of our regularly scheduled hackathon. Using the awesome mitmproxy tool which was featured on the front page of Hacker News yesterday, I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add.

Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.

mitmproxy - an SSL-capable man-in-the-middle proxy

Um, yeah. Your entire address book.

Now I don't know about you, but I'd certainly expect a feature like address book upload to be opt-in (and optional) -- not hidden with no way to opt-out. The other problem is the once Path already has your contact data, there's no way to delete it -- at least that I can find.

Path CEO Dave Morin quickly went into damage control mode and gave the classic It's-a-feature-not-a-bug response, saying that the app uploads your entire address book "in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path." Morin goes on to explain that Path 2.0.6 for iOS makes address book upload opt-in, noting that it's pending App Store approval.

Dan, it might be time to call in a few favors at Apple and get 2.0.6 escalated.

Not clearly disclosing a "feature" like complete address book upload and not giving users a simple way to opt-out is inexcusable. Many thanks to Arun (and the mitmproxy tool) for exposing this privacy breach.

Delete.

http://www.zdnet.com/blog/apple/path-discovered-phoning-home-with-your-address-book/12182

Update: It's time for Apple to require that developers to disclose aspects of their apps that will impact user's privacy. This is one key area where the Android Market does things better than the App Store does. Here's a sample of the permission screen that you must acknowledge before installing the app My Tracks.

Android Market permission screen - Jason O'Grady

Update2Here's how Path can save itself, if it acts fast

Topics: Servers, Apple, Apps

About

Jason D. O'Grady developed an affinity for Apple computers after using the original Lisa, and this affinity turned into a bona-fide obsession when he got the original 128 KB Macintosh in 1984. He started writing one of the first Web sites about Apple (O'Grady's PowerPage) in 1995 and is considered to be one of the fathers of blogging.... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.