Topic: Servers

Path discovered phoning home with your address book

Summary: Upstart social network Path was discovered uploading users' complete address book to its servers. Completely inexcusable in today's privacy-sensitive society.

By Jason D. O'Grady for The Apple Core | February 7, 2012 -- 17:39 GMT (09:39 PST)

Follow @jasonogrady

It's a feature, not a bug!

That's basically the response from Path's management after the popular social networking service was discovered uploading users' complete address book to its servers.

Path, for the unfamiliar, is a relatively new social network, billed as a "smart journal that helps you share life with the ones you love." Think Foursquare meets Instagram meets (insert name here).

Developer Arun Thampi discovered the privacy issue and posted this to his blog:

It all started innocently enough. I was thinking of implementing a Path Mac OS X app as part of our regularly scheduled hackathon. Using the awesome mitmproxy tool which was featured on the front page of Hacker News yesterday, I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add.

Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.

Um, yeah. Your entire address book.

Now I don't know about you, but I'd certainly expect a feature like address book upload to be opt-in (and optional) -- not hidden with no way to opt-out. The other problem is the once Path already has your contact data, there's no way to delete it -- at least that I can find.

Path CEO Dave Morin quickly went into damage control mode and gave the classic It's-a-feature-not-a-bug response, saying that the app uploads your entire address book "in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path." Morin goes on to explain that Path 2.0.6 for iOS makes address book upload opt-in, noting that it's pending App Store approval.

Dan, it might be time to call in a few favors at Apple and get 2.0.6 escalated.

Not clearly disclosing a "feature" like complete address book upload and not giving users a simple way to opt-out is inexcusable. Many thanks to Arun (and the mitmproxy tool) for exposing this privacy breach.

Delete.

Update: It's time for Apple to require that developers to disclose aspects of their apps that will impact user's privacy. This is one key area where the Android Market does things better than the App Store does. Here's a sample of the permission screen that you must acknowledge before installing the app My Tracks.

Update2: Here's how Path can save itself, if it acts fast

Topics: Servers, Apple, Apps

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

19 comments

Log in or register to join the discussion

RE: Path discovered phoning home with your address book

"Update: It???s time for Apple to require that developers to disclose aspects of their apps that will impact user???s privacy. This is one key area where the Android Market does things better than the App Store does. Here???s a sample of the permission screen that you must acknowledge before installing the app My Tracks."

Agreed.

CobraA1
7 February, 2012 22:04

Reply Vote
- RE: Path discovered phoning home with your address book
  
  @CobraA1 [b]my roomate's half-sister makes $78/hr on the laptop. She has been out of a job for 6 months but last month her check was $8255 just working on the laptop for a few hours. Read more on this site ... Lazycash9.com[/b]
  
  leon6600
  8 February, 2012 12:01
  
  Reply Vote
RE: Path discovered phoning home with your address book

"Completely inexcusable in today???s privacy-sensitive society."
This must be a joke. The part about privacy-sensitive society that is.

paul2011
8 February, 2012 00:08

Reply Vote
RE: Path discovered phoning home with your address book

There is a sense of entitlement growing within apps companies, that they are entitled to do whatever they want with your device, including resetting configurations, harvesting all data on the device, and even accessing financial information. One EULA that I read claimed the right to submit additional credit card or bank charges without notice or subsequent permission from the user!

And then there are the ones who don't bother to even mention half the things they do in the EULA at all ...

terry flores
8 February, 2012 00:36

Reply Vote
Audit

Scary world we're living in. Software companies must be accountable for their products. Mark Russinovich already mentioned, in one of his blogs, that any intentional holes and backdoors you create in any of your released software will still be discovered sooner or later, which will only create a black eye and lost of future sales to the software company. There must be some kind of auditing companies to audit softwares (even without the source) before the release of software package to consumers. Similar to signed applications and drivers where certification companies are selling certificates to make softwares and drivers signed. I think, Anti-virus companies can become software auditors as they know the deepest internals of any OS, including their API's and even bios system calls. I heard Sysinternals, before it was bought by MS, knew the internals of windows better than MS. So I think similar companies can easily audit any software package and binaries. So in addition to file product version, company name and file internal name, there will also be "audited by:" column. Though this will just make softwares even more expensive. sorry for the digression

Martmarty
8 February, 2012 04:37

Reply Vote
Sad this isn't enforced in the OS

Nuf said.

happyharry_z
8 February, 2012 07:20

Reply Vote
So why did "app store" approve this version?

Interesting that the version with a feature to (supposedly) protect your private information is waiting for approval, yet the one that violates it is already approved. The Apple dictatorship approved this version, aren't they watching out for their subjects? (Devoted apple fans, choose your rationalization from the list below:
(1) It's just information, I trust them to only use it appropriately, they're on our side!
(2) Probably planted there by a conspiracy from apple's competitors, to discredit them.
(3) On second thought, apple doesn't have any competitiors...you can't compete with God.
(4) No big deal, privacy is overrated and much less important than having the latest useless crap on my igadget.

garyleroy@...
8 February, 2012 08:27

Reply Vote
- RE: Path discovered phoning home with your address book
 
 @garyleroy@... ......and your family uses FACEBOOK and GOOGLE right ? No privacy issues there huh? Personally the anti Apple, anti PC, anti Android, anti iOS, anti Linux, anti Android arguments are very juvenile and for some reason endorsed on ZDnet. If you really value your privacy stay the hell away from the internet. All platforms may eventually require monitoring for just such an invasion of privacy. This is not Apple's problem alone.
 
 partman1969@...
 8 February, 2012 08:46
 
 Reply Vote
 - Look up sarcasm
 
 .....I think you'll better understand his post ;-)
 
 ColdFusion_z
 21 March, 2012 15:00
 
 Reply Vote
RE: Path discovered phoning home with your address book

To prevent future "it's a feature" responses from vendors, nearly EVERY SIGNIFICANT INFORMATION SHARING decision should be OPT-IN and should be required by law ! It is the only way to make these companies responsible for their actions. Knowing violating the law would incur a substantial penalty (substantial enough for them to think 10x about doing it, not just twice)!

jkohut
8 February, 2012 08:32

Reply Vote
RE: Path discovered phoning home with your address book

So much for the myth that the glorious app-store keeps the malware out of iPhones.

MatsSvensson
8 February, 2012 08:54

Reply Vote
- RE: Path discovered phoning home with your address book
  
  @MatsSvensson: It's not malware, "it's a feature"! ;-)
  
  levinson
  8 February, 2012 10:35
  
  Reply Vote
RE: Path discovered phoning home with your address book

"Software companies must be accountable for their products."
Fully agree, but really, with so many apps coming from outside US borders, and mainly Asia, where integrity has totally a different significance, good luck in getting it to happen.
I suppose one solution might be to refrain from using any app which does not origonate in the US - but then one has the challenge of trying to realistically determine that detail. Often a look at user docs can be a big clue (Chinglish, eg.), but not always.

Willnott
8 February, 2012 09:26

Reply Vote
- Enron was totally US-held
  
  Implying that integrity comes with the US flag is an insult not only to non-US entities but to the intelligence of EVERY reader of this blog. And I say this as a US citizen. The ultimate defense from this problem is for every user of social media to assume that every bit of data they share on their social apps will be "shared" across the Internet just as soon as it is uploaded.
  
  loupgarous
  22 March, 2012 16:39
  
  Reply Vote
Yes.. and no...

The Android application installation certainly does give you warnings that certain operation calls will be in use, and by installing the app, you agree to let the operating system grant access to those areas to that app. (The developer needs to declare the use of these operation calls in the install manifest in order to unlock those calls at runtime. Windows Phone 7 works the same way).

However, no context is given as to what those operation calls are actually used for. You typically need to ask the developer directly what they intend to use the calls for, and even that isn't necessarily the truth (though some are pretty good about disclosing usage on their website or product description). This is already a big issue around resources that in-app advertisements need. They often need full access to the internet, and possibly your location to serve up localized ads. However, granting access to that also allows the app itself to piggy-back on those opt-in credentials to send/post your location to a server somewhere.

If I were a malicious app developer, I could say, "today I'm requiring access to your address book to locally show you a list of contacts for some [insert plausible, innocent purpose here]. Not doing anything fishy with them.". Especially for a social network app like "Path", this seems reasonable, so you opt in by installing the application.

Later, I change the app so I'm scraping your contacts and uploading them to my server. You upgrade (or allow Android to auto-upgrade since the declared operations haven't changed).

I issue another upgrade a week later and remove that scraping code.

And suddenly, I've managed to turn a very innocent app into a very evil one and then back to an innocent one. I've gotten your contacts and you probably don't even know it. And unless someone is scrutinizing every release that comes out, nobody will know I was able to at some point.

PolymorphicNinja
8 February, 2012 09:46

Reply Vote
- Bingo....not what....why
  
  You got it...it's nice to know what areas of your data and hardware the app will use....but tell us Android users WHY.
  
  Still better than the Apple approach though
  
  ColdFusion_z
  21 March, 2012 15:02
  
  Reply Vote
Simple solution

All users should immediately, and permanently delete the app and contact their friends to inform them that this plague-like little piece of sh*t app is to be avoided. It's so far from needed. An immediate market smackdown is the only effective way to send a warning out to any other predators in App form.

Blazing Pixels
8 February, 2012 09:54

Reply Vote
A journal is something private

Hi, I???m Rafael, one of the owners of Juicy Cocktail. We make a journaling app for OS X that takes another approach than Path. While we like their user interface and the app at all, you have to be careful what private data you really want to enter and send to companies. Privacy policies can change, companies can run out of money or funds and sell your data as a last resort to stay alive. I dont want to paint a gloomy picture at all, but you can never know, and the safest thing is to be careful. Our app Memories (http://shurl.at/as) has an easy to use interface while it offers more privacy and protection from prying eyes than a web service could ever do. All of your journaling is kept on your Mac and not uploaded to the cloud. Memories also uses AES encryption to keep your entries unreadable from people who dont know your password (some competing products let you set up a password, but you can still see the entries on your hard disk if you know where to look).

Even if we supported e.g. iCloud all data would get uploaded encrypted and nobody could read it. I think that this is essential for a product that keeps a lot of your private data. You can export and import entries in over five formats and choose between exporting a single entry or the whole diary. This is very important, because essentially you would loose all your entries if a company would go out of business and offered no export functionality.

juicycocktail
2 March, 2012 04:17

Reply Vote
The apps requiring all those permissions

When i dowload apps to my HTC Thunderbolt, I don't even understand all of what they're asking permission to access, especially: "Prevent phone from sleeping." I want to know WHY they require these permissions. I have always given permission because I want the app, and it certainly appears that you can't GET the app unless you GIVE the permissions. WHY, WHY, WHY?????

guardian1935
21 March, 2012 20:27

Reply Vote