
View Full Version : iPhone Developers Accessing Users' Telephone Numbers for Telemarketing?




Buskape
Sep 29, 2009, 08:50 AM
Your number and who knows if other personal data..

This is a major concern, as it is a huge violation of European Commission laws, and totally UNACCEPTABLE!

Some users have reported being called by the company developing applications asking them to buy their full version

Source:
http://www.mac4ever.com/news/48159/exclu_iphone_une_vraie_passoire_pour_certaines_donnees_personnelles/

(scroll down for English)

I hope Apple does something about this VERY quickly, like verifying during the app approval process..... :mad:



jav6454
Sep 29, 2009, 08:52 AM
I believe this violates certain ethical and private laws all over the place.

Mystikal
Sep 29, 2009, 09:06 AM
That's why you jailbreak, and download privacy.

Then they can't do anything :D. Jailbreaking wins again!

ghayenga
Sep 29, 2009, 09:17 AM
Your number and who knows if other personal data..

This is a major concern, as it is a huge violation of European Commission laws, and totally UNACCEPTABLE!

Some users have reported being called by the company developing applications asking them to buy their full version

Source:
http://www.mac4ever.com/news/48159/exclu_iphone_une_vraie_passoire_pour_certaines_donnees_personnelles/

(scroll down for English)

I hope Apple does something about this VERY quickly, like verifying during the app approval process..... :mad:

There is a private API that will read the phone number off of the SIM card for those carriers that actually store the phone number there, but many don't. It *is* unauthorized and Apple will not approve it if they are aware of it.

SpaceKitty
Sep 29, 2009, 09:43 AM
That's why you jailbreak, and download privacy.

Then they can't do anything :D. Jailbreaking wins again!

That's true. Privacy was developed after it was discovered that a lot of apps phone home informing them about many things including if you are Jailbroken or not and your IP and phone model.

I'm betting each one of us has a few apps at least that do something like this.

EatMyApple
Sep 29, 2009, 09:52 AM
That's why you jailbreak, and download privacy.

Then they can't do anything :D. Jailbreaking wins again!

In Privacy settings, do you want the toggles ON or OFF to prevent information being shared? They came set to OFF but I changed them to ON. Not sure which one I need. Thanks!

MacRumors
Sep 29, 2009, 10:05 AM

French site Mac4Ever reports (http://www.mac4ever.com/news/48159/exclu_iphone_une_vraie_passoire_pour_certaines_donnees_personnelles/) that a number of users of a free Swiss traffic application for the iPhone have received telemarketing calls from callers who claim that they received the users' telephone numbers from Apple after making the application purchase.

Since Apple's privacy policy would preclude Apple from providing such information, Mac4Ever dug into the issue and discovered that an iPhone application is capable of accessing a device's mobile telephone number with just a single line of code and can then send that information back to the developer without notifying the user that their personal information has been obtained. Mac4Ever confirmed this ability by creating its own proof-of-concept iPhone application and obtaining the phone number of one of its editors' iPhones.

"From a client's side, Apple is the unique entity you can deal with (except for the support). For a developer, it's quite the same: you can only deal with Apple, who never give you an access to the client's information. But it appears that this behaviour is available since firmware 2.1! So, how can't Cupertino be aware of such a thing? And how many apps are involved?

We contacted Apple about this issue and we will keep you posted as soon as we'll receive a complete answer."

It remains unclear whether other iPhone developers beyond those behind the application cited in the report have resorted to such tactics.

Article Link: iPhone Developers Accessing Users' Telephone Numbers for Telemarketing? (http://www.macrumors.com/iphone/2009/09/29/iphone-developers-accessing-users-telephone-numbers-for-telemarketing/)

guzhogi
Sep 29, 2009, 10:19 AM
Let the class action suits begin…

willwc
Sep 29, 2009, 10:21 AM
I wonder if other developers were even aware of this before. Well they are now.

randallking
Sep 29, 2009, 10:26 AM
I've had the same cell phone number for nine years, and that number is on the national Do Not Call registry. I never received one telemarketing call until just recently. In the past few months I've received two. This article makes me suspect that my phone number was obtained through one of the many apps I've used. Heavy iPhone and app usage is the only thing that's changed in my phone usage or who I give my number to.

dejo
Sep 29, 2009, 10:33 AM
I wonder if other developers were even aware of this before.
I was. But it was my understanding that the App Review team was supposed to be looking out for abuses like this. It does violate the iPhone SDK Agreement. But I guess, just like in the case of Aurora Feint, another app that violates the agreement has still managed to slip through the cracks.

JollyRogers
Sep 29, 2009, 10:38 AM
Wow. I would expect Apple to screen for this. If not, shame on them. Also, it would be really nice to know what apps do this and have them listed in case we are running something we wouldn't otherwise.

thejadedmonkey
Sep 29, 2009, 10:43 AM
And that's the problem with a close-walled approach to the app store. It implies (although I'm pretty sure legally Apple denies any wrongdoing, anywhere, by way of their developer and EULA contracts) that Apple is at fault for letting a malicious app through.

Personally I'm so fed up with having an "app store" for every device. I really hope that there's a class action lawsuit to dissuade software vendors from making even more app stores.

P.S. Thought: If Apple's EULA denies any responsibility, and there's a class action which finds Apple accountable for letting malware through into their app store garden, wouldn't that set precedence for EULAs not being valid (e.g.: the Psystar case)?

DavidLeblond
Sep 29, 2009, 10:50 AM
Uh the SDK has, and always has, had complete access to your entire address book. This is pretty obvious if you use any contact sharing apps like Bump.

Yvan256
Sep 29, 2009, 10:54 AM
Uh the SDK has, and always has, had complete access to your entire address book. This is pretty obvious if you use any contact sharing apps like Bump.

Indeed, doesn't that mean that they probably took ALL the phone numbers? Those affected should ask people in their address book if they received similar calls recently.

samcraig
Sep 29, 2009, 10:55 AM
It would be interesting to see if this has occurred in the US.

I just looked for the app and it's not available on iTunes - so either Apple killed it or you can't get it here in the US.

jav6454
Sep 29, 2009, 10:58 AM
That's why you jailbreak, and download privacy.

Then they can't do anything :D. Jailbreaking wins again!

Privacy doesn't protect in this case. Privacy only works for ads that collect information inside the app. These developers, however, make the app itself (not the ad) gather your phone number and beam it back. So this time the only way to solve the problem is to either:

1. Pull the App
2. Modify the app to delete or modify the code and prevent it from collecting your #.

bruinsrme
Sep 29, 2009, 11:03 AM
In Privacy settings, do you want the toggles ON or OFF to prevent information being shared? They came set to OFF but I changed them to ON. Not sure which one I need. Thanks!

OFF

look here (http://forums.macrumors.com/showthread.php?t=769967)

dbwie
Sep 29, 2009, 11:09 AM
I have never been called by an app developer, but if it ever happens, I will treat him/her the same way I used to treat telemarketers... which is "not well" :D

f00f
Sep 29, 2009, 11:29 AM
The one thing here that is supposed to keep applications "safe" for the end-user is Apple and their screening process. Quite obviously this process has failed if applications are allowed to take personal data of any kind unbeknownst to the user.

There's a certain level of trust that is required to install an application on any type of computing device. There's a zillion apps on the App Store written by Joe Schmoes, who, quite frankly, are not worth one iota of trust directly from the user. Instead Apple acts as the middle man, screens the app and clears it for publication on the store (thus establishing trust w/ the developer). Then the users, via their trust in Apple (not the developer, 'cause who knows who half these clowns are), download and install the app.

I don't know anything about Apple's app screening process. I assume it's pretty rigorous. Apparently it needs to be more rigorous, else the lawsuit-happy people will go to town on this one, claiming they trusted Apple and yet their privacy was violated by a third-party. :rolleyes:

On a side note, this kb article quoted in one user's signature (http://support.apple.com/kb/HT3743) is kind of funny. I particularly LOL'd at

Compromised security: Security compromises have been introduced by these modifications that could allow hackers to steal personal information, damage the device, attack the wireless network, or introduce malware or viruses.

Apparently if you install a shady app from the App Store this could happen too. :rolleyes:

Xian Zhu Xuande
Sep 29, 2009, 12:04 PM
As far as I know Apple screens for this. I'm not surprised at all that apps can access your phone number. It seems like rather important information for specific app features, especially as they might relate to your address card or interacting with your phone.

We haven't heard a lot about this and I haven't seen people complaining in reviews. It is certain that the occasional attempt would slip through Apple's cracks and I hope they resolve it. On other open platforms that offer application integration with certain core features this would slip by without even a review process.

Xian Zhu Xuande
Sep 29, 2009, 12:11 PM
On a side note, this kb article quoted in one user's signature (http://support.apple.com/kb/HT3743) is kind of funny. I particularly LOL'd at

"Compromised security: Security compromises have been introduced by these modifications that could allow hackers to steal personal information, damage the device, attack the wireless network, or introduce malware or viruses."

Apparently if you install a shady app from the App Store this could happen too. :rolleyes:
I jailbreak my own phone, so obviously I'm not on-board with Apple's warnings, but like it or not, what they say is true. A jailbroken app can do anything it wants with your phone and the information on it and the only check you can enjoy against this is what the public at large is aware of. All the things described by Apple are possible in a jailbroken app specifically because there is no review process against a developer.

What's overstated about this is that it isn't so different from your computer in this regard. An app you deliberately choose to install for your computer could also contain a virus, harvest your information, or more. As the user, you choose to avoid apps which seem shady or too good to be true. I would wager that a jailbroken iPhone also has less checks and measures against further system modifications made by an application which has already been installed.

If people stick to trusted distribution sources I doubt this is going to become an issue. I do think, however, that it is disingenuous to tie this observation in with an app which has facilitated phone spam.

I hope Apple identifies and removes the app, and takes inventory of their review process as it relates to preventing this sort of thing.

spillproof
Sep 29, 2009, 01:20 PM
aw hell naw! This is BS. Pure BS. Some developers stoop so low.

kainjow
Sep 29, 2009, 01:21 PM
Wow. I would expect Apple to screen for this. If not, shame on them. Also, it would be really nice to know what apps do this and have them listed in case we are running something we wouldn't otherwise.
They do. About a year or so ago I worked on a project and we used the private API to get the user's phone number as a unique identifier. Apple rejected the app, which was expected.

Uh the SDK has, and always has, had complete access to your entire address book. This is pretty obvious if you use any contact sharing apps like Bump.

However this requires that the user actually has their own contact in Address Book. I would think not everyone does.

The API mentioned is really a single line of code. It is a private method, meaning Apple does not support it and does not want you using it. They have ways of checking to see if you are, but there are workarounds that Apple probably doesn't have checks for.

bignumbers
Sep 29, 2009, 02:29 PM
There's nothing new here - the AddressBook API (available on both Mac and iPhone) allows access to the AddressBook database. These aren't private API's, they're public and well documented by Apple. As they should be - many good apps use them.

On the Mac (since 10.2 or 10.3) there's been API access to the "Me" card. So any Mac app can get the users' contact info and do whatever with it. That's how software works - if you don't trust the software, don't run it.

I don't think the "Me" card is directly accessible on the iPhone SDK (I didn't look very hard), but since the full Address Book is there anyway it wouldn't be hard to search and make a good guess based on other parameters.

Using a private API is something Apple does try to catch. They don't always catch them, especially if an app masks the call (by, say, not using the call until it's been installed for a week thus bypassing Apple's checks). But again, all of this info is available via public API's.

The privacy problem IS against Apple's rules, so if they catch a developer doing such a thing they will pull the app (as they've done before).

I have argued that an appropriate solution to this problem (if one calls it a problem, it's really just a concern) is to cover the Address Book API's with user confirmation, like accessing your location. This way the user must approve an app's access to private user data. There's no telling what an app can do with that data (just like location data). But it's a valid and understood method of protection.

But keep in mind none of this is new, since the same API's have been around on the Mac for a very long time. Anyone freaking out because it does so on a smartphone should hide under a rock and shut the hell up.

kainjow
Sep 29, 2009, 02:43 PM
But keep in mind none of this is new, since the same API's have been around on the Mac for a very long time. Anyone freaking out because it does so on a smartphone should hide under a rock and shut the hell up.

Actually, it is new. As I touched on in my previous post, the iPhone has a single C function that returns the device's phone number. It is completely unrelated to the Address Book API, which does let you access the "me" record, if it's available. To be specific, the function is in the CoreTelephony framework, which is not a part of Mac OS X.

SpaceKitty
Sep 29, 2009, 02:48 PM
Actually, it is new. As I touched on in my previous post, the iPhone has a single C function that returns the device's phone number. It is completely unrelated to the Address Book API, which does let you access the "me" record, if it's available. To be specific, the function is in the CoreTelephony framework, which is not a part of Mac OS X.

The iPhone's phone number can also be edited on the SIM card so that it shows a different phone number without actually changing the phone number of the phone itself. This is the number that iTunes shows and it is also the number shown at the top of the contacts list.

Change the number by going to settings/Phone/My Number. Again, editing this won't change the actual phone number of your phone, but only the number that is shown on the phone itself and in iTunes and it too should fool these apps....

Spades
Sep 29, 2009, 03:26 PM
Nothing new here, really.

http://aviary.com/bizblog/posts/idrive-spammed-my-gmail-contacts

Just because Apple is approving all the apps doesn't mean you can drop your guard.

As a side note to the above story, iDrive has not stopped spamming as they claimed. I got spammed by them at multiple addresses weeks after their claim they would stop.

html
Sep 29, 2009, 03:44 PM
Not good

twoodcc
Sep 29, 2009, 08:15 PM
Oh man, this is scary! I hope Apple is working on a fix quick!

baddj
Sep 29, 2009, 09:07 PM
Looks like Apple is going to lose out on an iPhone sale, as I do not want to get into this crap.

trrosen
Sep 29, 2009, 10:14 PM
Looks like we may finally have validation for Apple's kill switch. This is exactly the kind of thing it should be used for.

trrosen
Sep 29, 2009, 10:20 PM
the iPhone has a single C function that returns the device's phone number.

Well duh... so does every other phone in existence. It's sort of a necessary thing.