I never knew that an app could access and forward/save/collect/store my Contacts!!!!!! That's seriously not cool.

Apple has all sorts of warnings in place but not something this obvious?

So now I fear that my 50+ contacts' full name/email/phone/address are being sold/marketed.

Total bull on Apple's side...iOS has been out for years and Apple never thought to ban/deny (not "GUIDELINE") apps from accessing the Contact list?!
 
This has been around since iPhone OS 2 (before it was called iOS):

CFArrayRef ABAddressBookCopyArrayOfAllPeople (
ABAddressBookRef addressBook
);

It was something that was shown in the first few classes of the Stanford iPhone programming course since 2009.

I never considered it a 'security threat', and it seems very few people did until just now.
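For comparison with the unguarded call quoted in the post above, here is how the same read looks behind the user-consent check that the AddressBook framework gained in iOS 6. This is an added example, not part of the original post; `CountContactsIfAuthorized` and `onResult` are hypothetical names, and it assumes the function is called on the main thread.

```objective-c
#import <AddressBook/AddressBook.h>
#include <dispatch/dispatch.h>

// Added example: touch contact data only after the user has granted access.
// onResult (hypothetical callback) receives the contact count, or -1 when
// access is refused or the address book cannot be opened.
static void CountContactsIfAuthorized(void (^onResult)(CFIndex count)) {
    ABAuthorizationStatus status = ABAddressBookGetAuthorizationStatus();
    if (status == kABAuthorizationStatusDenied ||
        status == kABAuthorizationStatusRestricted) {
        onResult(-1);               // user or device policy said no
        return;
    }

    CFErrorRef error = NULL;
    ABAddressBookRef book = ABAddressBookCreateWithOptions(NULL, &error);
    if (book == NULL) {
        if (error) CFRelease(error);
        onResult(-1);
        return;
    }

    // Shows the system prompt the first time (status NotDetermined);
    // on later runs the handler simply receives the stored decision.
    ABAddressBookRequestAccessWithCompletion(book, ^(bool granted, CFErrorRef err) {
        // The handler runs on an arbitrary queue; hop back to the main queue
        // so the address book is only ever used from one thread.
        dispatch_async(dispatch_get_main_queue(), ^{
            CFIndex count = -1;
            if (granted) {
                CFArrayRef people = ABAddressBookCopyArrayOfAllPeople(book);
                if (people) {
                    count = CFArrayGetCount(people);
                    CFRelease(people);
                }
            }
            CFRelease(book);
            onResult(count);
        });
    });
}
```

The gate covers access on the device only; what an app does with the data after the user taps Allow is outside what this check can see.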
 
So, let's see if I understood.
Let's say I develop an App that gathers information from the Address Book. Let's say my App prepares a form which a user can send to a list of people in his/her Address Book.
In the future, when this change becomes implemented....

1) ... will I need to present the user with a prompt to allow me to access his/her Address Book to collect the information?

Or

2) ... will I need to request Apple's permission to use this feature when I submit my App?

Note that in neither case my App would be transmitting any Address Book data over the internet. Actually, I don't see a real reason to do so, unless the reason falls into the dubious category.


Any app that is "social" in nature usually requires data from the user's address book.

How is the app to find your friends? From your address book.
How does a chat app know who you're chatting with? From your address book.
How is a cooking app supposed to know who your friends are that are cooking something? From your address book.


The list goes on and on.

Any social app uses some aspect of the user's address book whether the user knows it or not. On any OS that is using any person in your address book.
 
I just hope they're careful how they word it; I wouldn't want this to affect apps that just give the user convenient access to address book entries or other such services. For example, a chat client that uses address book to pull up any extra info you have for someone you're talking to.

It's only apps that harvest address book data without you knowing that are the problem, right? I can't understand why these developers think it's okay to do that in the first place.
 
Total bull on Apple's side...iOS has been out for years and Apple never thought to ban/deny (not "GUIDELINE") apps from accessing the Contact list?!

Because originally there was trust (a lot LESS trust than Android, mind you). Where an app developer might want to use your contact information to, for example, allow you to play a game of scrabble with a friend by showing the friends' names.

Now app developers aren't using the information for proper uses, but instead nefarious uses. Which is why Apple is stepping in and restricting the use of these APIs, just like they restricted Location services.

Android is much worse in this regard. There is a lot less security in the OS. Which makes some people happy because they can do 'more' with Android, but it also opens the whole OS up to bad apps. For example, in Android, it's possible for an app to send text messages in a background process while the user is unaware that it is happening, and thus charging their phone bill for text messages. iOS restricts what can be done in a background thread.
 
I'm fine with an app using my data within the phone for legitimate purposes, but don't really see any reason it would have to upload it to an app company's servers. I hope there's a way to distinguish between the two levels of permission...not just no access or all access.
 
It's only apps that harvest address book data without you knowing that are the problem, right? I can't understand why these developers think it's okay to do that in the first place.

Yes - and these particular developers should be penalized, but they're not - the public thinks it's Apple's fault, so Apple is dealing with it now.

It's just like laws where a bar serves someone alcohol, and they leave and kill someone driving intoxicated in their car, they sue the bar. Apple is the 'bar' in this case. The bad app developers are the 'drunk drivers'.
 
Yes - and these particular developers should be penalized, but they're not - the public thinks it's Apple's fault, so Apple is dealing with it now.
When you promise safety through strict and complete regulation - that's not really to be unexpected. That's one of the downsides of such an ecosystem.

People would assume, rightfully so, that Apple would not permit this sort of behavior - but clearly they have.
 
1) I am an iPhone user.
2) I am an Android developer.

I've always liked the permissions for building application. The API just throws an exception (with proper information in the logs) if your app does not have the proper permission. This is really the developer's responsibility. There's even a permission to use the internet, so if it is not there, the app should not be able to contact the outside world.

Unfortunately, most users (AKA dumbasses) might see the permissions when they install the app and be clueless about them and click install anyways.

Though, I would like a reminder on first use, like, "This application is about to read your <DO SOMETHING> and profit massively from it. Although you clicked accept without reading the screen when installing, I'm reminding you just now. Now is the time to truly bailout. If you click YES now, then don't come crying, OK?".

And I think it should be an ongoing dialog between developers and project management on whether a permission needs to be added. But that's beyond the point. For example, if a feature requires the android.permission.HUMAN_SACRIFICE, then the developer should bring it up to make sure this is absolutely needed. After all, an app that asks for too many permissions would personally turn me off.
 

Major props for this.

Seriously, the constantly appearing modal location services beg request is annoying enough.

Really wish Apple wouldn't respond so instantaneously to every request congress makes. It's going to give them the idea that they can actually control the iOS platform.
 
Yes - and these particular developers should be penalized, but they're not - the public thinks it's Apple's fault, so Apple is dealing with it now.

It's just like laws where a bar serves someone alcohol, and they leave and kill someone driving intoxicated in their car, they sue the bar. Apple is the 'bar' in this case. The bad app developers are the 'drunk drivers'.

responsible bars cut you off and call you a cab
they really should be held responsible if it is found that they let their customer drink past their limit
 
But only partially (until the next scandal). They copied Android's approach partially. It's not enough. Apple have to admit the superiority of Android's approach and copy it entirely.

Android's approach is terrible. It consists of showing a cryptic list of entitlements to the user all at once at the time of downloading. The user can either accept all of them or not use the app at all.

With iOS (At least with location services and notifications right now) the user is asked about a specific permission while using the app. This is much better, because it does a couple things:

1. The user will usually know the reason why an app is requesting the specific permission. On Android you haven't even downloaded the app yet, so you have no clue what you are allowing. If an app requests something right when you open it that you weren't expecting...then you know it is suspect.

2. The user can use an app even if they deny specific permissions (No location, no notifications, soon no address book and maybe others.) Some apps may use location to find local things. If a user just wants to search manually they still can even after denying location services. On Android you would have to disable your GPS in settings to use the app without it, as you have already granted location permissions.

3. Messages about what an app is doing can be more clear, as they aren't in a list with 5 other permissions.

Android's method is more secure "on paper", but the reality is that the majority of android users just click allow on every app they download without really reading through the text, as it becomes meaningless to them after doing it so many times.

Obviously it is better in terms of your address book in this case, but once Apple implements similar controls for it then it will be much better than Android's implementation.
 
;)

That's when I use the 3rd button (the round one below the display) to quit the app, then kill the app, then delete the app...

...after leaving a 1-star rating and review. Which is what we should all be doing to the Path app (et al.)
 
Ugh who cares. Yes, I get that every non-social app does not need my contact list, and therefore they should not be allowed to have it (Angry Birds doesn't need it, they use Game Center to be social). But if you're signing up for a social app then just expect it. We're in the age of the Social Internet. Our information is out there, everywhere, that companies have. As long as they don't track where I am all the time, I could care less. Move on to more important things please.
 
Guys, calm down. Apple isn't BLOCKING ANY APP from requesting Contact data, they're merely putting the question to their users, ALL apps will still have access, they just have to ask permission first.
 
Android's approach is terrible. It consists of showing a cryptic list of entitlements to the user all at once at the time of downloading. The user can either accept all of them or not use the app at all.

With iOS (At least with location services and notifications right now) the user is asked about a specific permission while using the app. This is much better, because it does a couple things:
...

Users ought to know what permissions an app requires -- before it is purchased. Optional permissions (e.g., Camera will still operate as a camera, without access to Location information) can be requested as needed when the app is executed.
 
I'm not sure why this is such a big deal considering that any app has been able to access our address book data for decades on Windows or Mac or Linux. At some point, you have to trust the developers that you purchase an app from.
 
I'm not sure why this is such a big deal considering that any app has been able to access our address book data for decades on Windows or Mac or Linux. At some point, you have to trust the developers that you purchase an app from.

Access isn't the problem. It's transmitting back to the mothership of the developer w/o consent of the user which is a clear breach of privacy regardless of platform.
 
Brilliant! I was just wondering about this issue today, and it looks to be fixed soon. I have put off playing games that engage in this activity.
 
I'm not sure why this is such a big deal considering that any app has been able to access our address book data for decades on Windows or Mac or Linux. At some point, you have to trust the developers that you purchase an app from.
Perhaps because until the most recent decade, most apps had no online component, and the 'advertising and social mapping' extent was far lower as well.

That and there were database/API inconsistencies that made it more difficult. Phones provide a uniform and predefined method of accessing contact details, most computer software does not.
 
Ugh who cares. Yes, I get that every non-social app does not need my contact list, and therefore they should not be allowed to have it (Angry Birds doesn't need it, they use Game Center to be social). But if you're signing up for a social app then just expect it. We're in the age of the Social Internet. Our information is out there, everywhere, that companies have. As long as they don't track where I am all the time, I could care less. Move on to more important things please.

Maybe you know only boring people so there is nothing to protect in your address book?
 
This is all pointless anyway. I can protect my contacts, but mutual contacts of all those people will probably upload everyone on my list anyway, including MY contact details. I don't use Path, or any of the other data stealers, but I bet somebody's got my telephone number and address now.

There's got to be a better solution. Perhaps Apple should provide contact matching services themselves via iCloud so that developers never get access to the raw contact data.

Anyway, one more pesky prompt isn't really going to solve a whole lot. If you want to steal somebody's contacts for nefarious means you just have to make an app that has an excuse for needing access to that data. 'Make sure to press OK at the next prompt!' People are easily duped.
 
Maybe you know only boring people so there is nothing to protect in your address book?

Serious question, what is there to "protect" in your address book? The name/number of your bookie? Your favorite escort service? Seriously, I really want to know what can be so scandalous in a phone book that you wouldn't want people seeing? And if there is something there, wouldn't it have been a good idea to not have it there in the first place?
 
Access isn't the problem. It's transmitting back to the mothership of the developer w/o consent of the user which is a clear breach of privacy regardless of platform.

Absolutely. Like I said, at some point you have to trust the developer. If they are found to do something like this, they should suffer the consequences.

What I don't understand is why people are outraged that Apple hasn't done something to prevent this situation sooner.
 