Apple to Require Explicit Permission for iOS Apps Accessing Address Book Data

[mw360]

Everything else, not buying it. The massive flood if information on the Internet makes it unlikely that anyone could even possibly connect the dots for relationships based solely on contact info. Heck a major problem with social networks is that there is TOO much information that they can't find easy patterns of behavior, motivation, etc.

Hey there, I can understand your position, but consider this. Sooner or later one of these shaky outfits is going to get a visit from "Anonymous" or some of their friends, and the entire database of contact information is going to be posted shamelessly online. From there it will be utterly trivial to build a searchable resource of not just users of that app, but everybody those users knew, possibly including you. And it could include phone numbers, email addresses, physical addresses, dates of birth, even notes like names of children, anniversaries etc. that people sometimes add to their contacts to make it seem like they're really good at remembering stuff.

That's the scary thing, its not a database of what you've published about yourself, its a database of what other people have written in private about you.

So, want to know where a celebrity lives? Just look them up. Want to put a competitor out of business? Look up who his clients are and drop them a line. Want to pull off a phishing scam? Call someone armed with their name, address and the name of their financial adviser. Need some quick cash? Look up all the phone numbers of houses in your street and call around to see who's not home today. Want to bully a kid? Just look him up and see if his parents know a divorce lawyer, or adoption agency. Got other interests in kids?..Well lets not go there, you get the idea...

 

[gnasher729]

Serious question, what is there to "protect" in your address book? The name/number of your bookie? Your favorite escort service? Seriously, I really want to know what can be so scandalous in a phone book that you wouldn't want people seeing? And if there is something there, wouldn't it have been a good idea to not have it there in the first place?

The information in my address book that I wouldn't want a company to access and copy to their servers isn't "scandalous". It is private. It is non of their ********** business.

 

[marcusj0015]

Users ought to know what permissions an app requires -- before it is purchased. Optional permissions (e.g., Camera will still operate as a camera, without access to Location information) can be requested as needed when the app is executed.

But then that permission is required to prompt the user every single time, which is the most annoying thing ever.

 

[faroZ06]

Ah great, more annoying popups. It is already bad enough that Autofill is disabled by default, and iOS has to keep asking if you want stuff to know your location.

Paranoids ruining it for all of us.

 

[0098386]

Serious question, what is there to "protect" in your address book? The name/number of your bookie? Your favorite escort service? Seriously, I really want to know what can be so scandalous in a phone book that you wouldn't want people seeing? And if there is something there, wouldn't it have been a good idea to not have it there in the first place?

My family contact details.
My home address.
My employers and publisher details.

There's a wonderful list you can be put on in the UK that makes it illegal for companies to "cold call" you. It's wonderful! On the rare occasion (twice a year?) that I get a cold call I tell them I'm on the list and bam, they hang up straight away. I, and everyone else I seem to know, is x directory. They're not in phone books.

I only want the people who I want to know, to know my phone number.

 

[thai4life]

Wirelessly posted (Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3)

hehehe @ some apps also being able to access our photos without permission, too. Scandalous. Genius. And Pathetic all at the same time.

 

[aggri1]

I find those annoying blue pop-ups really annoying. ;-) I keep getting the one about not having network access whenever I leave the house and then open up, say, the BBC news app (which I had had open earlier and now wish to read all the articles that were downloaded at home).

It'd be nice if we could disable some of those pop-ups.

I was under the impression that it was generally accepted that too many warning messages interrupting use dilutes the perceived importance of the messages, as users just click "Ok" or whatever out of habit. Wasn't the warning system implementation of Windows Vista a common target for criticism?

 

[marcusj0015]

My family contact details.
My home address.
My employers and publisher details.

There's a wonderful list you can be put on in the UK that makes it illegal for companies to "cold call" you. It's wonderful! On the rare occasion (twice a year?) that I get a cold call I tell them I'm on the list and bam, they hang up straight away. I, and everyone else I seem to know, is x directory. They're not in phone books.

I only want the people who I want to know, to know my phone number.

wtf is a "cold call"?

America has a national do not call registry...

 

[Mr. Retrofire]

They need to ask permission for everything. Camera, photo library, music.....all of it.

I agree. They should secure the system as much as possible.

@all "anti-privacy" people:
How much do you need to lose? 100 % privacy & 100.000,- US$, or what?

 

[Joshwawilson]

Wirelessly posted (Mozilla/5.0 (iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A406 Safari/7534.48.3)

Haha I love it!!

 

[BaldiMac]

If that's true, how did all these apps get into the App Store to start with? I mean, they all had to go through the approval process from Apple to get in the App Store, and that is one of the main excuses for Apple being able to have such control over apps -- to protect users from malware and spyware they might contain.

Apple certainly doesn't hesitate to reject apps for all sorts of vague reasons. Are they completely ignoring what the apps is doing with its network access because they're too busy looking for private APIs or something else that competes with their own software products?

Now that Apple is aware of these developers breaking the rules, what action is Apple going to take against them? Will their Apps be pulled, or are they just going to get a slap on the wrist?

There wasn't actually any malware or spyware involved here. As far as I can tell, all the apps involved uploaded the data for legitimate purposes. The problem was just that they did it without the consent of the user which is a legitimate privacy concern.

Ah, yet another reason to put off buying an i-Device a little while longer until you guys are finished getting all the "privacy bugs" worked out.

What are you using in the meantime? A feature phone? None of the other major smartphone platforms have any security that would have prevented what happened with Path.

 

[turbobass]

So what about all the apps that uploaded the address books already? Do they have to give it up (lots of luck with that)? How do we know they are not selling the info to 3rd parties?

I would personally like to see legislation made possession of this information without explicit opt-in illegal. A cultivated address list only breaks the traditional conception of "intellectual property" in the sense that it is more utilitarian than most IP, which in fact makes it more "property" than an abstract thing that other people are allowed to gank without extremely explicit confirmation.

Then again I live in California, where they have confusing and unhelpful laws about all kinds of things people do all the time anyways.

 

[TwinMonkeys]

Ah great, more annoying popups. It is already bad enough that Autofill is disabled by default, and iOS has to keep asking if you want stuff to know your location.

Paranoids ruining it for all of us.

Not sure if serious?

I hate popups too (and think that Apple can probably do a better job with the look and feel of them) but this is a serious privacy and security issue for people. In some cases, a massive one. It's a big deal if certain people's address books get stolen. Given that Apple's philosophy is to control the entire platform to ensure a better user experience, this is just a natural move for them. Most online privacy issues can be prevented by common sense. Particularly problematic for many people is seeing how they post personal information on social media, neglect to use privacy settings, and are surprised when their personal information is stolen weeks later. This is a good move to protect people that are otherwise unaware of these types of issues. Given stuff like http://www.dirtyphonebook.com and other stuff that can't be removed and with Google making all of this information widely available, being vigilant about this is pretty critical and Apple applying this feature to the OS is a smart business move when you consider the type of heat that Facebook takes over privacy. Facebook can do a bit more to prevent people from accidentally messing up their own lives by encouraging more sensible defaults, but in the end people have to be smart about what they post about themselves online, and this doesn't solve all potential problems. Apple probably erred in not including this in the first iPhone given the security and privacy implications inherent here. But beyond just depending on Apple to protect you, make sure that your privacy settings are set up right on Facebook. The vast majority of people don't understand what's visible and not visible and that's pretty scary.

 

[faroZ06]

You do realize that Apple is going to copy Android's approach to solve this problem, right?

A.K.A. use the only approach there is?

----------

Not sure if serious?

I hate popups too (and think that Apple can probably do a better job with the look and feel of them) but this is a serious privacy and security issue for people. In some cases, a massive one. It's a big deal if certain people's address books get stolen. Given that Apple's philosophy is to control the entire platform to ensure a better user experience, this is just a natural move for them. Most online privacy issues can be prevented by common sense. Particularly problematic for many people is seeing how they post personal information on social media, neglect to use privacy settings, and are surprised when their personal information is stolen weeks later. This is a good move to protect people that are otherwise unaware of these types of issues. Given stuff like http://www.dirtyphonebook.com and other stuff that can't be removed and with Google making all of this information widely available, being vigilant about this is pretty critical and Apple applying this feature to the OS is a smart business move when you consider the type of heat that Facebook takes over privacy. Facebook can do a bit more to prevent people from accidentally messing up their own lives by encouraging more sensible defaults, but in the end people have to be smart about what they post about themselves online, and this doesn't solve all potential problems. Apple probably erred in not including this in the first iPhone given the security and privacy implications inherent here. But beyond just depending on Apple to protect you, make sure that your privacy settings are set up right on Facebook. The vast majority of people don't understand what's visible and not visible and that's pretty scary.

It's going to ask you when something USES your info, not just when it sends it. A lot of apps use your info for little things. Now, if they have an option to just always allow for everything, that would be fine, but they don't for other stuff.

Besides, it's unlikely that a mass collection of information is going to affect people individually. The worst that can happen is the server that has it gets hacked, and someone has access to people's email addresses and phone numbers. They aren't going to sift through each one and ruin every person's life by knowing some of their info. It's not passwords and secret things. Some people are worried about their info being out there (I never put my real name online just to stay anonymous), but they should consider those who don't care if a site temporarily stores their friends' phone numbers.

What I want is an option to not allow certain apps to use your internet connection. Every time I open Bloons or something, it asks me to join a wifi network to save my high scores and other junk. Also, once/if I jailbreak, I am going to screw up the Game Center so it can never bother me again.

 

[Rodimus Prime]

What are you using in the meantime? A feature phone? None of the other major smartphone platforms have any security that would have prevented what happened with Path.

Minus users would of known about it day one as the apps permission would of been told to you when you installed it.
Apple lags big time in this department and the only one that does not list the permission. BlackBerry is convoluted but there. Andriod and Windows Phone crystal clear and easy. IOS has it no where and should be there.

 

[faroZ06]

I love my 2005 "dumb phone".

My parents forced me to take my mom's iPhone 4 recently. Man, how are you supposed to talk on a flat brick? I still like my flip phone.

----------

what's in my phonebook that I don't want other people to know?

- my GF's contact info (we get already enough mail/email/phone calls from nutcases and stalkers that we have a dummy phone that we ignore)
- friends contact info that are CEO's and such who have public and private contact infos. they would be mightily **** if their private info goes out.
- business partners contact info
- my lawyer
- my physicians contact info
- my shrink (I'm kidding but it is actually serious. you don't want other people to know that you see a shrink)

Honestly, can't you imagine that a person doesn't want their entire list of business clients uploaded to the servers of five different developers?
Can't you imagine that I'm worried that several of my physicians own iPhones and that developers know who their patients are? Including the birthdates, adresses and family members of those patients?

What are developers going to use that info for? I agree that it shouldn't be collected, but now we have popups for apps that just use your name or something in the app. Google Voice uses my contacts so I can send messages to those people.

I'll just not update and jailbreak.

----------

One more thing to consider - it is absolutely NOT in the best interest of these businesses to be giving away this contact information, even if they sell it. Imagine how fast something like Twitter would implode if it was discovered that it was selling your contact book to third parties. They hold your contacts for 18 months, they could easily do that.

The reason they don't do things like this is because the company would quite simply die a very fast and public death. It would lose all value once people turned against it. For that reason, above all others, I don't ever see companies that have our contact information truly having an impact on anyone's privacy. Because if it did, you could say goodbye to that company faster than a New York minute.

I totally agree.

 

[DJHonda84]

I'm optimistic that additional pop-ups won't be a big deal. Hopefully, app developers will remove non-critical contact access as a result of this added visibility. I wouldn't expect to see a contact access concent prompt in apps that don't require it, just like not every app results in a location access prompt.

Each pop-up would only occurr once per app. As I don't download new apps on a frequent basis, I could get triple the number of such pop-ups and not be annoyed. How often do you anti-pop-up folks download new apps??

To those saying that developers wouldn't share your info: Developers' systems can be hacked...

 

[vbouret]

Posted 3 1/2 years

I have raised this concern about the Contacts API 3 years and a half ago, right when the original iPhone SDK came out!
https://forums.macrumors.com/threads/519721/

 

[faroZ06]

I'm optimistic that additional pop-ups won't be a big deal. Hopefully, app developers will remove non-critical contact access as a result of this added visibility. I wouldn't expect to see a contact access concent prompt in apps that don't require it, just like not every app results in a location access prompt.

Each pop-up would only occurr once per app. As I don't download new apps on a frequent basis, I could get triple the number of such pop-ups and not be annoyed. How often do you anti-pop-up folks download new apps??

To those saying that developers wouldn't share your info: Developers' systems can be hacked...

Every time I open certain apps, they first ask for wifi, then location services, then the app itself tries to sign my into Facebook. I have 5 Facebook accounts, none of which have my real info on them, and all of them have been banned for spamming. It's a waste of time.

 

[SeaFox]

There wasn't actually any malware or spyware involved here. As far as I can tell, all the apps involved uploaded the data for legitimate purposes. The problem was just that they did it without the consent of the user which is a legitimate privacy concern.

Path is a social networking app, it would be used to share information with a select group of people. Sending Path the lists of folks you want to share your info with, and the details of those contacts needed to carry out those functions I can understand, but why would Path need your entire phonebook to do this? Sorry, that's not a "legitimate reason". And this is a social networking app we're talking about here, which is the category of apps that would have the largest need to have access to this kind of information.

Please name an app that has a truly legitimate need to have access to the phone numbers, addresses, and names of every contact in your phonebook and keep a copy of this info on their own servers. The only example I can think of is contact syncing services, and since you can get an iCloud account for free there's not going to be a big market for them on the App Store.

P.S.- Collecting personal information without a valid reason for having this info is the dictionary definition of Spyware.

What are you using in the meantime? A feature phone?

Yeah. It stores my contacts information and the only person who can have access to it is the person holding the phone (unless I use the sync software)... i.e. ME.

What a novel idea.

But the comment about holding off on buying an i-device was really because I was planning to get one after Christmas since I have a MobileMe account I'll be transitioning to iCloud soon. But now I'll wait longer on purpose, whereas before I was just a little broke after the holiday gift-buying.

 

[BaldiMac]

Minus users would of known about it day one as the apps permission would of been told to you when you installed it.
Apple lags big time in this department and the only one that does not list the permission. BlackBerry is convoluted but there. Andriod and Windows Phone crystal clear and easy. IOS has it no where and should be there.

That's just not true. When you download an app like Path on Android it informs you that it will need to access your contacts. Of course, you expect that. It's a social app. The problem wasn't that Path had access to the contacts, it was that it uploaded those contacts to its server. Android does nothing to prevent that.

----------

Path is a social networking app, it would be used to share information with a select group of people. Sending Path the lists of folks you want to share your info with, and the details of those contacts needed to carry out those functions I can understand, but why would Path need your entire phonebook to do this? Sorry, that's not a "legitimate reason". And this is a social networking app we're talking about here, which is the category of apps that would have the largest need to have access to this kind of information.

Please name an app that has a truly legitimate need to have access to the phone numbers, addresses, and names of every contact in your phonebook and keep a copy of this info on their own servers. The only example I can think of is contact syncing services, and since you can get an iCloud account for free there's not going to be a big market for them on the App Store.

P.S.- Collecting personal information without a valid reason for having this info is the dictionary definition of Spyware.

From the CEO of Path, "We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more." Nothing nefarious here.

 

[SeaFox]

From the CEO of Path, "We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more." Nothing nefarious here.

• Yeah, I've never heard of a CxO lying for PR reasons.
• The info can be transmitted one time to do a search of Path's userbase, then deleted afterwards.
• When a friend or family member joins Path they can do the same thing, and will locate person A. Or person A can have Path rerun the search themselves manually.
• Maybe you don't want to link every social account you have to every person on your address book? It's a known fact activities mentioned on social networking sites can have a detrimental effect on professional relationships, whether the activities are legal or otherwise. Do I want the boss in my phone book to made aware I have an account here? Once again, this is an issue where the company is taking proactive liberties in the name of "convenience".
• Was the user told the data would be uploaded and stored in this way? Did they give consent? No? Then it's still spyware.

 

[BaldiMac]

• Yeah, I've never heard of a CxO lying for PR reasons.
• The info can be transmitted one time to do a search of Path's userbase, then deleted afterwards.
• When a friend or family member joins Path they can do the same thing, and will locate person A. Or person A can have Path rerun the search themselves manually.
• Maybe you don't want to link every social account you have to every person on your address book? It's a known fact activities mentioned on social networking sites can have a detrimental effect on professional relationships, whether the activities are legal or otherwise. Do I want the boss in my phone book to made aware I have an account here? Once again, this is an issue where the company is taking proactive liberties in the name of "convenience".
• Was the user told the data would be uploaded and stored in this way? Did they give consent? No? Then it's still spyware.

Sure, they could have done stuff differently. I'm not sure what your point is here. A key part in the definition of spyware is malicious intent. There is no evidence of that here. Just stupidity.

 

[michelepri]

I'm very glad Apple fixed the issue

My perception of IOS is that it's already a very safe OS. This will just make it safer. But they should change the look of Address Book, back to what you see in Snow Leopard.Lion and IOS looks are just obscene, back to some PC apps of the first part of the 1990s, replicating the look of a real agenda, as if they wanted to tell us : "Look how cool this program is, it makes your agenda look just like the real thing! Magic!". Same thing goes for the notes, with the kids handwriting.

 

[gkpm]

Minus users would of known about it day one as the apps permission would of been told to you when you installed it.

No the users wouldn't know, because permissions on Android don't tell you "read the contacts and send them to our servers"...

They tell you the app needs "network access" - typical for a network app - and "read contacts" (odd, but maybe it's for an in-app phonebook?) - these amongst 10 or so other permissions. Can the user really know what the app will do from that?

Then you wanted the app on your Android phone you have to accept everything - at install time. Question: do you know why an app would need something, before installing it? Maybe it has a neat feature that uses it, who knows - you've never seen the app! It's the worse time to ask this.

Once you do install, that's it. The app now has access to everything it said. Want to stop it? Only way is to deinstall.

Finally if Android permissions are as great as you make them why weren't these companies already getting grilled over why their apps needed READ_CONTACTS permission?