Risk
2/8/2012
01:25 PM
Connect Directly
RSS
E-Mail
50%
50%

iOS Social Apps Leak Contact Data

Some apps send iPhone address books in unencrypted format to software vendors' servers--a practice that may not be obvious to all users.

10 Top iOS 5 Apps
10 Top iOS 5 Apps
(click image for larger view and for slideshow)
Are your iOS applications sharing your personal information with software vendors?

Wednesday, Arun Thampi, a Ruby and iOS developer, said that he'd discovered that a favorite iOS app, Path--billed by its developer as "the smart journal that helps you share life with the ones you love"--was sending an unencrypted copy of his iPhone address book to Path's servers.

"I'm not insinuating that Path is doing something nefarious with my address book, but I feel quite violated that my address book is being held remotely on a third-party service," said Thampi in a blog post. "I love Path as an iOS app and I think there are some brilliant people working on it, but this seems a little creepy."

The same day, Dave Morin, Path's CEO, responded to Thampi by commenting on his blog post. "We actually think this is an important conversation and take this very seriously," said Morin. "We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and [efficiently] as well as to notify them when friends and family join Path. Nothing more."

Furthermore, said Morin, Path recently made such sharing "opt-in" for the Android version of its client, and said that it would do the same beginning with the 2.0.6 version of its iOS software, which is waiting for App Store approval from Apple.

[ Google researcher argues that social media actually enhances personal privacy. Read more at Google Study: Social Media Enhances Privacy. ]

Inspired by Thampi's post, iOS developer Mark Chang posted to his "more of the same" blog that he'd found similar behavior on the part of another iOS social app, Hipster, which is billed by its developer as "a fun way to share where you are and what you're doing."

"I looked at the apps on my own iPhone for information leakage by other apps," Chang said. "I figured this would be common practice, and lo and behold, when booting up Hipster, it seems like parts of my iPhone address book were being uploaded to Hipster."

In a comment added to Chang's post, meanwhile, "nitrofox" reported that a photo app with social capabilities, Instagram, demonstrated similar behavior. Although as another poster commented, this behavior is noted in the app's FAQ, which states that allowing the app to "find friends" then uploads all contacts "via a secure connection in order to locate your contacts' accounts on Instagram." The FAQ also said, "We currently do not store this information."

According to Chester Wisniewski, a senior security advisor at Sophos Canada, multiple iOS apps are clearly failing to detail exactly what they're doing, and he criticized Morin at Path in particular for pursuing a "have-all-of-your-contact-info-first-and-ask-permission-second" strategy.

The problem is furthermore compounded because, unlike Android, the permission system built into iOS devices "doesn't provide notification of what information an app may be sending to its keepers, aside from location information," said Wisniewski in a blog post. "Where was Apple when the original app was released? The lengthy approval process should be looking out for its customers, not just whether it allows you to tether."

We aren't suggesting these companies are going to use this information against your interests, but should they be collecting this information without your knowledge?" Wisniewski continued. "Additionally, insecurely transporting personal information from your phone book, permission or not, is an unacceptable practice."

Social media are generating tons of data, but that data only becomes truly valuable when examined in context. Attend the virtual Enterprise 2.0 event Social Analytics: The Bridge To Business Value, and learn how social analytics will provide the bridge to unlocking business value. It happens Feb. 16.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant