When you download an application, you’re giving it a certain level of trust. We’ve all been in the position where we download an application and within minutes we’ve been asked multiple times to “log in with Facebook to invite all your friends.” We quickly remove the application. But what if the application covertly uploaded every one of your address book contacts to its own servers? Unfortunately, that’s the case with Path, a popular iPhone social app that we’ve covered here in the past. The story was broken this morning by Arun Thampi, a blogger in Singapore.
Arun was looking at the Path application with the goal of creating a Path app for Mac OS X. While inspecting the traffic of the current version of the app, he noticed it making some unexpected calls back to Path’s own servers. He looked carefully at the calls, saw one relating to adding contacts, and dug further. This is what he found:
Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.
As Arun says, this information was transmitted without the user ever being asked for permission by the Path app, which is a serious privacy failure: the full contents of the address book left the device silently and before any opt-in.
Dave Morin, the CEO and founder of Path, quickly responded in the comments on Arun’s post and has been responding everywhere he can to these findings. Path “takes this very seriously,” and is changing the application so that contact upload is opt-in. That said, the response was a bit of a deflection, and many, including the commenters on Arun’s blog, are still wondering why Path uploaded the actual contact data (names, emails and phone numbers) when it could have uploaded opaque references to that data instead, such as digests of the identifiers, and matched those against its user base. That approach would let users find friends without handing their whole address book to Path. It’s a good question and a very standard solution.
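To make the “references instead of data” alternative concrete, here is an added example in Python. It is not Path’s code and not from Arun’s post; it assumes a hypothetical client/server pair where the client computes digests of normalized contact identifiers on the device and uploads only those, and the server matches them against digests of its registered users. The address book and the registry are constructed sample data. The last function shows the caveat a practitioner should keep in mind: phone numbers live in a small space, so an unsalted digest can be brute-forced by whoever holds it.

```python
"""Friend-finding by uploading digests of contact identifiers rather than the
address book itself.  Added example; the client/server split, the digest
format and all sample data are assumptions, not Path's actual protocol."""
import hashlib
import re

# Constructed sample address book (fictional people).  This never leaves the device.
ADDRESS_BOOK = [
    {"name": "Alice Example", "phone": "(415) 555-0100", "email": "Alice@Example.com"},
    {"name": "Bob Example", "phone": "+1 415 555 0199", "email": "bob@example.org"},
    {"name": "Carol Example", "phone": "415.555.0150", "email": ""},
]


def _sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalize_phone(raw: str, default_cc: str = "1") -> str:
    """Canonical '+<country><number>' form so client and server digest the same string.
    Assumes North American numbers when no country code is present (illustrative only)."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+") or (len(digits) == 11 and digits.startswith(default_cc)):
        return "+" + digits
    return "+" + default_cc + digits


def normalize_email(raw: str) -> str:
    return raw.strip().lower()


def identifier_digest(kind: str, value: str) -> str:
    """Digest with a type tag ("tel" / "mailto") so a phone and an email can never collide."""
    return _sha256_hex(f"{kind}:{value}")


def build_upload(address_book):
    """Client side.  Returns (payload, local_map): `payload` is the sorted list of digests
    that is uploaded; `local_map` (digest -> contact name) stays on the device so matches
    can be translated back into names without the server ever seeing them."""
    local_map = {}
    for contact in address_book:
        if contact["phone"]:
            local_map[identifier_digest("tel", normalize_phone(contact["phone"]))] = contact["name"]
        if contact["email"]:
            local_map[identifier_digest("mailto", normalize_email(contact["email"]))] = contact["name"]
    return sorted(local_map), local_map


# Constructed server-side registry: digests of the identifiers users signed up with.
REGISTRY = {
    identifier_digest("tel", "+14155550100"): "user_alice",
    identifier_digest("mailto", "bob@example.org"): "user_bob",
    identifier_digest("tel", "+14155559999"): "user_unrelated",
}


def server_match(payload, registry):
    """Server side.  Intersects the uploaded digests with the registry.  The server learns
    which of its own users appear in the caller's address book, not the address book."""
    return sorted({registry[d] for d in payload if d in registry})


def brute_force_phone_digest(target: str, known_prefix: str, unknown_digits: int):
    """Caveat: an unsalted digest of a phone number only hides it from a casual observer.
    Given a plausible prefix, enumerate the remaining digits and return the number on a hit.
    (10**unknown_digits candidates; a real attacker would enumerate the full national space.)"""
    for n in range(10 ** unknown_digits):
        candidate = known_prefix + str(n).zfill(unknown_digits)
        if identifier_digest("tel", candidate) == target:
            return candidate
    return None


if __name__ == "__main__":
    payload, local_map = build_upload(ADDRESS_BOOK)
    for user in server_match(payload, REGISTRY):
        print("matched registered user:", user)
    leaked = brute_force_phone_digest(payload[0], "+1415555", 4)
    print("first uploaded digest brute-forced to:", leaked)
```

The matching step gives the server only the intersection, which is the privacy gain the commenters were asking for. The brute-force function is the reason a plain digest is not a complete answer for phone numbers: the server (or anyone who obtains the uploaded list) can recover the numbers by enumeration, so production designs add rate limiting, a server-held key that the client cannot evaluate on its own, or a private set intersection protocol. Those refinements are beyond what this article covers.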
Read Dave Morin’s response as the top comment at the blog post here.
Image: gualtiero boffi via Shutterstock