There has been a lot of outrage in the past week after it was uncovered that some iOS apps have been ‘stealing’ the data in your Address Book and sending it all to private servers. The apps, such as Path, Instagram and possibly Twitter, then presumably use this data to help to obtain new users or to guide you how to follow based on people that are already in your Address Book. I can’t really imagine that they would really need to use the data for anything else and it makes sense that you could utilize the various APIs to send lots of addresses at once so that the server could then reply with the usernames of the users in your address book. However, some of the data may be stored on the servers.
Most people’s (or Congress’) problem with this is that all of this has been happening without the direct permission of the users. Any iOS app that you install is able to access pretty much anything on the system but on the basis that Apple has already approved the app it should be OK. Because Apple obviously can’t check through all the code that an app uses it is hardly a surprise that they didn’t spot that the apps were submitting this data.
In the future apps will now have to post a message to the user telling them that the app would like to access Address Book data however it will still be technically possible to access the data anyway.
What this incident has essentially highlighted is a major flaw in the iOS security system. Android apps require specific permissions to allow code to run to do things like write to the SD card, change the wallpaper, use the camera, use the Internet and access the Address Book. Examining the Android app for Path we can see that it does request some of these permissions which are granted by the user when they install the app. This means that Google have to do a lot less work reviewing apps and it also means that Android apps are a lot more sandboxed on the device.
I should imagine that this will leave Apple in a position where they need to start implementing permissions to ensure that users remain safe because at the end of the day they can’t pick up everything by using humans to review apps.