Address Book Stories December 7, 2013
Address Book Stories April 30, 2013
Today a number of reports are flowing in claiming that social network app Path is sending spam messages to people listed in the user’s address book. The issue apparently isn’t new, with some Android users on Reddit experiencing the spam a few months back, while a growing number of users on Twitter today have complained of their contacts receiving both spam text messages and calls. The messages, as pictured right, say the user has photos to share on Path and urge the recipient to download the free Path app.
Address Book Stories July 26, 2012
Morcut/Crisis Mac malware capable of monitoring location, webcam, address book, more
We told you yesterday about the Trojan named “Crisis”, also being referred to as “OSX/Morcut-A”, discovered for OS X, but it is considered low risk for users. Today, we get some more details about the trojan, with security company Sophos explaining that the Morcut malware features code for controlling the following:
- mouse coordinates
- instant messengers (for instance, Skype [including call data], Adium and MSN Messenger)
- internal webcam
- clipboard contents
- key presses
- running applications
- web URLs
- internal microphone
- calendar data & alerts
- device information
- address book contents
The malware appears to have been specifically created with spying on the user as its goal. There have not been any reported cases of infected users, though, so the threat is still considered low risk.
Address Book Stories July 19, 2012
Although we are often skeptical of reports from security companies, a new report today from BitDefender highlighted just how important Apple’s new data isolation privacy initiative is in iOS. Starting with the public release of iOS 6 this fall, users will now be prompted to grant access to apps that want personal data such as contacts, calendars, reminders, and photos. However, until then, BitDefender claimed approximately 18.6 percent of the 65,000 iPhone apps included in its study can still access a user’s address book data, while 41 percent can track location.
“It is worrying stored data encryption on iOS apps is low and location tracking is so prevalent. Without notification of what an app accesses, it is difficult to control what information users give up… We see a worrying landscape of poor user data encryption, prevalent location tracking and silent, unjustified, Address Book access.”
Address Book Stories February 16, 2012
Apple’s merging of iOS with OS X continues today with our first glimpse at 10.8 Mountain Lion, the next major OS release for Macs. Of course, in the process of bringing the best of both worlds together, some things win out. In the case of Mountain Lion, several apps and features were replaced with their iOS counterparts. Here is everything from past OS X releases that died today at the hand of Apple’s iOS-ifying of Mountain Lion:
Address Book Stories February 15, 2012
The app development world went into a frenzy when social network app Path was caught uploading users’ address book information without asking for permission last week. We already gave our view on the matter, but Forbes reported on a study by University of California at Santa Barbara yesterday that found Cydia apps leaked private data less than apps available on the iTunes App Store.
The group built a tool called PiOS that analyzes iOS apps for private data leaks. It looked at 1,407 free apps: 825 apps from the App Store and 526 apps from Cydia’s BigBoss repository.
The findings indicated 21 percent of the App Store apps tested uploaded a user’s iOS device’s UDID, 4 percent uploaded location information, and 0.5 percent uploaded users’ address books, as Path did. When it came to the 526 apps tested on the BigBoss repo, only 4 percent leaked users’ UDID, and only one app leaked location and address book data.
Many people are under the impression that third-party apps do the majority of the uploading, but that might not be the case. Perhaps Apple’s new restriction on uploading address book information without permission will help remedy the situation.
You can view the study’s full graph after the break:
Apple responded today to the contacts-sharing issue with a statement indicating it plans to put some form of a setting on contact data that would allow users to control who views the data, similar to the way Apple locks down location data.
“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”
Congress became involved and probably motivated the move, but the legislative body is not going to like what it hears.
The problem is that iOS apps not only have access to a user’s contacts database (including addresses and notes), but apps also have full and unencumbered access to everything in the iOS app sandbox, such as pictures, music, movies, calendars, and a host of other data. Any of this content is literally open for developers to freely transmit to their own servers while apps are open.
(Note that pictures with geotags will pop up a Location dialog, which can be averted in code with some well-known tricks.)
Moreover, approved apps also have access to the iPhone’s camera and microphone, so apps can also take pictures and make recordings without permission (although this would be easy for the user to detect from the light of the front camera or the red bar during audio). Photos, videos, and audio are transmittable securely or insecurely up to servers that you and Apple do not know about.
To developers, this is no big secret. It is not trivial, but putting that kind of functionality into an app is straightforward and only uses Apple’s publicly available and blessed developer APIs (which means this stuff will not likely be detected by Apple’s App Store approval process).
Obviously, shady developers and even government entities are probably already using such apps to gather information. Therefore, these are some scenarios:
Apple officially responded to the mounting privacy concerns related to how third-party iOS apps access address book data on users’ devices. Tom Neumayr, a spokesperson for the Cupertino, Calif.-headquartered gadget giant, told AllThingsD’s John Paczkowski:
Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.
So, there you have it. A forthcoming iOS software update will make sure no app can get access to iPhone contacts without your explicit approval. We are inclined to think Apple should not limit user approvals to just location data and contacts. While we are at it: Why not implement toggles for accessing the camera roll, photo library, and even your music library for that matter? This stuff is just waiting to be uploaded by rogue apps. By the time Apple discovers those violations and pulls misbehaving software from the App Store, it will already be too late and the damage will have been done. Any thoughts?
The Path debacle just took another turn for the worse with House Energy & Commerce Committee Ranking Member Henry Waxman and Commerce Manufacturing and Trade Subcommittee Chair G.K. Butterfield issuing a letter to Apple CEO Tim Cook (via The Next Web). In it, the legislators seek to find out whether Apple is doing enough to protect personal data on users’ iPhones, including their contacts. Specifically, the letter asserts there have been claims that the practice of collecting address book data without users’ consent is “common and accepted among iOS app developers.”
As a consequence, the legislators argue, “This raises questions of whether Apple’s iOS app developer policies and practices adequately protect consumer privacy.” They want Apple to respond to questions by Feb. 29. Apple is asked to detail its App Store review practices in respect to protecting users’ information. Whichever way you look at it, it is hard to escape the notion that everything on your iPhone is waiting to be uploaded.
As you know, with the exception of location services, iOS does not prompt users when apps tap APIs to access personal data stored in an iPhone’s address book, camera roll, music library and other places. This also includes little things such as geolocation information embedded in image files taken on the device. This is bothering the legislators and now they want to know why Apple has not implemented a simple toggle that lets users control access to their data other than location.
You have built into your devices the ability to turn off in one place the transmission of location information entirely or on an app-by-app basis. Please explain why you have not done the same for address book information.
We included the letter in its entirety below the fold.
Address Book Stories February 7, 2012
Blogger Arun Thampi discovered something that may or may not sit right about the free social media app Path while packet sniffing the app last night. Upon first installing the app and registering for an account, Path sends each one of the contacts in your address book to its server via a .plist. The .plist includes full names, phone numbers, and e-mails.
Path makes the call “https://api.path.com/3/contacts/add” when you first create an account, and it uploads all your contacts to its server. This obviously makes most people feel a little uncomfortable. Thampi details the technical aspects of this, and how you can recreate it yourself, in his blog post.
Path’s Cofounder and CEO Dave Morin commented on the situation and said iPhone users will soon be able to opt-out of the setting in an update that will roll out to the App Store shortly. Nevertheless, does that really change anything? He did not really explain why Path is doing this, and your entire address book is still on their servers. You can read Morin’s comment after the break:
Address Book Stories January 18, 2012
Apple seeded its registered developers last night with a new version of Mac OS X Lion 10.7.3. The software carries a build number of 11D46 and arrives just a week following the 11D42 build. It has no known issues, indicating that public release is around the corner. Developers are asked to focus on iCloud Document Storage, Address Book, iCal, Mail, Spotlight and Safari. The Delta update weighs in at 996.98MB and the combo update is a 1.26GB download. The OS X Lion Server 10.7.3 build 11D46 is also available for download (Delta: 1GB, Combo: 1.34GB, Server Admin Tools: 202.59MB). Additional build notes after the break.
Address Book Stories December 20, 2011
Apple released OS X 10.7.3 build 11D36 to developers this evening, and it is available on the Developer Center. Apple asked developers to focus on iCloud Document Storage, Address Book, iCal, Mail, Spotlight, and Safari. The delta update of this build tops out at 986 MB and the combo update weighs in at 1.25 GB. The OS X 10.7.3 should roll out to Lion users in the coming weeks, so sit tight.
Address Book Stories November 15, 2011
Apple has just begun seeding OS X Lion 10.7.3 (11D16) to developers this afternoon. The set focus areas for this release are iCloud document storage, Address Book, iCal, and Mail. 10.7.3 weighs in at 633MB, and has no known issues right now. OS X Server 10.7.3 is also accompanying today’s update, with the same focus areas and build number.
Release notes after the break: