Apple: Future iOS release will require user permission for apps to access address book
Following discussion prompted by the Path app's unsolicited address book uploads and a letter from members of the US Congress, Apple has confirmed that an upcoming version of its iOS mobile operating system will require user permission for apps to access a user's contact data. Speaking to AllThingsD, an Apple spokesman said that "Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines," adding that, "We're working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release".
The announcement comes after further retrievals of user data by other iOS and Android applications came to light. Speaking to the Los Angeles Times, Twitter confirmed that its own iOS app also uploads names, email addresses and phone numbers to the company's servers as soon as someone uses the app's "find friends" feature. The company said that it stores this data for 18 months.
On its web site, Twitter offers an option to remove any contacts that have been uploaded. In a forthcoming update for the iOS and Android apps, Twitter also plans to add clearer descriptions to the "find friends" feature: instead of "scan your contacts", it will use "upload your contacts" and "import your contacts", a press spokeswoman told the LA Times.
The Foursquare check-in service has also responded to the discussions in the latest update for its iOS app. When trying to find friends, users will now be notified that "address book information" will be uploaded, and they will have the option to disallow the upload. The company emphasises that the data is transmitted securely and will no longer be stored; the Android version doesn't currently display a notification. A few days ago, the Instagram iOS photo service started handling address book accesses in the same way and will now request users' permission before uploading the data.
Tests run by The Verge and Venturebeat have demonstrated that these are far from the only apps to dip into users' address books in a more or less explicit way. The Foodspotting app is reported to transfer the data to the company's servers in plain text and via insecure connections; a spokesperson has announced that "added security measures" will be implemented in an upcoming update.
While iOS stipulates that apps must request permission before first determining a location, accessing the Twitter accounts that are stored on the system, or even before delivering a push message, notifications that tell users about the retrieval (and upload) of their address and calendar data continue to be at the app developers' discretion. While the app store's regulations clearly state that user data must not be transmitted without the user's prior consent, the current cases demonstrate that a number of app developers have so far not paid any attention to this rule.
Although some developers now appear to be changing their approach, it would be better if iOS generally notified users about such data accesses. The Android Market displays the privileges that are requested by an app during installation, including permission to access the address book, and users can look up their apps' privileges at any time. However, if Android apps don't just access data locally but transfer it to a company server, that behaviour also remains hidden from users unless the developers first provide a warning.