Path apologises for iPhone address book uploading
Dave Morin, co-founder and CEO of Path, has apologised for the company's uploading of iPhone address book data to its servers saying "We are sorry. We made a mistake". The uploading of the address book by Path's iPhone app was discovered by a user who had been examining traffic sent by iPhone applications. Morin also said that the company was deleting all address book data that it had previously received through the application.
Path had been using the data as part of an "Add Friends" feature, but did not tell users of their iPhone application that their entire address book was being uploaded to Path's servers over an HTTPS connection. Path has now released version 2.0.6 of the iPhone app which allows a user to opt-in or opt-out of sharing address book information. This option has existed for several weeks in the Android version of Path's application.
But concerns about the security of address book information held on the iPhone are being raised. Already, another application, Hipster, has been found to be sending email addresses from the address book, unencrypted and over HTTP, to its servers. The Hipster CEO has also apologised and called for app developers to hold a summit to discuss the issue of address book privacy.
At issue is the lack of protection within iOS of address book data. Although a user's own contact information is well protected, the rest of the address book is easily accessible and needs no authorisation or permissions. Critics are suggesting that it is Apple's responsibility to have an appropriate mechanism in place to restrict address book access as it already restricts access to other information on the iPhone. It is reported that one app developer has created an application which can, on jailbroken iPhones, prompt the user when the address book is being accessed. Apple has yet to comment on the matter.