Path iOS app uploads address book to its servers
When analysing the Path app for iOS – the mobile application for the photo sharing and messaging service – Singapore-based software developer Arun Thampi discovered an API call that uploads a user's address book without first requesting permission to do so. Thampi used mitmproxy to analyse the traffic generated by the app and found that an API call, specifically a POST request to https://api.path.com/3/contacts/add, sends the entire address book, including full names, email addresses and phone numbers, over HTTPS to the Path servers as an unencrypted plist file.
In a comment on Thampi's blog post, Path CEO Dave Morin acknowledged the issue and said that the company takes it "very seriously". According to Morin, the address book is uploaded to its servers "in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more."
However, he goes on to note that the company will be switching to an opt-in policy for its iOS clients, meaning that users will first have to allow the app to send the data; the Path app for Android, says Morin, switched to opt-in "a few weeks ago". Version 2.0.6 of the iOS app includes this change and is now pending approval by Apple; the current version available from Apple's App Store, Path 2.0.5, and previous versions are reportedly affected. In comments on Thampi's post, it was suggested that email addresses and phone numbers be hashed before being uploaded to the service, a suggestion which Morin called a good alternative solution that the company would look into.
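The two technical points in the article, inspecting an intercepted contacts upload for personal data and the hashed-identifier alternative suggested in the comments, can be shown together with a small script. This is an added example and is not code from the article, from Thampi's analysis or from Path; the endpoint URL is the one the article names, while the plist body, the contact records and the `contacts` key layout are constructed assumptions about what such a request might contain, since the article does not reproduce the actual payload.

```python
"""Inspect a contacts upload for PII and build a hashed alternative.

Added example, not from the article or from Path. The plist body and its
"contacts" layout are constructed; only the endpoint URL comes from the article.
"""
import hashlib
import plistlib
import re

# Endpoint named in the article.
CONTACTS_ENDPOINT = "https://api.path.com/3/contacts/add"

# Constructed sample of what a proxy such as mitmproxy would show as the POST
# body: an XML plist carrying names, emails and phone numbers in the clear.
SAMPLE_PLIST_BODY = plistlib.dumps(
    {
        "contacts": [
            {"name": "Alice Example",
             "emails": ["Alice@Example.com"],
             "phones": ["+1 (555) 010-0001"]},
            {"name": "Bob Example",
             "emails": [],
             "phones": ["555-010-0002"]},
        ]
    },
    fmt=plistlib.FMT_XML,
)

# Fields a reviewer would flag as personal data in an address-book upload.
PII_KEYS = ("name", "emails", "phones")


def inspect_upload(url: str, body: bytes) -> dict:
    """Summarise PII in a request to the contacts endpoint.

    Returns {} for other URLs or for bodies that are not a plist, otherwise
    the number of contacts and a per-field count of populated PII values.
    """
    if not url.startswith(CONTACTS_ENDPOINT):
        return {}
    try:
        payload = plistlib.loads(body)
    except Exception:  # any parse failure: not a plist we can inspect
        return {}
    if not isinstance(payload, dict):
        return {}
    contacts = payload.get("contacts", [])
    found = {key: 0 for key in PII_KEYS}
    for contact in contacts:
        for key in PII_KEYS:
            value = contact.get(key)
            if value:
                found[key] += len(value) if isinstance(value, list) else 1
    return {"contacts": len(contacts), "pii_fields": found}


def normalize_email(email: str) -> str:
    """Lower-case and trim so the same address always hashes identically."""
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Keep digits only. Assumption: real code would canonicalise to E.164."""
    return re.sub(r"\D", "", phone)


def hash_identifier(value: str) -> str:
    """SHA-256 hex digest of a normalised identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hashed_upload(body: bytes) -> bytes:
    """Rebuild the upload with only hashed emails/phones and no names.

    Friend matching needs only identifiers the server can compare, so the
    display names are dropped rather than uploaded.
    """
    payload = plistlib.loads(body)
    hashed = []
    for contact in payload.get("contacts", []):
        hashed.append({
            "emails": [hash_identifier(normalize_email(e))
                       for e in contact.get("emails", [])],
            "phones": [hash_identifier(normalize_phone(p))
                       for p in contact.get("phones", [])],
        })
    return plistlib.dumps({"contacts": hashed}, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    print(inspect_upload(CONTACTS_ENDPOINT, SAMPLE_PLIST_BODY))
    print(hashed_upload(SAMPLE_PLIST_BODY).decode())
```

`inspect_upload` is the kind of check a proxy add-on or an app-review pipeline would run over captured traffic: it only reports on the named endpoint and only when the body parses as a plist. The hashed variant limits what a third party who later obtains the stored data can read, but it is not a complete privacy fix: the phone-number space is small enough that unsalted hashes can be reversed by enumeration, and the service operator can always compute the same hashes itself, so hashing is a mitigation for data at rest, not a substitute for asking permission before the upload.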