The makers of two iPhone apps have apologised after it emerged they had uploaded users address-book information without explicit permission.
Path and Hipster both sent contact data to company servers in order to help users find friends who were also using the apps.
Both companies said they had now updated their apps to fix the problem.
But there is concern the practice may be more widespread. Hipster has called for a "summit" to discuss app privacy.
Path is a social media app which bills itself as "the smart journal that helps you share life with the ones you love".
Arun Thampi, a software developer, first drew attention to the issue with Path in a blog post after he discovered that his phone's address book was being sent to the company's servers without his permission.
The company has since apologised. "We made a mistake," Path chief executive David Morin said in a blog post.
"Through the feedback we've received from all of you, we now understand that the way we had designed our 'Add Friends' feature was wrong," he wrote.
According to the company, contact information was encrypted before being sent to its servers. However, Mr Morin said Path had now "deleted the entire collection of uploaded contact information from our servers".
Path updated its app with a feature which asks users whether they want the service to use personal contact list information.
Hipster howler
The discovery of the Path issue was quickly followed by news of a similar problem with Hipster.
Hipster says it allows users to "easily share where you are and what you're doing with postcards of your photos".
Like Path, the Hipster app was revealed to be uploading address book information to the company's servers without explicit permission.
"We blew it, we're sorry, and we're going to make it right," wrote contrite Hipster boss Doug Ludlow in a guest post on the blog Techcrunch.
"When we built our 'Find Friends' feature for iOS, we clearly dropped the ball when it comes to protecting our users' privacy," he added.
Hipster has, like Path, made an updated version of the app available which makes sharing contact information an opt-in.
Friend-sharing forum
Mr Ludlow invited other developers to attend an "application privacy summit" at its San Francisco headquarters.
The aim, he wrote, would be to create a "privacy pledge - one that can be adopted by all apps, detailing for users what types of privacy expectations they should have".
Both incidents have caused some to wonder whether other apps are also sharing contact information and whether Apple is doing enough to restrict the practice.
Writing in Sophos' Naked Security blog, senior security adviser Chester Wisniewski asked: "Where was Apple when the original app was released? The lengthy approval process should be looking out for its customers."
Several tech blogs also flagged up a post by blogger Dustin Curtis which claimed that "there's a quiet understanding among many iOS app developers that it's acceptable to send a user's entire address book without permission to remote servers and then store it".
Apple has not responded to BBC requests for comment.
No comments:
Post a Comment