• Categories

  • Archives

    « Home

    Update: Questions About Mobile App Security, Privacy After Path Scandal

    Last week, it was revealed that photo-sharing mobile application Path uploaded users’ entire address books without permission, and there was substantial public criticism of the company’s actions. After initially dismissing the criticisms, Path CEO Dave Morin apologized in a blog post and announced that the company had deleted the contact information uploaded to its servers and was releasing an updated version of the iPhone app to allow users to opt-in to the address-book upload.

    But the Path problem highlights general security and privacy risks with mobile applications, according to two reports from Ars Technica and the New York Times. First, the New York Times discusses the fact that some believe Silicon Valley does not pay enough attention to privacy and security issues, which can profoundly affect individuals:

    Mr. Morin seemed unconcerned about how people could be harmed by his company’s carelessness. Consider this: Amira El Ahl, a foreign journalist covering the Middle East, said bloggers in Egypt and Tunisia are often approached online by people who are state security in disguise.

    The most sought-after bounty for state officials: dissidents’ address books, to figure out who they are in cahoots with, where they live and information about their family. In some cases, this information leads to roundups and arrests.

    A person’s contacts are so sensitive that Alec Ross, a senior adviser on innovation to Secretary of State Hillary Rodham Clinton, said the State Department was supporting the development of an application that would act as a “panic button” on a smartphone, enabling people to erase all contacts with one click if they are arrested during a protest. […]

    The big deal is that privacy and security is not a big deal in Silicon Valley. While technorati tripped over themselves to congratulate Mr. Morin on finessing the bad publicity, a number of concerned engineers e-mailed me noting that the data collection was not an accident. It would have taken programmers weeks to write the code necessary to copy and organize someone’s address book. Many said Apple was at fault, too, for approving Path for its App Store when it appears to violate its rules. […]

    Lawyers I spoke with said that my address book — which contains my reporting sources at companies and in government — is protected under the First Amendment. On Path’s servers, it is frightfully open for anyone to see and use, because the company did not encrypt the data.

    Mary Landesman, a senior security researcher at Cisco, says start-ups often do not build apps with security in mind: “Attackers are like electricity; they like to follow the track of least resistance.”

    Ars Technica also considers the privacy and security risks to users of social apps, with a focus on the technical issues:

    iOS users’ address books can easily be copied by apps that call on that data, and companies that make these apps can use them for purposes you might not expect. The recent controversy over the popular social networking app Path has prompted questions about developer best practices and privacy concerns for users of these apps. Can users (particularly those using iOS devices) ever let their guard down when installing social apps? It seems the answer might be “no.” […]

    A developer source shared with us Apple’s guideline that Path seems to have violated: “Apps cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used”

    This policy appears to be easily circumvented, but without direct access to Apple’s review data, we can’t be certain about how many apps are currently violating these rules. After all, Apple’s guidelines and use of the address book allow third-party developers flexibility in how they handle user data. Accessing the address book itself is within the guidelines, but developers can nevertheless use this data in an inappropriate manner.

    Developer best practices are at the heart of some of the ways in which private data is being handled. Apple’s developer library shows the ease with which an app can add or remove contacts from the address book, manage groups, and also find the user who is logged into the app. In the case of Path, the whole address book was uploaded to their servers. […]

    If you’re an iOS user, does this mean that every time you install an app you should be worried about your data being copied and used in ways you’re not sure about? In essence, yes. Apple’s developer guidelines are meant to prevent these things from happening, but some developers have told Ars that in practice, it’s really up to the companies making the apps to be transparent and provide good customer service. […]

    [My Recipe Book and Simplegram app developer David Smith], who has submitted several apps through the iOS App Store, said Path’s actions were “disingenuous or negligently misinformed. The CEO of a social networking app should have a clear understanding of Apple’s privacy policy and review criteria.”

    Leave a Reply