AdiOS Finds iOS Apps Capable of Dumping Users' Contacts

ID THREATPOST:0ACA5145082E985145959E038DE91B03
Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:32:47


It’s gotten to the point now where it’s almost easier to talk about the mobile apps and services that don’t ship your personal data off to some remote server for purposes unknown than to discuss the ones that do. The latest discussion of privacy-invading apps flowed from the discovery that Twitter and some other iPhone apps were uploading users’ contact lists without their knowledge. Now, a researcher at Veracode has written a small app that lets users see which of the iOS apps they have installed are capable of reading their entire address book.

Mark Kriegsman of Veracode wrote an app called AdiOS that audits all of the iOS apps stored on a given machine and checks whether each one references a specific API call that can be used to dump the user’s iPhone address book. Apps that use that API call have the ability to dump the address book, but that doesn’t necessarily mean they do so. In a quick run of the app over the iOS apps on his machine, Kriegsman said he found that 50 of the 450 apps he had installed used that API call.

“That by itself doesn’t mean the app is transmitting any data, or doing so behind your back, but it does raise questions. Angry Birds does it. Citibank does it. Several Google apps do it. A number of lesser-known games do it, too. Why do all of these apps need to dump my entire address book? The quantity of apps with this ability really caught us off guard,” he wrote in a blog post on the topic.

“Most apps that have email functionality (e.g. “send this to a friend”) wouldn’t ever need to use ABAddressBookCopyArrayOfAllPeople. They could just use the standard view controller for contact info, the ABPeoplePickerNavigationController. If they wanted a custom UI for the picker, then they have no choice but to dump the address book.”
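The check AdiOS performs can be reproduced with a symbol scan of the app binary. The script below is an added example written for this article, not Veracode's or AdiOS's own code: it opens an .ipa archive (a zip file), locates the main executable under Payload/*.app using CFBundleExecutable from Info.plist, and reports whether the binary references ABAddressBookCopyArrayOfAllPeople (full dump capability) or only ABPeoplePickerNavigationController (the system picker, which hands the app one contact at a time). The sample IPA it builds in memory is constructed test data, and the function names `build_sample_ipa`, `audit_ipa` and `audit_directory` are this example's own.

```python
import glob
import io
import os
import plistlib
import zipfile

# Symbols whose presence in an app binary indicates address-book access.
# ABAddressBookCopyArrayOfAllPeople returns every contact record at once (a full dump);
# ABPeoplePickerNavigationController is the system picker UI, which returns only the
# contact the user taps. Both names appear as plain strings in a linked Mach-O binary.
DUMP_SYMBOL = b"ABAddressBookCopyArrayOfAllPeople"
PICKER_SYMBOL = b"ABPeoplePickerNavigationController"


def _executable_path(zf):
    """Return the zip member path of the app's main executable (Payload/Foo.app/<exe>)."""
    names = zf.namelist()
    app_dirs = sorted({n.split("/")[1] for n in names
                       if n.startswith("Payload/")
                       and "/" in n[len("Payload/"):]
                       and n.split("/")[1].endswith(".app")})
    if not app_dirs:
        raise ValueError("no Payload/*.app directory in IPA")
    app_dir = "Payload/" + app_dirs[0]
    exe_name = app_dirs[0][:-len(".app")]          # default: Foo.app/Foo
    info = app_dir + "/Info.plist"
    if info in names:
        try:
            # plistlib handles both XML and binary plists
            exe_name = plistlib.loads(zf.read(info)).get("CFBundleExecutable", exe_name)
        except Exception:
            pass                                   # malformed plist: keep the default name
    return app_dir + "/" + exe_name


def audit_ipa(ipa_bytes):
    """Classify one IPA's address-book capability by searching its binary for the symbols.

    A hit means the app *can* read contacts, not that it transmits them; a string match
    can also come from a linked library the app never calls, and a binary that resolves
    the function through dlsym with an obfuscated name would be missed.
    """
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        exe_path = _executable_path(zf)
        binary = zf.read(exe_path)
    uses_dump = DUMP_SYMBOL in binary
    uses_picker = PICKER_SYMBOL in binary
    if uses_dump:
        verdict = "can dump entire address book"
    elif uses_picker:
        verdict = "uses system contact picker only"
    else:
        verdict = "no address-book symbols found"
    return {"executable": exe_path, "dump": uses_dump,
            "picker": uses_picker, "verdict": verdict}


def audit_directory(path):
    """Audit every *.ipa in a directory, e.g. the folder where iTunes stores synced apps."""
    results = {}
    for ipa in sorted(glob.glob(os.path.join(path, "*.ipa"))):
        with open(ipa, "rb") as fh:
            results[os.path.basename(ipa)] = audit_ipa(fh.read())
    return results


def build_sample_ipa(symbols):
    """Constructed test data: a minimal fake IPA whose 'binary' contains the given strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payload/Sample.app/Info.plist",
                    plistlib.dumps({"CFBundleExecutable": "SampleBin"}))
        # Mach-O 64-bit magic followed by NUL-separated strings, standing in for a real binary
        zf.writestr("Payload/Sample.app/SampleBin", b"\xcf\xfa\xed\xfe" + b"\x00".join(symbols))
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("dumper", [DUMP_SYMBOL, b"NSLog"]),
               ("picker", [PICKER_SYMBOL]),
               ("clean", [b"NSLog"])]
    for label, syms in samples:
        print(label, "->", audit_ipa(build_sample_ipa(syms))["verdict"])
```

Point `audit_directory` at a folder of real .ipa files to get the kind of inventory Kriegsman describes. Treat the output as a list of apps worth questioning, not as proof of exfiltration: the symbol shows capability only, which is exactly the caveat he makes above.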

As Kriegsman points out in his post, none of this should come as a surprise to anyone who has followed the evolution of mobile app behavior and capabilities in the last couple of years. The revelation that the Twitter iPhone app was sending users’ contact lists off to parts unknown without users’ knowledge is just the latest bit of evidence that apps are doing all kinds of interesting things that users aren’t aware of.

The Twitter app for iOS has a feature that enables users to scan their phones for contacts whom they’d like to add to their Twitter contacts. Once the scan is done, Twitter then keeps the list of contacts for 18 months. That behavior isn’t explicitly explained to users and Twitter officials said they’d be changing that language.

A similar controversy erupted recently when researchers discovered that the Path app, too, was silently uploading users’ contacts in order to find friends. The company eventually apologized and pushed out a new version of the app that changed that behavior.

“We made a mistake. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts,” Path CEO Dave Morin wrote in a blog post. “Through the feedback we’ve received from all of you, we now understand that the way we had designed our ‘Add Friends’ feature was wrong. We are deeply sorry if you were uncomfortable with how our application used your phone contacts.”