Apps from Facebook, Twitter, Instagram, Foursquare, Foodspotting and Yelp upload names, e-mail addresses and/or phone numbers from users’ address books to their servers, sometimes without explicit permission, according to VentureBeat.
The apps mostly upload the information to match phone numbers or e-mail addresses against the companies’ databases. The apps are trying to see whether your friends have accounts on their services, so that you can all connect and share every detail of your waking lives.
Other apps do ask for permission, but don’t tell you that they’re uploading your address book to their server and storing it. According to the Los Angeles Times, Twitter uploads your entire address book and stores the data on its servers for 18 months. Twitter’s current privacy policy does not explicitly disclose that Twitter does this. However, it does state that some categories of “Log Data” are stored for up to 18 months.
Since the Path fiasco, Instagram and Foursquare have added extra dialogue screens that explain what the apps are doing when they access the address book.
“In order to find your friends, we need to send address book information to Instagram’s servers using a secure connection,” Instagram’s permission screen reads.
Designer Dustin Curtis reports that he did a quick survey of 15 developers of popular iOS apps, and “13 of them told me they have a contacts database with millions of records. One company’s database has Mark Zuckerberg’s cellphone number, Larry Ellison’s home phone number, and Bill Gates’ cellphone number.”
In a post-Path-fiasco blog post, Instapaper creator Marco Arment reveals how Instapaper uses user address book info — and just how easy it is to grab said info.
“When implementing these features, I felt like iOS had given me far too much access to Address Book without forcing a user prompt,” Arment writes. “It felt a bit dirty.”
According to Arment, Apple should change the Address Book API to require user permission first.
“I don’t care how many applications break as a result,” Arment writes. “Not requiring user permission to date should be treated as a security hole and patched promptly.”