More evidence of the gap between tech and policy

After the scandal broke of how the iPhone app “Path” was accessing users’ address books and transmitting them back to base, many in the developer community said they thought this was pretty common. The good folks over at Veracode decided to check, so they built another app that simply scans all code on your device for signs that the address book is being accessed. Believe it or not, the Apple operating system has a standard call, available to every app, called “ABAddressBookCopyArrayOfAllPeople”.

Mark Kriegsman at Veracode blogged about their results:

Talking to the Veracode Research team about this iOS address book madness, the consensus was that none of this should come as a surprise to anyone who’s been following mobile development or security research for mobile platforms (emphasis added).

This is terrific work.

Despite the Veracode team’s reaction, I’m sure most of the public – even the technologically informed public – would indeed be very surprised to know any old app can freely access their contact lists. If developers are not surprised, perhaps they look at privacy differently?

What probably will surprise many technologists is that under black letter privacy law in Australia, Europe and elsewhere, it would be an offence for the company deploying the app to access contact information on a phone without a good reason and/or user consent (let alone to do it without any notice at all as was the case with Path). As Kriegsman writes in the Veracode article, it’s hard to imagine why many of these apps have any cause to call ABAddressBookCopyArrayOfAllPeople.

Developers sometimes seem to think that if information is accessible to them, then it’s fair game for re-use or innocent “research”. The classic example was the collection of wifi transmissions by Google Street View cars. Many said at the time that if data is in the “public domain” then it’s free to be collected and used. And they were very surprised indeed to learn that their presumption is simply wrong at law. Many privacy laws are generally blind to where Personally Identifiable Information is collected. If information is identifiable, and if you have no business collecting it, then you’re not allowed to. It’s black and white.