Path's Privacy Breach Exposes Apple's Flawed App Approval Process

Since last week, Apple's been under fire over iPhone apps that secretly upload a user's contact list without notifying them first. What started out as a hackathon brainstorm on how to port a Path app to OS X turned into a full-on PR disaster, not just for app creators, but Apple, too. So what the hell is going on?

As with many such disasters (Carrier IQ, anyone?), the discovery came from a lone developer: Arun Thampi was the first to notice that Path's iOS app was uploading his "entire address book (including full names, emails and phone numbers)" to Path's servers without his permission. The Path app never asked Thampi whether uploading his contacts' info was okay.

As the discovery went viral, Path's co-founder and CEO Dave Morin quickly responded to the ruckus with a comment on Thampi's site:

"We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.

"We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval."

To Path's credit, the company went a step further (amid the rising controversy, of course), posting an apology on the company blog and pledging to remove the data:

"So, as a clear signal of our commitment to your privacy, we've deleted the entire collection of user uploaded contact information from our servers. Your trust matters to us and we want you to feel completely in control of your information on Path."

Turns out Path isn't the only perpetrator. The Verge has since found that other apps, including Twitter, Facebook, Instagram, Foursquare and Yelp, to name a few, all commit similar offenses.

Path's swift release of an updated app should have silenced naysayers, but it didn't, because the entire privacy problem stems from Apple's iOS App Guidelines.

As a letter from the government points out, Apple's iOS App Guidelines policy "requires all apps to get a user's permission before 'transmitting data about a user.'"

So how did Path's offending app even make it through the great Apple approval firewall? Good question. We don't have an answer to that yet.

In typical fashion, Apple's short and succinct response lacks any real detail (via AllThingsD):

"Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines," Apple spokesman Tom Neumayr told AllThingsD. "We're working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."

Path's privacy breach revelation was a wakeup call for the entire tech industry. Transparency is important, even if nobody reads EULAs all the way through. Users have a right to know how their information is being used, especially when it contains private phone numbers, email addresses and other sensitive data.

The question now is, how many other apps are in violation of the iOS App Guidelines? Is Apple going to assemble a team of ninjas to check all of its 500,000+ apps in the App Store for violations? That would be a huge mountain to climb, even for a powerful company like Apple.

For the latest tech stories, follow DVICE on Twitter at @dvice or find us on Facebook.