I wrote a little MobileSubstrate (Jailbroken iPhone) shim to intercept the most common API used to access this data, block its use, and alert the user when it's happening.
It should be available in the BigBoss repository as "Address Book Privacy" sometime tomorrow.
My tweak catches and displays the use of address book data as it happens, and based on my observations I think the Hipster version of address book theft is a lot less egregious than the Path one. Hipster accesses your address book only when you ask it to "Find Friends" - "Contacts" is selected by default. While this certainly shouldn't be the case, it's nowhere near as bad as Path, which sends all your contacts without asking every time you log in (along with again if you select "Find Friends").
ABAddressBookCopyArrayOfAllPeople is implemented as a direct branch to ABCCopyArrayOfAllPeople. Right after that are the ABAddressBookGetPersonWithRecordID and ABAddressBookGetPersonCountShowingLinks functions and they will be wiped out by the closure generated by MSHookFunction. The proper function to hook is ABCCopyArrayOfAllPeopleInSourceWithSortOrdering. See my similar package for an example: https://github.com/rpetrich/ContactPrivacy
This version is substantially better than mine - in addition to the correct hook mentioned in the parent comment, ryanpetrich's code uses a private CoreFoundation API rather than UIAlert which is both safe to access from non-main threads and blocking, making the tweak both simpler (no dispatch or blocks) and allowing it to pop up a "yes/no" dialog.
I've updated the README in my GitHub repo to point here and I'm considering ContactPrivacy a better replacement for AddressBookPrivacy at this time.
Here's to hoping Apple does something like this in a future release of iOS.
Random observation from reading the source: your tweak is going to cause issues (possibly crashes) if the application is accessing the address book on a non-main thread. You should dispatch_async() that alert over to the main thread.
It actually just causes CoreAnimation fence issues and messy animations as far as I can tell, but you're entirely right. Fixing in my next commit (which also fixes some other brokenness). Even had a note in the TODO about it.
This is the first time I've used MobileSubstrate and Logos, so I'm having a lot of fun :)
You may only be seeing CoreAnimation fencing issues, but the fact is, you're accessing main-thread-only classes from a background thread, and it has the potential to corrupt data structures which can lead to crashes and other bad behavior.
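The hook target from the earlier comment (ABCCopyArrayOfAllPeopleInSourceWithSortOrdering rather than the one-instruction ABAddressBookCopyArrayOfAllPeople stub) and the dispatch-to-main-thread point raised just above, as one added Theos/Logos sketch; this is illustration written for this page, not the source of ContactPrivacy or AddressBookPrivacy. The private function's parameter list and the `com.example.abprivacy.plist` deny list are assumptions made for the example.

```objc
// Tweak.xm (Theos/Logos). Added illustration, not ContactPrivacy's or
// AddressBookPrivacy's source. ASSUMPTIONS: the private function's parameter
// list (addressBook, source, sortOrdering) and the deny-list plist path are
// made up here; check the real prototype against the AddressBook binary.
#import <UIKit/UIKit.h>
#import <substrate.h>

typedef CFArrayRef (*CopyAllPeopleFn)(void *addressBook, void *source, int sortOrdering);
static CopyAllPeopleFn orig_ABCCopyArrayOfAllPeopleInSourceWithSortOrdering;

// UIAlertView is main-thread-only, but the hooked call can arrive on any
// thread the app uses, so the notice is always dispatched to the main queue.
static void notifyUser(NSString *appName, BOOL blocked) {
    NSString *msg = [NSString stringWithFormat:@"%@ %@ your address book.",
                     appName, blocked ? @"was blocked from reading" : @"is reading"];
    dispatch_async(dispatch_get_main_queue(), ^{
        UIAlertView *alert = [[UIAlertView alloc] initWithTitle:@"Address Book Privacy"
            message:msg delegate:nil cancelButtonTitle:@"OK" otherButtonTitles:nil];
        [alert show];
        [alert release];
    });
}

// Replacement for the real copy routine. A denied app receives a valid but
// empty CFArray ("no contacts") rather than NULL, so it keeps running.
static CFArrayRef hooked_ABCCopyArrayOfAllPeopleInSourceWithSortOrdering(void *addressBook, void *source, int sortOrdering) {
    NSString *appName = [[NSBundle mainBundle] bundleIdentifier];
    // Assumed deny list: an array of bundle identifiers under the key "deny".
    NSDictionary *prefs = [NSDictionary dictionaryWithContentsOfFile:
        @"/var/mobile/Library/Preferences/com.example.abprivacy.plist"];
    BOOL blocked = [[prefs objectForKey:@"deny"] containsObject:appName];
    notifyUser(appName, blocked);
    if (blocked) {
        return CFArrayCreate(kCFAllocatorDefault, NULL, 0, &kCFTypeArrayCallBacks);
    }
    return orig_ABCCopyArrayOfAllPeopleInSourceWithSortOrdering(addressBook, source, sortOrdering);
}

%ctor {
    // Hook the real implementation: the public ABAddressBookCopyArrayOfAllPeople
    // is a direct branch, and MSHookFunction's patch would overwrite the small
    // functions laid out immediately after it.
    MSImageRef ab = MSGetImageByName("/System/Library/Frameworks/AddressBook.framework/AddressBook");
    void *sym = MSFindSymbol(ab, "_ABCCopyArrayOfAllPeopleInSourceWithSortOrdering");
    if (sym) {
        MSHookFunction(sym, (void *)hooked_ABCCopyArrayOfAllPeopleInSourceWithSortOrdering,
                       (void **)&orig_ABCCopyArrayOfAllPeopleInSourceWithSortOrdering);
    } else {
        NSLog(@"AddressBookPrivacy example: symbol not found, nothing hooked");
    }
}
```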
This is an awesome little tweak.
I'm really glad to see more competent people using Theos and Logos to implement useful things!
I've got one minor nit to pick, and that's that you're using Logos, but only for its %ctor directive! Not that that's a bad thing, it gets more language coverage!
You could possibly extend this to hook those parts of those apps individually or on a case-by-case basis, and present a different/better UI for them in particular.
Great to hear you like the tweak. Theos and Logos made the whole process a lot easier, so thank you!
I plan to use Logos to add a delegate class for the UIAlert such that I can pop up an "allow/deny" dialog, to start, and then to move on to a more full-featured preference system. I'm just thinking about how to block the thread requesting the address book information while I wait for the user to dismiss the alert.
I've been poking around at various Logos + Theos projects on GitHub and I'm impressed at what a little Perl magic can do - I'm definitely excited to dive deeper as I add features.
Hipster doesn't leak as much information, but it is almost just as persistent. You can uncheck the "Contacts" button when you enter that preference, but only after the app sends your data. Also, if you come back to the screen, it reverts to checked. They are really filter buttons, and not stateful, apparently.
Jailbreaking means so many different things to different people. I know it causes issues with Apple-sanctioned updates, but sometimes those issues are just plain worth it.
All the stability issues, all the battery life issues, and all of the downsides apart from a more complicated update process are first and foremost effectively made-up. There's no solid data to back those things.
Jailbreaking has time and time again patched vulnerabilities that Apple didn't (in a timely manner), and proven that it is a valuable part of the ecosystem.
Nice work! However, you seem to have forgotten to add theos as a submodule. Without it, people cannot build this on their own if they choose to do so.
Users have to manually download ldid only because I aspire to keep Theos a binary-free distribution: it's totally cross-platform where you have GNU make and bash (and, for Logos, perl).
Surprise! Likewise, Instagram uploads your contact list to their servers (phone numbers, names, emails) to help find friends (confirmed with mitmproxy as well). At least you have to click "Find from my contact list" first.
This practice is super-common. The last ordeal around this was a year or so ago with Kik, but then everyone stopped caring. At least Instagram is over https.
Uh, if they do it after clicking "Find from my contact list", this is totally different, that's opt-in. I do think it should be possible to opt-out from being findable this way, but that's a separate, if related issue.
There is also a difference between "uploads" and "sends".
If they send my address book to their servers, compare it with current users and then discard it, that is pretty good for an opt-in process.
A lot of this seems to be they upload the address book to their servers and store it permanently. The fact that they don't state this and don't ask for permission is disturbing.
Right. Kik did it without having an opt-out. At least Instagram does it after you tell it to. Path and Hipster? They just do it. Hipster, to a lesser degree.
Surprise! Apple doesn't give a shit that this is happening. If they didn't want developers to have the data, they wouldn't have made the API public. Apple even touts this as a feature in their public-facing developer site!
"iOS apps even have access to a device’s global data such as contacts in the Address Book, and photos in the Photo Library"
This is in no way a failure of the App Review process. This is a failure in the way Apple expects user data to be treated. Lots of developers do this. The only way to stop this is a change in Apple policy, end of story.
This seems like a serious policy 'bug' indeed. The app developers have their part of the fault, but if someone just gives you free stuff, why not just take it.
I've bitched about how restrictive Apple is with the App Store plenty, but that ship has sailed a long time ago. But once you decided to have a restrictive app store and declare to provide "freedom from programs that steal your private data" (http://gawker.com/5539717/), be the best damn restrictive app store you can be and actually provide freedom from programs that steal your private data. Apple has inserted themselves as a necessary component in the developer-customer relationship of iOS (and even declared privacy as one of the reasons why they are necessary), so they damn well should take some blame here.
Yes, or at least not allow open APIs that make it so simple. What else is the point of a walled garden? They're able to make sure all their other arcane rules are followed (like Amazon linking to their web store), they should be able to keep data safe.
It would be absolutely trivial for Apple to flag apps which use the Address Book APIs for closer inspection (including making sure that the user has to opt in to have their Address Book sent anywhere) - the same Apple tool which detects access to unauthorized ("private") Objective-C APIs could just as easily flag access to the AddressBook framework.
As an iOS developer, I've been surprised all along that the SDK gives you full access to the address book without asking for permission (like Core Location and the Apple Push Notification Service). I've always thought that would one day change, and I suspect that posts like this and the one about Path will make that happen.
I'm also an iOS developer although I've never needed to use the Address Book APIs. I always presumed that some sort of permission was required; I'm really surprised it isn't. I actually think this is a bigger privacy concern than location access as not only are you giving away access to your contact details but everyone who has trusted you with theirs.
I can see a good argument in favour of it - of _course_ I want non-apple apps to be able to autocomplete friends' names/emails as I start typing them. And of _course_ apps need to be able to send a bunch of data "back home". Making sure that apps don't send the addressbook data from sentence 1 in a data block from sentence 2 is the problem...
iOS could prompt the user for permission when the contact list is accessed, with temporarily/permanently allow/deny options. If the user says yes, the app gets access, if the user says no, the app gets "spoofed" access, to an empty contact list.
Making a prediction:
When you wake up tomorrow morning, the front page will be filled with stories like these about every type of app you can think of. It will only get worse from here.
Worse is an interesting choice of words .... if a bunch of companies get shamed into respecting people's privacy then that's great, and if it gets the ball rolling and triggers the wrath of app stores ... that's even better.
If companies could get shamed into doing anything, the world would be a different place. But to a company there is no such thing as shame, there is only the fear that public reaction will negatively impact their bottom line.
I have little doubt. My only question/interest is - what is the most high-profile and also the most odd-ball app/company that will be found to have done this.
I am thinking of precise reasons why these services want the e-mail addresses in the first place. Is it to create a social network graph of the email addresses? Does this mean that all of these small services have a social graph? That doesn't seem so bad given that most people have already given that to one very large institution.
Ah, right. Probably shows I'm still practicing abstinence, i.e. no smart phone with 3G plan yet. Still seems it's a lot less to be concerned about in comparison to what other organizations own. I suppose the sneaky under-the-hood part is what's jarring.
Hashing doesn't really solve the entire problem, though it does prevent the service from getting addresses it doesn't already know. Allowing an app to see your contact list is an act of faith.
This isn't new or surprising. Working as an iPhone contractor you get asked to do this sort of stuff all the time. Companies that give something away for free want your data. Simple.
If someone was going to audit all the popular social apps in the app store I'm sure that the vast majority would behave in exactly the same way.
I am normally careful to check permissions, but foolishly installed the Skype app (I think Skype uploads the complete phone address book when first run).
And I wonder how many PhoneGap based applications (iPhone or Android) have XSS flaws that a hacker can springboard to snarf the local address book???!!!
to <MYNAME>
Right, yes, we do send info to the server but do not save anything. All foursquare pages are encrypted as of April 6.
<MYNAME> ✆ via gmail.com
20/07/2011
to <FOURSQUARE-SUPPORT>
It's nice to know your pages are encrypted, but my question relates to when you sent all my contacts to your server from your mobile app. Did it use an encrypted connection to do this?
to <MYNAME>
yes, any information sent via any foursquare page, mobile or otherwise, is encrypted.
-------------------------------------------------------------------------------------------------------------------
<MYNAME> ✆ via gmail.com
20/07/2011
to <FOURSQUARE-SUPPORT>
Thanks for the confirmation.
One final thing - it would be polite for your app to request permission before scanning my phone and uploading all my contacts to your server. Please consider it a complaint that it did not ask permission.
to <MYNAME>
We totally agree! When you download foursquare, we list the permissions that you are giving us, including scanning your contacts list (which we do not save or store). See here: http://cl.ly/18433L2s3g1T13070y0X.
-------------------------------------------------------------------------------------------------------------------
<MYNAME> ✆ via gmail.com
21/07/2011
to <FOURSQUARE-SUPPORT>
We don't agree.
It is not made clear that you are going to scan for my contacts and upload them.
You should explicitly make me aware and ask for permission in advance of doing that.
Furthermore, your tone and wilfully ignoring my legitimate complaint is annoying.
to <MYNAME>
<MYNAME>,
I'm sorry you feel that way! I have spent time talking to four different engineers (two server engineers about what info is stored and how information is transferred, and two Android developers) about your questions out of respect and concern for you as a user with a valid query. I take all user questions and concerns seriously and as a member of the Product team, pass on this sort of complaint so that we can be sensitive to that fact that if one person is asking/upset about something, there are probably others. Sorry if I did not do a good job of conveying the way I run community and support for foursquare in my tone. Sometimes email is hard in that sense. I hope you know that we care and appreciate your emails.
to <MYNAME>
Also, since we don't save your contacts in anyway, I'm not sure that we are actually "uploading" them. Is there something else that is bothering you? Perhaps I'm not understanding your concern completely--we aren't telling your contacts that you are using foursquare nor are we automatically adding them as your friends, we're merely searching your phone's contacts for other people you know who are also using foursquare so that you can then decide which of those you'd like to send a friend request to. Can you please let me know what part of this you find troubling so I can pass on your concerns? Thank you!
<MYNAME> ✆ via gmail.com
21/07/2011
to <FOURSQUARE-SUPPORT>
Uploading means essentially the same thing as sending for the purposes of this complaint.
uploading: present participle of up·load
Verb: Transfer (data) to a larger computer system.
As for my concern, I can only repeat myself. It is disappointing that you don't immediately understand why this is a problem.
Stop being such a zuck[1], calling security-consciousness "neckbearding".
[1] A zuck: someone who, due to a combination of ignorance and malice, is dismissive of others' efforts to improve their security and protect their privacy.
I believe the “neckbearding” referred to berating this poor support staffer for his/her lack of technical expertise. The guy/gal was pretty clearly doing the best he/she could, and the responses from the “security conscious” user could have conveyed the same message with a lot less condescension.
OK seriously that was some of the best support responses to a customer complaint I've read in a LONG time. The support person was super friendly, spoke to several devs internally to get a good resolution, and really tried their best to help this annoyingly persistent customer with their complaint. Calling them names is totally uncalled for here in my view.
From my perspective, after reading the above conversation, FourSquare provided a good level of support, and you were a rude and unnecessarily confrontational user.
The Foursquare app says that it wants the ability to access your address book and you gave it permission to do this by installing it.
You then press the "find my friends" button and are surprised by the fact that it sends information about your friends to Foursquare?
The only valid complaint you could have is if they stored the information on their server permanently but based on this conversation they don't which is the best procedure.
The second you click "find my friends" you've opted into this. How the hell do you think they are finding out who your friends are? Magic?
There is a fine line between annoying the user and doing things without their permission and in this scenario Foursquare is better than the majority of other applications out there.
" Furthermore, your tone and wilfully ignoring my legitimate complaint is annoying. "
It is standard customer service industry faux-friendliness/faux-compassion. It is infuriating, but I guess it works on the idiot majority of customers because most companies talk this way.
Why would you not use HTTPS? At minimum? It doesn't take a genius to figure out how to launch a man in the middle attack and watch traffic from these devices. I'm actually surprised someone hasn't created a tool that just sniffs requests from apps, whilst stripping out important information.
I do not understand why anyone is complaining about anything other than perhaps Apple's choice to make this an app-level permission rather than a "one-off" permission.
If apps spelled everything they were doing out for you all as you seem to want, you'd have something equivalent to a TOS to read. Only instead of legal jargon it would be technical jargon. You'd never read it. And then when it came out that the app was doing something that was described in it, you'd bitch and moan and complain just like you are doing now.
I would venture to guess that a large majority of apps in the app store (iOS and Android) do the same thing Hipster, Path and others mentioned in this thread do and you don't even know. I don't even want to know what Google and Apple themselves are doing without telling anyone.
What a stupid response. I'm not a huge privacy advocate but this is a massive breach of trust/privacy. Not only are apps taking your personal contact information but the contact information of everyone you have in your address book. So regardless of your stance on privacy, the privacy of all of your contacts is also at stake.
If I thought these companies were going to do something malicious with the data then it would be an issue. These companies aren't spammers. They aren't criminals. They don't plan to do anything malicious with the data. Your privacy, my privacy or any of my contacts' privacy isn't at risk. It's not at risk, but I don't think someone at Hipster is going through the data and using it in any way.
I'll accept the point that maybe hipster or path are not (yet) sifting through the data they obtained, however, sometimes startups go bankrupt and someone buys whatever assets are left over. Address data may get sold to a buyer with a different view of privacy. Servers may get hacked and data gets lost. Keep in mind that if you're using hipster/path you're not only risking your data but also the private data of anyone you have in your address book. It's one thing if friends of mine decide that they hand out their phone number, it's another thing if they decide to hand out mine.
They may not be using it maliciously (I don't think they are either) but they should be handling our data more carefully. And it's possible that they may use this data in the future.
The part you should be worried about is the fact that they are taking the contact info of your friends and family. People who trusted you enough to give you their data. You/we the users should not get to make the judgement call as to whether or not we are going to give their data up.
https://github.com/bri3d/AddressBookPrivacy/downloads