MIT Technology Review



Apple was warned as long ago as 2010 that the popular Gowalla location-sharing iPhone app was uploading users’ address books without alerting them, Technology Review has learned.

This raises questions about why Apple didn’t do then what it announced it would do yesterday. In a statement, the company said software upgrades for iPhones would be issued to protect users from the practice, which is forbidden.

Apple’s statements follow a series of revelations over the past week concerning apps that access users’ address books. The revelations began when an independent developer discovered that the two-million-user-strong social network Path collects users’ address books, assembling vast collections of names, e-mails, and phone numbers without consent. Others found that some other popular apps, including the location-sharing services Foursquare and Gowalla, do the same. Transmitting and storing users’ address books exposes them to an increased risk of their personal data being leaked, perhaps through an attack like the one that extracted credit-card details from Sony last year.

The criticism that followed these discoveries—compounded by evidence that Apple ignored a warning about such behavior from academic researchers in 2010—has led to calls for the company to alter iOS and reform its famously opaque application approval process.

In the longer term, all smart-phone operating systems may need more effective privacy controls to better explain what personal data they collect, and to let users opt out. Google’s Android mobile operating system already requires apps to receive explicit permission to access contact books or other private data, but app makers do not need to explain how that information will be stored or used, and many users seem not to fully understand what they are handing over.

In 2010, graduate student Manuel Egele and colleagues at the University of California, Santa Barbara, used a tool called PiOS to scan 1,400 iPhone applications for signs that they leaked sensitive user data. PiOS flagged Gowalla’s app because it stealthily uploaded a user’s entire address book to the company’s servers when a user viewed his or her list of phone contacts through the app.

That was a clear breach of user privacy, and of Apple’s own rules for inclusion in the App Store, says Egele, now a postdoctoral researcher at UCSB. But when Apple was contacted about it, a series of representatives showed little interest, he says. “We even took screenshots that showed it was being sent unencrypted,” he says. “They said, ‘If you have a privacy concern, you should contact the developer.’ ” Egele and colleagues presented a peer-reviewed paper on the work, including an account of their Gowalla finding, last year.

Apple did not reply to inquiries about the 2010 incident. But its first public statement on the address-book saga, made yesterday, implied that it had only just become aware of the issue.


Credit: Technology Review

Tagged: Computing, Communications, security, privacy, geolocation, iPhone app, Apple apps
