Path iPhone App Uploads Your Entire Address Book to Its Servers

If you’re one of the 2 million users of Path – the personal life-sharing service, you might want to read this.

While trying to hack Path’s slick iPhone app in order to implement a Path Mac OS X app, Singapore-based developer and blogger Arun Thampi discovered that the app uploads your entire address book to Path’s servers.

On his blog, Thampi gives an account of how he discovered what appears to be a major privacy issue:

It all started innocently enough. I was thinking of implementing a Path Mac OS X app as part of our regularly scheduled hackathon. Using the awesome mitmproxy tool which was featured on the front page of Hacker News yesterday, I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add.

Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.

Path’s CEO and co-founder Dave Morin tried to address the concern raised by Thampi in the comments section, and Thampi has since added that response to his blog post.

Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

The major concern here is that the entire address book is being uploaded to Path’s servers without informing users or obtaining their authorization.

As The Next Web points out, apps that use the address book typically hash the data and save only the checksum rather than saving the entire data in plain text format on their servers. Morin has said that they would look at implementing the hashing procedure as that’s the industry best practice.

If you’re really spooked by this revelation then you can send an email to service@path.com and request them to delete your address book account from their servers.

We feel that though it was a poor decision on Path’s part not to have the opt-in and the hashing procedure in place from the beginning, they have been extremely proactive and honest in dealing with the situation. It’s a young company and we’re sure that this incident will put privacy on the top of their priority list when they decide on which new features should be rolled out next.
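The hash-and-match approach mentioned above, as an added example (not Path's or The Next Web's code): the client normalizes each email address and phone number, hashes it with SHA-256 and uploads only the digests, which the server compares against digests of its registered users. The normalization rules, the default country code, the function names and all sample data are assumptions constructed for illustration.

```python
import hashlib
import re

def normalize_email(email):
    """Canonical form so client and server hash identical bytes."""
    return email.strip().lower()

def normalize_phone(phone, default_cc="1"):
    """Digits only; assumes 10-digit numbers belong to the default country code."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 10:
        digits = default_cc + digits
    return "+" + digits

def digest(identifier):
    # Caveat: unsalted digests of low-entropy values such as phone numbers can
    # be recovered by enumeration, so this limits exposure, not anonymizes.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()

def client_upload(address_book):
    """Build the upload payload: digests only, no names, emails or numbers."""
    digests = set()
    for contact in address_book:
        for email in contact.get("emails", []):
            digests.add(digest(normalize_email(email)))
        for phone in contact.get("phones", []):
            digests.add(digest(normalize_phone(phone)))
    return sorted(digests)

def server_match(uploaded, registered):
    """registered maps digest -> user id; return the ids of members found."""
    return sorted({registered[d] for d in uploaded if d in registered})

# Constructed sample data (not real contacts or accounts).
ADDRESS_BOOK = [
    {"name": "Alice Example", "emails": [" Alice@Example.com "],
     "phones": ["(555) 010-0199"]},
    {"name": "Bob Example", "emails": ["bob@example.org"], "phones": []},
]
REGISTERED = {
    digest("alice@example.com"): "user-1001",
    digest("+15550100123"): "user-1002",
}

if __name__ == "__main__":
    payload = client_upload(ADDRESS_BOOK)
    print(len(payload), "digests uploaded; no plaintext fields leave the device")
    print("matches:", server_match(payload, REGISTERED))
```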

It remains to be seen if their users will give them a second chance (third chance in case of users who used their initial version, which did not take off).

[via Arun Thampi's blog]


Categories: iPhone Apps

  • iOS5

    Bama..

  • http://www.motorbeam.com/ fas

    They will think of implementing, they already should..!

  • http://www.uselessdesires.co.uk Ryan

    I emailed Path, insisting they remove all harvested data and delete my account (not simply deactivate it). This is what they had to say:


    Hi Ryan,

    Thank you for getting in touch with us. We want you to know that you have been heard and as a result, as of today, we’ve deleted the entire collection of user uploaded contact information from our servers.

    In addition, I have marked your account for permanent deletion. This means that your account can never be reactivated. I’ll be sure to follow up with you as soon as this is completed.

    On behalf of the team, I’d like to apologize for any privacy concerns that you may have had. Our intent in accessing this information was to make it easier for you to find your family and friends on Path. Our newest release of Path (2.0.6) prompts users with the option of allowing or denying Path access to their contacts. We care deeply about our users and their sense of security and control over their personal information, and through our actions we aim to uphold this sentiment.

    Please let me know if there is anything else I can do to help you. I’m more than happy to address any further questions or concerns that you may have.

    All the best,
    Zack

    Their speed of response was impressive, as was their cooperation in meeting all my requests. We’ll see what happens.

    Ryan
    @rycariad on Twitter