App Developers Apologise For Sharing Users’ Address Books

iPhone apps Hipster and Path move to fix security flaw, with a summit planned to discuss a ‘privacy pledge’

Path and Hipster, developers of iPhone applications,  have apologised for uploading users’ address book data without asking for their permission.

Both have now released updates to rectify the security flaws and have pledged to review how they handle information, amid fears that the cases may not be isolated.

Path to controversy

Path, a social media application, sent contact data to its servers to assist users to find friends who were also using the application.

“We made a mistake,” said Path CEO David Morin in a blog post. Over the last couple of days users brought to light an issue concerning how we handle your personal information on Path, specifically the transmission and storage of your phone contacts.”

“We take the storage and transmission of your personal information very, very seriously,” he added. “We are deeply sorry if you were uncomfortable with how our application used your phone contacts.”

Morin said that Path had deleted the entire collection of user-uploaded contact information in its servers and had released an update to solve the problem:

“In Path 2.0.6, released to the App Store today, you are prompted to opt in or out of sharing your phone’s contacts with our servers in order to find your friends and family on Path,” he commented. “If you accept and later decide you would like to revoke this access, please send an email to service@path.com and we will promptly  see to it that your contact information is removed.”

Not so hip

Hipster, an imaging app that styles photos into postcards, was also found to be uploasding information without consent.

“We blew it, we’re sorry, and we’re going to make it right,” said Hipster CEO Doug Ludlow, who promised to release an update to the App Store that makes sharing optional.

He also invited other developers to attend an “Application Privacy Summit” at its San Francisco-based headquarters on 17 February.

“The goal of the summit to be to come up with a ‘privacy pledge’ – one that can be adopted by all apps, detailing for users what types of privacy expectations they should have,” Ludlow declared. “Applications will be able to boast that they have agreed to the privacy pledge, which should help give their users sense of mind regarding their personal data.”

Over one hundred million apps were downloaded from the App Store last year, but tests have shown that more than three quarters of mobile applications fail to store user account names securely.  However the security threat is far more serious on Android than iOS, with Google recently introducing an automated scanning service called Bouncer which monitors the Android Market for potentially malicious apps.