Apple will update iOS to require user permission for apps to access contact data
Apple on Wednesday announced that a future update to iOS will prevent App Store software from accessing a user's address book without their permission.
"Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines," Apple spokesman Tom Neumayr said in a statement to AllThingsD. "We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."
The official statement came quickly after two U.S. congressmen sent a letter to Apple Chief Executive Tim Cook, asking for more information about Apple's security and privacy policies on the iPhone. The controversy stems from an iPhone social networking application, "Path," which was discovered to be uploading users' address book data to the company's servers without user authorization.
For its part, Path issued an apology and gave users the option to opt out, stating that the data was being used to streamline the application's "Add Friends" feature. But Apple, in its official comment on Wednesday, made it clear that the actions taken by Path are in violation of its iOS developer guidelines.
Reps. G.K. Butterfield (D-N.C.) and Henry A. Waxman (D-Calif.) issued the letter to Cook on Wednesday, questioning whether Apple's iOS application developer policies and practices adequately protect consumer privacy. Apple's official response came mere hours after the letter was made public.
The events share some similarities with last year's location database controversy, in which members of the U.S. government demanded answers from Apple about a file found hidden in the iPhone operating system that kept an extensive log of location data. Apple said the crowd-sourced data, which represented cellular towers and Wi-Fi hotspots pinged by the iPhone, was intended to give users faster response times when using location-based services.
That controversy quickly became a non-issue when Apple issued an iOS software update, which reduced the size and scope of the database file, and gave users the ability to delete it by turning off location services on their iPhone.
Comments
this is awesome!
It's about bloody time as this issue has been in the media for several minutes now¡
Getting ever closer to Android's permission-based app model. . .
The events share some similarities with last year's location database controversy, in which members of the U.S. government demanded answers from Apple about a file found hidden in the iPhone operating system that kept an extensive log of location data. Apple said the crowd-sourced data, which represented cellular towers and Wi-Fi hotspots pinged by the iPhone, was intended to give users faster response times when using location-based services.
I really don't think it has many similarities at all. The prior issue was simply a file on your phone that was storing location data, I don't think third parties really had access to it. This is all your contact information loaded onto a third party server without your permission.
See? Problem solved simply enough.
You all have me to thank for this.
when the path debacle arose, my first thought is that software companies should allow their users to 'opt-in' when they want to harvest information, rather than the opposite.
this is awesome!
While this is good news it's plugging a small leak in a dam while the water gushes from many other places. Many sync their address books between Mac and Windows with every app we install having access to our data.
Getting ever closer to Android's permission-based app model. . .
You mean going backwards? Because having a list over 20 items an app may access that appears when you install the app isn't sensible and therefore isn't security. While you may take heed that a wallpaper app is trying to get access to your contacts most people just click through confusing and technical lists.
I really don't think it has many similarities at all. The prior issue was simply a file on your phone that was storing location data, I don't think third parties really had access to it. This is all your contact information loaded onto a third party server without your permission.
To be fair, you're supposed to read the article and at least think it's pretty much the same as last year's location issue.
The classy way to do it would be on an "opt in" basis.
You all have me to thank for this.
Getting ever closer to Android's permission-based app model. . .
Yeah, Apple needs to figure out what can be vetted during the app approval process and what needs to be enforced at runtime. Some other abuse prone areas are unrestricted network/internet access, unlimited flash storage, and full read access to the iPod library.
You mean going backwards? Because having a list over 20 items an app may access that appears when you install the app isn't sensible and therefore isn't security.
While you may take heed that a wallpaper app is trying to get access to your contacts most people just click through confusing and technical lists.
Going backwards
Did Apple require user-specific permissions at some earlier point? I don't see how it's a bad thing, and if so why Apple is requiring both location and contacts harvesting to be user-authorized now.
Apple on Wednesday announced a future update to iOS will restrict App Store software from accessing a user's address book without their permission.
"Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines," Apple spokesman Tom Neumayr said ...
So the closed-garden control of the App Store doesn't always work, after all?
Getting ever closer to Android's permission-based app model. . .
What are you talking about? Apple invented the permission-based app model. Or perfected it. Or made it popular. Or... forget it, Apple is making billions from the permission-based app model like it's nobody's business! /s
...
You mean going backwards? Because having a list over 20 items an app may access that appears when you install the app isn't sensible and therefore isn't security...
Every educated Android user knows better than to install any app offering this laundry list of permissions, unless it comes from a very respectable source with legitimate reasons for the requests. Don't worry, you'll learn to use it as Apple improves iOS.
Going backwards
Did Apple require user-specific permissions at some earlier point? I don't see how it's a bad thing, and if so why Apple is requiring both location and contacts harvesting to be user-authorized now.
Security that isn't used is no security at all. For example, let's say MS updates Windows log-in permissions so that you either have the choice of using only a randomized alphanumeric password or no password at all. Users will go for no password because the security, even though much higher security than their previous passworded option, is now too complex to bother with. That screenshot shows what is wrong with Android's system and it only shows 1/4 of the potential permissions.
So the closed-garden control of the App Store doesn't always work, after all?
What are you talking about? Apple invented the permission-based app model. Or perfected it. Or made it popular. Or... forget it, Apple is making billions from the permission-based app model like it's nobody's business! /s
Every educated Android user knows better than to install any app offering this laundry list of permissions, unless it comes from a very respectable source with legitimate reasons for the requests. Don't worry, you'll learn to use it as Apple improves iOS.
no they don't.. especially when you consider that educated android user does not exist. they use android without knowing what android is. to put it simply, they buy the only available 200 dollar smartphone that isn't nokia and that's it.
It's a bad thing to offer advertise a security that isn't used because it's not designed to inform the average in a way that is useful to them. For example, let's say MS updates Windows log-in permissions so that you either have the choice of using only a randomized alphanumeric password or no password at all. Users will go for no password because the security, even though much higher security than their previous passworded option, is now too complex to bother with. That screenshot shows what is wrong with Android's system and it only shows 1/4 of the potential permissions.
A quarter of them? I can't imagine what the other 21 would be.
I see these listed:
~Services that cost you Money (that's a good one to know about, don't you think?)
~Storage - You already showed this one
~Your Personal Information - You showed that one too, and Apple agrees with getting your permission
~Phone call - Yup, that's in your screenshot
~Location - Another I think you should know about, and so does Apple
~Network Communication - In your screenshot and something you better know about.
~System tools - Again in your list
~Hardware controls - Not of much use IMO, unless you're worried why a kid's game wants to turn on the camera.
~Your Accounts - Another permission that's not really useful IMO.
Let's see. I count 9
no they don't.. especially when you consider that educated android user does not exist. they use android without knowing what android is. to put it simply, they buy the only available 200 dollar smartphone that isn't nokia and that's it.
Don't let yourself be trolled, buddy.
when the path debacle arose, my first thought is that software companies should allow their users to 'opt-in' when they want to harvest information, rather than the opposite.
!
That was the policy, but Path showed Apple that they can't trust developers to do it on their own so now it will be forced on them by the OS