

Hipster (like Path) uploads your address book emails to its servers - markchang
http://markchang.tumblr.com/post/17244167951/hipster-uploads-part-of-your-iphone-address-book-to-its

======
FourSquareToo
FourSquare Too.

Here was their response to my complaint.

Subject: Do you store my contacts?

\-------------------------------------------------------------------------------------------------------------------
<MYNAME> ✆ via gmail.com

17/07/2011

to privacy Hi.

I recently downloaded the Android Foursquare application. It automatically
started scanning the contacts on my phone.

Questions: 1\. Does the application upload my contacts to FourSquare?

2\. If so, does FourSquare store my contacts?

\-------------------------------------------------------------------------------------------------------------------
<FOURSQUARE-SUPPORT> ✆

18/07/2011

to <MYNAME> We do not store or upload contacts! It's a one-time search of your
phone's contacts to find friends to add on foursquare.

See more information at foursquare.com/privacy/grid and
<https://foursquare.com/legal/terms>

\-------------------------------------------------------------------------------------------------------------------
<MYNAME> ✆ via gmail.com

19/07/2011

to <FOURSQUARE-SUPPORT> Hi,

I think you must upload my contacts to your servers to identify which ones are
on foursquare.

When you upload them, do you send them in plaintext or encrypted?

\-------------------------------------------------------------------------------------------------------------------
<FOURSQUARE-SUPPORT> ✆

19/07/2011

to <MYNAME> Right, yes, we do _send_ info to the server but do not save
anything. All foursquare pages are encrypted as of April 6. <MYNAME> ✆ via
gmail.com

20/07/2011

to <FOURSQUARE-SUPPORT> It's nice to know your pages are encrypted, but my
question relates to when you sent all my contacts to your server from your
mobile app. Did it use an encrypted connection to do this?

Thanks,

\-------------------------------------------------------------------------------------------------------------------
<FOURSQUARE-SUPPORT> ✆

20/07/2011

to <MYNAME> yes, any information sent via any foursquare page, mobile or
otherwise, is encrypted.

\-------------------------------------------------------------------------------------------------------------------
<MYNAME> ✆ via gmail.com

20/07/2011

to <FOURSQUARE-SUPPORT> Thanks for the confirmation.

One final thing - it would be polite for your app to request permission before
scanning my phone and uploading all my contacts to your server. Please
consider it a complaint that it did not ask permission.

\-------------------------------------------------------------------------------------------------------------------
<FOURSQUARE-SUPPORT> ✆

20/07/2011

to <MYNAME> We totally agree! When you download foursquare, we list the
permissions that you are giving us, including scanning your contacts list
(which we do not save or store). See here:
<http://cl.ly/18433L2s3g1T13070y0X>.

\-------------------------------------------------------------------------------------------------------------------
<MYNAME> ✆ via gmail.com

21/07/2011

to <FOURSQUARE-SUPPORT> We don't agree.

It is not made clear that you are going to scan for my contacts and upload
them.

You should explicitly make me aware and ask for permission in advance of doing
that.

Furthermore, your tone and wilfully ignoring my legitimate complaint is
annoying.

\-------------------------------------------------------------------------------------------------------------------
<FOURSQUARE-SUPPORT> ✆

21/07/2011

to <MYNAME> <MYNAME>, I'm sorry you feel that way! I have spent time talking
to four different engineers (two server engineers about what info is stored
and how information is transferred, and two Android developers) about your
questions out of respect and concern for you as a user with a valid query. I
take all user questions and concerns seriously and as a member of the Product
team, pass on this sort of complaint so that we can be sensitive to that fact
that if one person is asking/upset about something, there are probably others.
Sorry if I did not do a good job of conveying the way I run community and
support for foursquare in my tone. Sometimes email is hard in that sense. I
hope you know that we care and appreciate your emails.

Best,

<FOURSQUARE-SUPPORT>

\-------------------------------------------------------------------------------------------------------------------
<FOURSQUARE-SUPPORT> ✆

21/07/2011

to <MYNAME> Also, since we don't save your contacts in anyway, I'm not sure
that we are actually "uploading" them. Is there something else that is
bothering you? Perhaps I'm not understanding your concern completely--we
aren't telling your contacts that you are using foursquare nor are we
automatically adding them as your friends, we're merely searching your phone's
contacts for other people you know who are also using foursquare so that you
can then decide which of those you'd like to send a friend request to. Can you
please let me know what part of this you find troubling so I can pass on your
concerns? Thank you! <MYNAME> ✆ via gmail.com

21/07/2011

to <FOURSQUARE-SUPPORT> Uploading means essentially the same thing as sending
for the purposes of this complaint.

uploading: present participle of up·load Verb: Transfer (data) to a larger
computer system.

As for my concern, I can only repeat myself. It is disappointing that you
don't immediately understand why this is a problem.

\-------------------------------------------------------------------------------------------------------------------
<FOURSQUARE-SUPPORT> ✆

21/07/2011

to <MYNAME> Thanks for voicing your concern. I'm passing it on.

~~~
bryne
I think they answered your question pretty thoroughly and promptly, despite
your intense neckbearding.

Certainly more thoroughly than the Path guys.

~~~
mahmud
Stop being such a zuck[1], calling security-consciouness "neckbearding".

[1] A zuck: someone who, due to a combination of ignorance and malice, is
dismissive of others' efforts to improve their security and protect their
privacy.

~~~
jacobolus
I believe the “neckbearding” referred to berating this poor support staffer
for his/her lack of technical expertise. The guy/gal was pretty clearly doing
the best he/she could, and the responses from the “security conscious” user
could have conveyed the same message with a lot less condescension.

~~~
cbs
_The guy/gal was pretty clearly doing the best he/she could_

Awww... The little guy was doing his best. Oh, wait. You're not talking about
a puppy? but the customer-facing front of a company?

~~~
pork
Strangely, qualified engineers and security experts keep turning down the
consumer-facing support jobs.

------
bri3d
I wrote a little MobileSubstrate (Jailbroken iPhone) shim to intercept the
most common API used to access this data, block its use, and alert the user
when it's happening.

<https://github.com/bri3d/AddressBookPrivacy/downloads>

It should be available in the BigBoss repository as "Address Book Privacy"
sometime tomorrow.

My tweak catches and displays the use of address book data as it happens, and
based on my observations I think the Hipster version of address book theft is
a lot less egregious than the Path one. Hipster accesses your address book
only when you ask it to "Find Friends" - "Contacts" is selected by default.
While this certainly shouldn't be the case, it's nowhere near as bad as Path,
which sends all your contacts without asking _every time you log in_ (along
with again if you select "Find Friends").

~~~
ryanpetrich
ABAddressBookCopyArrayOfAllPeople is implemented as a direct branch to
ABCCopyArrayOfAllPeople. Right after that are the
ABAddressBookGetPersonWithRecordID and ABAddressBookGetPersonCountShowingLinks
functions and they will be wiped out by the closure generated by
MSHookFunction. The proper function to hook is
ABCCopyArrayOfAllPeopleInSourceWithSortOrdering. See my similar package for an
example: <https://github.com/rpetrich/ContactPrivacy>

Kudos to beating me to a release.

~~~
bri3d
This version is substantially better than mine - in addition to the correct
hook mentioned in the parent comment, ryanpetrich's code uses a private
CoreFoundation API rather than UIAlert which is both safe to access from non-
main threads and blocking, making the tweak both simpler (no dispatch or
blocks) and allowing it to pop up a "yes/no" dialog.

I've updated the README in my GitHub repo to point here and I'm considering
ContactPrivacy a better replacement for AddressBookPrivacy at this time.

Here's to hoping Apple does something like this in a future release of iOS.

------
jazzychad
Surprise! Likewise, Instagram uploads your contact list to their servers
(phone numbers, names, emails) to help find friends (confirmed with mitmproxy
as well). At least you have to click "Find from my contact list" first.

This practice is super-common. The last ordeal around this was a year or so
ago with Kik, but then everyone stopped caring. At least Instagram is over
https.

~~~
LaGrange
Uh, if they do it after clicking "Find from my contact list", this is
_totally_ different, that's opt-in. I do think it should be possible to opt-
out from being findable this way, but that's a separate, if related issue.

~~~
reidmain
There is also a difference between "uploads" and "sends".

If they send my address book to their servers, compare it with current users
and then discard it that is pretty good for an opt-in process.

A lot of this seems to be they upload the address book to their servers and
store it permanently. The fact that they don't state this and don't ask for
permission is disturbing.

------
splrb
Thank goodness Apple is scrutinizing all these apps. I definitely like my
walled garden well curated.

~~~
foobarbazetc
Do you really expect Apple to MITM _every_ app (and update) to make sure that
every developer in the world isn't sending random stuff to their servers?

Are you really that anti-Apple to believe that?

Blame the developer, not the distributor.

~~~
Kylekramer
I've bitched about how restrictive Apple is with the App Store plenty, but
that ship has sailed a long time ago. But once you decided to have a
restrictive app store and declare to provide "freedom from programs that steal
your private data" (<http://gawker.com/5539717/>), be the best damn
restrictive app store you can be and actually provide freedom from programs
that steal your private data. Apple has inserted themselves as necessary
component in the developer-customer relationship of iOS (and even declared
privacy as one of the reasons why they are necessary), so they damn well
should take some blame here.

------
Greenisus
As an iOS developer, I've been surprised all along that the SDK gives you full
access to the address book without asking for permission (like Core Location
and the Apple Push Notification Service). I've always thought that would one
day change, and I suspect that posts like this and the one about Path will
make that happen.

~~~
k-mcgrady
I'm also an iOS developer although I've never needed to use the Address Book
API's. I always presumed that some sort of permission was required I'm really
surprised it isn't. I actually think this is a bigger privacy concern than
location access as not only are you giving away access to your contact details
but everyone who has trusted you with theirs.

~~~
panacea
But we are living in a FaceBook World™. And 'contacts sharing' with companies
is completely ubiquitous.

I understand the complaints about all this, but isn't there a massive elephant
in the room that everyone has temporarily forgotten?

------
zackzackzack
Making a prediction: When you wake up tomorrow morning, the front page will be
filled with stories like these about every type of app you can think of. It
will only get worse from here.

~~~
benologist
Worse is an interesting choice of words .... if a bunch of companies get
shamed into respecting people's privacy then that's great, and if it gets the
ball rolling and triggers the wrath of app stores ... that's even better.

~~~
mdonahoe
Worse meaning that these two apps are only the tip of the iceberg. The privacy
damage is worse than we expect.

------
Uchikoma
One has to ask, why don't they upload hashes? This would be sufficient to
check for friends (email,telephone).

Why do they upload real data? Do they sell it? What happens when they go
bankrupt?

~~~
mdonahoe
It's slightly more work, and devs are lazy?

Hashing doesn't really solve the entire problem, though it does prevent the
service from getting addresses it doesn't already know. Allowing an app to see
your contact list is an act of faith.

Maybe bloom filters can save us? :)

------
jnye131
This isn't new or surprising. Working as an iPhone contractor you get asked to
do this sort of stuff all the time. Companies that give something away for
free want your data. Simple.

If someone was going to audit all the popular social apps in the app store I'm
sure that the vast majority would behave in exactly the same way.

------
plasma
What the hell, I definitely don't want some random app I installed getting
access to my contacts, phone numbers, private notes and more.

FARK.

------
iscrewyou
Android's "permissions" in the market aren't looking so bad now are they?

~~~
robocat
I am normally careful to check permissions, but foolishly installed Skype app
(I think Skype uploads complete phone address book when first run).

And I wonder how many PhoneGap based applications (iPhone or Android) have XSS
flaws that a hacker can springboard to snarf the local address book???!!!

~~~
robocat
XSS flaws like:
[http://www.theregister.co.uk/2011/09/20/skype_for_iphone_con...](http://www.theregister.co.uk/2011/09/20/skype_for_iphone_contact_theft/)

------
atldev
This is, of course, happening in a lot of apps and websites. I wrote a quick
note about making it easier to understand TOS here:
[http://clearsignal.posterous.com/do-we-value-our-laundry-
mor...](http://clearsignal.posterous.com/do-we-value-our-laundry-more-than-
our-privacy). Within minutes, olefoo pointed out that
<http://khulaproject.com/> has already tried. Seems like something that could
help.

------
Shank
Why would you not use HTTPS? At minimum? It doesn't take a genius to figure
out how to launch a man in the middle attack and watch traffic from these
devices. I'm actually surprised someone hasn't created a tool that just sniffs
requests from apps, whilst stripping out important information.

------
markchang
Hipster CEO also apologizes for address-book-gate :).

[http://techcrunch.com/2012/02/08/hipster-ceo-also-
apologizes...](http://techcrunch.com/2012/02/08/hipster-ceo-also-apologizes-
for-address-book-gate-calls-for-application-privacy-summit-guest-post/)

------
luckydev
PATH = BITCH

------
artemvv
Unbelievable.

------
baddox
I do not understand why anyone is complaining about anything other than
perhaps Apple's choice to make this an app-level permission rather than a
"one-off" permission.

~~~
mdonahoe
Other reasons: 1\. We are publicly shaming these apps to promote better
behavior. 2\. We are educating each other to be careful when using these apps.

------
dumdumacct
If apps spelled everything they were doing out for you all as you seem to
want, you'd have something equivalent to a TOS to read. Only instead of legal
jargon it would be technical jargon. You'd never read it. And then when it
came out that the app was doing something that was described in it, you'd
bitch and moan and complain just like you are doing now.

I would venture to guess that a large majority of apps in the app store (iOS
and Android) do the same thing Hipster, Path and other mentioned in this
thread do and you don't even know. I don't even what to know what Google and
Apple themselves are doing without telling anyone.

TL;DR: Get over it. Move on.

~~~
k-mcgrady
>> "Get over it."

What a stupid response. I'm not a huge privacy advocate but this is a massive
breach of trust/privacy. Not only are apps taking your personal contact
information but the contact information of everyone you have in your address
book. So regardless of your stance on privacy, the privacy of all of your
contacts is also at stake.

~~~
dumdumacct
If I thought these companies were going to do something malicious with the
data then it would be an issue. These companies aren't spammers. They aren't
criminals. They don't plan to do anything malicious with the data. Your
privacy, my privacy or any of my contacts privacy isn't at risk. It's not at
risk but I don't think someone at Hipster is going through the data and using
it in any way.

~~~
Xylakant
I'll accept the point that maybe hipster or path are not (yet) sifting through
the data they obtained, however, sometimes startups go bankrupt and someone
buys whatever assets are left over. Address data may get sold to a buyer with
a different view of privacy. Servers may get hacked and data gets lost. Keep
in mind that if you're using hipster/path you're not only risking your data
but also the private data of anyone you have in your address book. It's one
thing if friends of mine decide that they hand out their phone number, it's
another thing if they decide to hand out mine.

