Hipster (like Path) uploads your address book emails to its servers (markchang.tumblr.com)
291 points by markchang on Feb 8, 2012 | 77 comments

I wrote a little MobileSubstrate (Jailbroken iPhone) shim to intercept the most common API used to access this data, block its use, and alert the user when it's happening.

It should be available in the BigBoss repository as "Address Book Privacy" sometime tomorrow.

My tweak catches and displays the use of address book data as it happens, and based on my observations I think the Hipster version of address book theft is a lot less egregious than the Path one. Hipster accesses your address book only when you ask it to "Find Friends" - "Contacts" is selected by default. While this certainly shouldn't be the case, it's nowhere near as bad as Path, which sends all your contacts without asking every time you log in (along with again if you select "Find Friends").

ABAddressBookCopyArrayOfAllPeople is implemented as a direct branch to ABCCopyArrayOfAllPeople. Right after that are the ABAddressBookGetPersonWithRecordID and ABAddressBookGetPersonCountShowingLinks functions and they will be wiped out by the closure generated by MSHookFunction. The proper function to hook is ABCCopyArrayOfAllPeopleInSourceWithSortOrdering. See my similar package for an example: https://github.com/rpetrich/ContactPrivacy
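An added sanity check, not code from either tweak, that models the clobbering problem described in the comment above: given a constructed symbol layout and an assumed trampoline size, it reports which neighbouring functions an inline hook at a given entry point would overwrite, and picks the candidate that can be hooked safely. Addresses, sizes and trampoline lengths are illustrative assumptions, not values from any iOS build.

```python
# Constructed symbol layout (illustrative only, not taken from any iOS build).
# The first entry models a function that is nothing but a 4-byte branch to its
# real implementation, with its neighbours packed immediately after it.
SYMBOLS = [
    ("ABAddressBookCopyArrayOfAllPeople", 0x1000, 4),
    ("ABAddressBookGetPersonWithRecordID", 0x1004, 4),
    ("ABAddressBookGetPersonCountShowingLinks", 0x1008, 0x20),
    ("ABCCopyArrayOfAllPeopleInSourceWithSortOrdering", 0x2000, 0x80),
]

# Assumed number of bytes an inline hook overwrites at the target's entry to
# branch to the replacement; real values depend on the hooking library and ISA.
TRAMPOLINE_BYTES = {"arm": 8, "thumb2": 12}


def clobbered_by_hook(symbols, target, trampoline_len):
    """Names of every other symbol whose bytes a trampoline at `target` would overwrite."""
    table = {name: (addr, size) for name, addr, size in symbols}
    start, _ = table[target]
    end = start + trampoline_len
    # Interval overlap test between [start, end) and each neighbour's [addr, addr+size).
    return [name for name, addr, size in symbols
            if name != target and addr < end and addr + size > start]


def fits_inside_target(symbols, target, trampoline_len):
    """True when the target function is long enough to hold the trampoline on its own."""
    table = {name: (addr, size) for name, addr, size in symbols}
    return table[target][1] >= trampoline_len


def choose_hook(symbols, candidates, isa="arm"):
    """Pick the first candidate that can be hooked without touching any neighbour."""
    n = TRAMPOLINE_BYTES[isa]
    for name in candidates:
        if fits_inside_target(symbols, name, n) and not clobbered_by_hook(symbols, name, n):
            return name
    return None


if __name__ == "__main__":
    for isa, n in TRAMPOLINE_BYTES.items():
        hit = clobbered_by_hook(SYMBOLS, "ABAddressBookCopyArrayOfAllPeople", n)
        print(f"{isa}: hooking the 4-byte branch would overwrite {hit}")
    print("safe target:", choose_hook(SYMBOLS, [
        "ABAddressBookCopyArrayOfAllPeople",
        "ABCCopyArrayOfAllPeopleInSourceWithSortOrdering",
    ]))
```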

Kudos to beating me to a release.

This version is substantially better than mine - in addition to the correct hook mentioned in the parent comment, ryanpetrich's code uses a private CoreFoundation API rather than UIAlert which is both safe to access from non-main threads and blocking, making the tweak both simpler (no dispatch or blocks) and allowing it to pop up a "yes/no" dialog.

I've updated the README in my GitHub repo to point here and I'm considering ContactPrivacy a better replacement for AddressBookPrivacy at this time.

Here's to hoping Apple does something like this in a future release of iOS.

I think the Hipster version of address book theft is a lot less egregious than the Path one.

At least Path did it over https. There's no excuse for sending private information over http.

Random observation from reading the source: your tweak is going to cause issues (possibly crashes) if the application is accessing the address book on a non-main thread. You should dispatch_async() that alert over to the main thread.

It actually just causes CoreAnimation fence issues and messy animations as far as I can tell, but you're entirely right. Fixing in my next commit (which also fixes some other brokenness). Even had a note in the TODO about it.

This is the first time I've used MobileSubstrate and Logos, so I'm having a lot of fun :)

update: fixed.

Since you seem to be enjoying the experience, feel free to join #theos on irc.saurik.com, it's all we discuss!

You may only be seeing CoreAnimation fencing issues, but the fact is, you're accessing main-thread-only classes from a background thread, and it has the potential to corrupt data structures which can lead to crashes and other bad behavior.

Glad to see you fixed it though.

This is an awesome little tweak. I'm really glad to see more competent people using Theos and Logos to implement useful things!

I've got one minor nit to pick, and that's that you're using Logos, but only for its %ctor directive! Not that that's a bad thing, it gets more language coverage!

You could possibly extend this to hook those parts of those apps individually or on a case-by-case basis, and present a different/better UI for them in particular.

Great to hear you like the tweak. Theos and Logos made the whole process a lot easier, so thank you!

I plan to use Logos to add a delegate class for the UIAlert such that I can pop up an "allow/deny" dialog, to start, and then to move on to a more full-featured preference system. I'm just thinking about how to block the thread requesting the address book information while I wait for the user to dismiss the alert.

I've been poking around at various Logos + Theos projects on GitHub and I'm impressed at what a little Perl magic can do - I'm definitely excited to dive deeper as I add features.

Cool. Too bad about the jailbreak requirement :).

Hipster doesn't leak as much information, but it is almost just as persistent. You can uncheck the "Contacts" button when you enter that preference, but only after the app sends your data. Also, if you come back to the screen, it reverts to checked. They are really filter buttons, and not stateful, apparently.

But yes, it doesn't happen every time.

"Too bad about the jailbreak requirement :)" :(

Jailbreaking means so many different things to different people. I know it causes issues with Apple-sanctioned updates, but sometimes those issues are just plain worth it.

All the stability issues, all the battery life issues, and all of the downsides apart from a more complicated update process are first and foremost effectively made-up. There's no solid data to back those things.

Jailbreaking has time and time again patched vulnerabilities that Apple didn't (in a timely manner), and proven that it is a valuable part of the ecosystem.

I only meant that it wouldn't improve the lives of the vast majority of iPhone users. No complaints about jailbreaking from me! :)

Nice work! However, you seem to have forgotten to add theos as a submodule. Without it, people cannot build this on their own if they choose to do so.

Good point, although most of the tweaks I've seen on GitHub seem to omit theos and assume the user can find and install it.

I'm not a tremendous fan of submodules but this is a good use case for one; I'll add theos as a submodule and push a commit in a second.

Edit: Done, but users have to manually download ldid (presumably due to licensing issues) anyway.

Thank you for the feedback and advice!

Users have to manually download ldid only because I aspire to keep Theos a binary-free distribution: it's totally cross-platform where you have GNU make and bash (and, for Logos, perl).

I guess it is a matter of personal preference, but I see it as "why not?", especially because the THEOS environment variable is respected.

This is huge. Thanks bri3d.

Surprise! Likewise, Instagram uploads your contact list to their servers (phone numbers, names, emails) to help find friends (confirmed with mitmproxy as well). At least you have to click "Find from my contact list" first.

This practice is super-common. The last ordeal around this was a year or so ago with Kik, but then everyone stopped caring. At least Instagram is over https.

Uh, if they do it after clicking "Find from my contact list", this is totally different, that's opt-in. I do think it should be possible to opt-out from being findable this way, but that's a separate, if related issue.

There is also a difference between "uploads" and "sends".

If they send my address book to their servers, compare it with current users and then discard it that is pretty good for an opt-in process.

A lot of this seems to be they upload the address book to their servers and store it permanently. The fact that they don't state this and don't ask for permission is disturbing.

Right. Kik did it without having an opt-out. At least Instagram does it after you tell it to. Path and Hipster? They just do it. Hipster, to a lesser degree.

Same with HeyZap.

Thank goodness Apple is scrutinizing all these apps. I definitely like my walled garden well curated.

Surprise! Apple doesn't give a shit that this is happening. If they didn't want developers to have the data, they wouldn't have made the API public. Apple even touts this as a feature in their public-facing developer site!

Quote from https://developer.apple.com/technologies/ios/data-management...

"iOS apps even have access to a device’s global data such as contacts in the Address Book, and photos in the Photo Library"

This is in no way a failure of the App Review process. This is a failure in the way Apple expects user data to be treated. Lots of developers do this. The only way to stop this is a change in Apple policy, end of story.

This seems like a serious policy 'bug' indeed. The app developers have their part of the fault, but if someone just gives you free stuff, why not just take it.

Do you really expect Apple to MITM every app (and update) to make sure that every developer in the world isn't sending random stuff to their servers?

Are you really that anti-Apple to believe that?

Blame the developer, not the distributor.

I've bitched about how restrictive Apple is with the App Store plenty, but that ship has sailed a long time ago. But once you decided to have a restrictive app store and declare to provide "freedom from programs that steal your private data" (http://gawker.com/5539717/), be the best damn restrictive app store you can be and actually provide freedom from programs that steal your private data. Apple has inserted themselves as a necessary component in the developer-customer relationship of iOS (and even declared privacy as one of the reasons why they are necessary), so they damn well should take some blame here.

Yes, or at least not allow open APIs that make it so simple. What else is the point of a walled garden? They're able to make sure all their other arcane rules are followed (like Amazon linking to their web store), they should be able to keep data safe.

It would be absolutely trivial for Apple to flag apps which use the Address Book APIs for closer inspection (including making sure that the user has to opt in to have their Address Book sent anywhere) - the same Apple tool which detects access to unauthorized ("private") Objective-C APIs could just as easily flag access to the AddressBook framework.

As an iOS developer, I've been surprised all along that the SDK gives you full access to the address book without asking for permission (like Core Location and the Apple Push Notification Service). I've always thought that would one day change, and I suspect that posts like this and the one about Path will make that happen.

I'm also an iOS developer, although I've never needed to use the Address Book APIs. I always presumed that some sort of permission was required; I'm really surprised it isn't. I actually think this is a bigger privacy concern than location access, as not only are you giving away access to your contact details but everyone who has trusted you with theirs.

But we are living in a FaceBook World™. And 'contacts sharing' with companies is completely ubiquitous.

I understand the complaints about all this, but isn't there a massive elephant in the room that everyone has temporarily forgotten?

I can see a good argument in favour of it - of _course_ I want non-Apple apps to be able to autocomplete friends' names/emails as I start typing them. And of _course_ apps need to be able to send a bunch of data "back home". Making sure that apps don't send the address book data from sentence 1 in a data block from sentence 2 is the problem...

The problem is that making a change like requiring authorisation (à la Core Location) for Address Book would cause backwards compatibility hell.

iOS could prompt the user for permission when the contact list is accessed, with temporarily/permanently allow/deny options. If the user says yes, the app gets access, if the user says no, the app gets "spoofed" access, to an empty contact list.

Making a prediction: When you wake up tomorrow morning, the front page will be filled with stories like these about every type of app you can think of. It will only get worse from here.

Worse is an interesting choice of words .... if a bunch of companies get shamed into respecting people's privacy then that's great, and if it gets the ball rolling and triggers the wrath of app stores ... that's even better.

Worse meaning that these two apps are only the tip of the iceberg. The privacy damage is worse than we expect.

If companies could get shamed into doing anything, the world would be a different place. But to a company there is no such thing as shame, there is only the fear that public reaction will negatively impact their bottom line.

I have little doubt. My only question/interest is - what is the most high-profile and also the most odd-ball app/company that will be found to have done this.

Beluga, Kik Messenger, Path, Hipster... Who else?

I am thinking of precise reasons why these services want the e-mail addresses in the first place. Is it to create a social network graph of the email addresses? Does this mean that all of these small services have a social graph? That doesn't seem so bad given that most people have already given that to one very large institution.

If registration requires an email, they can help you find your friends using the app.

Ah, right. Probably shows I'm still practicing abstinence, i.e. no smart phone with 3G plan yet. Still seems it's a lot less to be concerned about in comparison to what other organizations own. I suppose the sneaky under-the-hood part is what's jarring.

One has to ask, why don't they upload hashes? This would be sufficient to check for friends (email, telephone).

Why do they upload real data? Do they sell it? What happens when they go bankrupt?

It's slightly more work, and devs are lazy?

Hashing doesn't really solve the entire problem, though it does prevent the service from getting addresses it doesn't already know. Allowing an app to see your contact list is an act of faith.

Maybe bloom filters can save us? :)
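A worked version of the hashing and Bloom-filter ideas raised in the comments above, as an added example that is not code from any of the apps discussed: the server publishes a Bloom filter of its registered (normalised) identifiers, and the client tests its own address book against it locally, so no contact data is uploaded at all. All identifiers and contacts are constructed sample data.

```python
import hashlib
import math

# Constructed sample data (not from the thread): the service's registered users
# and one client's address book.  Bob is not registered anywhere.
REGISTERED_USERS = ["alice@example.com", "carol@example.org", "+1 555 010 0100"]
CONSTRUCTED_CONTACTS = [
    ("Alice", " Alice@Example.com "),
    ("Bob", "bob@example.net"),
    ("Carol", "carol@example.org"),
    ("Dave", "+1 (555) 010-0100"),
]


def normalize(identifier: str) -> str:
    """Canonicalise an email or phone number so client and server hash the same string."""
    s = identifier.strip().lower()
    if "@" in s:
        return s
    return "".join(ch for ch in s if ch.isdigit())


class BloomFilter:
    """Plain Bloom filter: m bits, k positions per item derived from one SHA-256."""

    def __init__(self, expected_items: int, fp_rate: float):
        n = max(1, expected_items)
        # Standard sizing: m = -n ln p / (ln 2)^2 bits, k = (m/n) ln 2 hash positions.
        self.m = max(8, math.ceil(-n * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / n * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: str):
        digest = hashlib.sha256(normalize(item).encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so positions spread
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def build_server_filter(registered, fp_rate: float = 1e-6) -> BloomFilter:
    """Server side: publish a filter of registered identifiers instead of
    receiving address books.  Note the trade-off: anyone holding the filter can
    probe whether a guessed address or number is registered."""
    bf = BloomFilter(len(registered), fp_rate)
    for ident in registered:
        bf.add(ident)
    return bf


def find_friends_locally(bf: BloomFilter, contacts) -> list:
    """Client side: test each contact against the downloaded filter; nothing
    leaves the device.  A hit may be a false positive, so the app should treat
    it as a candidate to confirm, not as proof that the contact is a member."""
    return [name for name, ident in contacts if ident in bf]


if __name__ == "__main__":
    server_filter = build_server_filter(REGISTERED_USERS)
    print(f"filter: {server_filter.m} bits, {server_filter.k} hashes")
    print("candidates:", find_friends_locally(server_filter, CONSTRUCTED_CONTACTS))
```

The same normalisation is what a hashed-upload scheme needs too, and the caveat from the comments still applies there: a hash of a phone number protects very little because the space of numbers is small enough to enumerate, which is why keeping the match on the device is the stronger design.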

This isn't new or surprising. Working as an iPhone contractor you get asked to do this sort of stuff all the time. Companies that give something away for free want your data. Simple.

If someone was going to audit all the popular social apps in the app store I'm sure that the vast majority would behave in exactly the same way.

Android's "permissions" in the market aren't looking so bad now are they?

I am normally careful to check permissions, but foolishly installed Skype app (I think Skype uploads complete phone address book when first run).

And I wonder how many PhoneGap based applications (iPhone or Android) have XSS flaws that a hacker can springboard to snarf the local address book???!!!

What the hell, I definitely don't want some random app I installed getting access to my contacts, phone numbers, private notes and more.

FourSquare Too.

Here was their response to my complaint.

Subject: Do you store my contacts?

From <MYNAME> (via gmail.com) to privacy:

Hi.

I recently downloaded the Android Foursquare application. It automatically started scanning the contacts on my phone.

Questions:

1. Does the application upload my contacts to FourSquare?

2. If so, does FourSquare store my contacts?

From <FOURSQUARE-SUPPORT> to <MYNAME>:

We do not store or upload contacts! It's a one-time search of your phone's contacts to find friends to add on foursquare.

See more information at foursquare.com/privacy/grid and https://foursquare.com/legal/terms

From <MYNAME> (via gmail.com):

I think you must upload my contacts to your servers to identify which ones are on foursquare.

When you upload them, do you send them in plaintext or encrypted?

From <FOURSQUARE-SUPPORT> to <MYNAME>:

Right, yes, we do send info to the server but do not save anything. All foursquare pages are encrypted as of April 6.

From <MYNAME> (via gmail.com) to <FOURSQUARE-SUPPORT>:

It's nice to know your pages are encrypted, but my question relates to when you sent all my contacts to your server from your mobile app. Did it use an encrypted connection to do this?

From <FOURSQUARE-SUPPORT> to <MYNAME>:

Yes, any information sent via any foursquare page, mobile or otherwise, is encrypted.

From <MYNAME> (via gmail.com) to <FOURSQUARE-SUPPORT>:

Thanks for the confirmation.

One final thing - it would be polite for your app to request permission before scanning my phone and uploading all my contacts to your server. Please consider it a complaint that it did not ask permission.

From <FOURSQUARE-SUPPORT> to <MYNAME>:

We totally agree! When you download foursquare, we list the permissions that you are giving us, including scanning your contacts list (which we do not save or store). See here: http://cl.ly/18433L2s3g1T13070y0X.

From <MYNAME> (via gmail.com) to <FOURSQUARE-SUPPORT>:

We don't agree.

It is not made clear that you are going to scan for my contacts and upload them.

You should explicitly make me aware and ask for permission in advance of doing that.

Furthermore, your tone and wilfully ignoring my legitimate complaint is annoying.

From <FOURSQUARE-SUPPORT> to <MYNAME>:

<MYNAME>, I'm sorry you feel that way! I have spent time talking to four different engineers (two server engineers about what info is stored and how information is transferred, and two Android developers) about your questions out of respect and concern for you as a user with a valid query. I take all user questions and concerns seriously and as a member of the Product team, pass on this sort of complaint so that we can be sensitive to the fact that if one person is asking/upset about something, there are probably others. Sorry if I did not do a good job of conveying the way I run community and support for foursquare in my tone. Sometimes email is hard in that sense. I hope you know that we care and appreciate your emails.

From <FOURSQUARE-SUPPORT> to <MYNAME>:

Also, since we don't save your contacts in any way, I'm not sure that we are actually "uploading" them. Is there something else that is bothering you? Perhaps I'm not understanding your concern completely--we aren't telling your contacts that you are using foursquare nor are we automatically adding them as your friends, we're merely searching your phone's contacts for other people you know who are also using foursquare so that you can then decide which of those you'd like to send a friend request to. Can you please let me know what part of this you find troubling so I can pass on your concerns? Thank you!

From <MYNAME> (via gmail.com) to <FOURSQUARE-SUPPORT>:

Uploading means essentially the same thing as sending for the purposes of this complaint.

uploading: present participle of up·load. Verb: Transfer (data) to a larger computer system.

As for my concern, I can only repeat myself. It is disappointing that you don't immediately understand why this is a problem.

From <FOURSQUARE-SUPPORT> to <MYNAME>:

Thanks for voicing your concern. I'm passing it on.

I think they answered your question pretty thoroughly and promptly, despite your intense neckbearding.

Certainly more thoroughly than the Path guys.

Stop being such a zuck[1], calling security-consciousness "neckbearding".

[1] A zuck: someone who, due to a combination of ignorance and malice, is dismissive of others' efforts to improve their security and protect their privacy.

I believe the “neckbearding” referred to berating this poor support staffer for his/her lack of technical expertise. The guy/gal was pretty clearly doing the best he/she could, and the responses from the “security conscious” user could have conveyed the same message with a lot less condescension.

The guy/gal was pretty clearly doing the best he/she could

Awww... The little guy was doing his best. Oh, wait. You're not talking about a puppy, but the customer-facing front of a company?

Strangely, qualified engineers and security experts keep turning down the consumer-facing support jobs.

OK, seriously, those were some of the best support responses to a customer complaint I've read in a LONG time. The support person was super friendly, spoke to several devs internally to get a good resolution, and really tried their best to help this annoyingly persistent customer with their complaint. Calling them names is totally uncalled for here in my view.

Yeah I failed to see the problem with his complaint. He complained, they responded, and responded, and even responded unprovoked.

"Do you store my contacts" .. "no." "Ok, uh, I don't like your tone. Please respond to this new issue."

I don't think this person understands that he doesn't actually have a complaint with foursquare.

If more of us were prepared to complain about this stuff, none of us would have to complain about this stuff.

From my perspective, after reading the above conversation, FourSquare provided a good level of support, and you were a rude and unnecessarily confrontational user.

The Foursquare app says that it wants the ability to access your address book, and you gave it permission to do this by installing it.

You then press the "find my friends" button and are surprised by the fact that it sends information about your friends to Foursquare?

The only valid complaint you could have is if they stored the information on their server permanently, but based on this conversation they don't, which is the best procedure.

The second you click "find my friends" you've opted into this. How the hell do you think they are finding out who your friends are? Magic?

There is a fine line between annoying the user and doing things without their permission and in this scenario Foursquare is better than the majority of other applications out there.

"Furthermore, your tone and wilfully ignoring my legitimate complaint is annoying."

It is standard customer service industry faux-friendliness/faux-compassion. It is infuriating, but I guess it works on the idiot majority of customers because most companies talk this way.

What a horribly pessimistic view. It's clear that they were working hard to help, what's your reasoning for thinking like that?

This is, of course, happening in a lot of apps and websites. I wrote a quick note about making it easier to understand TOS here: http://clearsignal.posterous.com/do-we-value-our-laundry-mor.... Within minutes, olefoo pointed out that http://khulaproject.com/ has already tried. Seems like something that could help.

Why would you not use HTTPS? At minimum? It doesn't take a genius to figure out how to launch a man in the middle attack and watch traffic from these devices. I'm actually surprised someone hasn't created a tool that just sniffs requests from apps, whilst stripping out important information.

Hipster CEO also apologizes for address-book-gate :).
I do not understand why anyone is complaining about anything other than perhaps Apple's choice to make this an app-level permission rather than a "one-off" permission.

Other reasons:

1. We are publicly shaming these apps to promote better behavior.

2. We are educating each other to be careful when using these apps.

If apps spelled everything they were doing out for you all as you seem to want, you'd have something equivalent to a TOS to read. Only instead of legal jargon it would be technical jargon. You'd never read it. And then when it came out that the app was doing something that was described in it, you'd bitch and moan and complain just like you are doing now.

I would venture to guess that a large majority of apps in the app store (iOS and Android) do the same thing Hipster, Path and others mentioned in this thread do and you don't even know. I don't even want to know what Google and Apple themselves are doing without telling anyone.

TL;DR: Get over it. Move on.

>> "Get over it."

What a stupid response. I'm not a huge privacy advocate but this is a massive breach of trust/privacy. Not only are apps taking your personal contact information but the contact information of everyone you have in your address book. So regardless of your stance on privacy, the privacy of all of your contacts is also at stake.

If I thought these companies were going to do something malicious with the data then it would be an issue. These companies aren't spammers. They aren't criminals. They don't plan to do anything malicious with the data. Your privacy, my privacy or any of my contacts' privacy isn't at risk. It's not at risk but I don't think someone at Hipster is going through the data and using it in any way.

I'll accept the point that maybe hipster or path are not (yet) sifting through the data they obtained, however, sometimes startups go bankrupt and someone buys whatever assets are left over. Address data may get sold to a buyer with a different view of privacy. Servers may get hacked and data gets lost. Keep in mind that if you're using hipster/path you're not only risking your data but also the private data of anyone you have in your address book. It's one thing if friends of mine decide that they hand out their phone number, it's another thing if they decide to hand out mine.

They may not be using it maliciously (I don't think they are either) but they should be handling our data more carefully. And it's possible that they may use this data in the future.

The part you should be worried about is the fact that they are taking the contact info of your friends and family. People who trusted you enough to give you their data. You/we the users should not get to make the judgement call as to whether or not we are going to give their data up.
