It should be available in the BigBoss repository as "Address Book Privacy" sometime tomorrow.
My tweak catches and displays the use of address book data as it happens, and based on my observations I think the Hipster version of address book theft is a lot less egregious than the Path one. Hipster accesses your address book only when you ask it to "Find Friends" - "Contacts" is selected by default. While this certainly shouldn't be the case, it's nowhere near as bad as Path, which sends all your contacts without asking every time you log in (along with again if you select "Find Friends").
Kudos to beating me to a release.
I've updated the README in my GitHub repo to point here and I'm considering ContactPrivacy a better replacement for AddressBookPrivacy at this time.
Here's to hoping Apple does something like this in a future release of iOS.
At least Path did it over https. There's no excuse for sending private information over http.
This is the first time I've used MobileSubstrate and Logos, so I'm having a lot of fun :)
Glad to see you fixed it though.
I've got one minor nit to pick, and that's that you're using Logos, but only for its %ctor directive! Not that that's a bad thing, it gets more language coverage!
You could possibly extend this to hook those parts of those apps individually or on a case-by-case basis, and present a different/better UI for them in particular.
I plan to use Logos to add a delegate class for the UIAlert such that I can pop up an "allow/deny" dialog, to start, and then to move on to a more full-featured preference system. I'm just thinking about how to block the thread requesting the address book information while I wait for the user to dismiss the alert.
I've been poking around at various Logos + Theos projects on GitHub and I'm impressed at what a little Perl magic can do - I'm definitely excited to dive deeper as I add features.
Hipster doesn't leak as much information, but it is almost just as persistent. You can uncheck the "Contacts" button when you enter that preference, but only after the app sends your data. Also, if you come back to the screen, it reverts to checked. They are really filter buttons, and not stateful, apparently.
But yes, it doesn't happen every time.
Jailbreaking means so many different things to different people. I know it causes issues with Apple-sanctioned updates, but sometimes those issues are just plain worth it.
All the stability issues, all the battery life issues, and all of the downsides apart from a more complicated update process are first and foremost effectively made-up. There's no solid data to back those things.
Jailbreaking has time and time again patched vulnerabilities that Apple didn't (in a timely manner), and proven that it is a valuable part of the ecosystem.
I'm not a tremendous fan of submodules but this is a good use case for one; I'll add theos as a submodule and push a commit in a second.
Edit: Done, but users have to manually download ldid (presumably due to licensing issues) anyway.
Thank you for the feedback and advice!
This practice is super-common. The last ordeal around this was a year or so ago with Kik, but then everyone stopped caring. At least Instagram is over https.
If they send my address book to their servers, compare it with current users and then discard it that is pretty good for an opt-in process.
A lot of this seems to be they upload the address book to their servers and store it permanently. The fact that they don't state this and don't ask for permission is disturbing.
Quote from https://developer.apple.com/technologies/ios/data-management...
"iOS apps even have access to a device’s global data such as contacts in the Address Book, and photos in the Photo Library"
This is in no way a failure of the App Review process. This is a failure in the way Apple expects user data to be treated. Lots of developers do this. The only way to stop this is a change in Apple policy, end of story.
Are you really that anti-Apple to believe that?
Blame the developer, not the distributor.
I understand the complaints about all this, but isn't there a massive elephant in the room that everyone has temporarily forgotten?
Why do they upload real data? Do they sell it? What happens when they go bankrupt?
Hashing doesn't really solve the entire problem, though it does prevent the service from getting addresses it doesn't already know. Allowing an app to see your contact list is an act of faith.
Maybe bloom filters can save us? :)
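As an added illustration of the hashing point above (not part of the thread, and not code from any of the apps discussed): a sketch of hashed contact matching in Python. The e-mail addresses are constructed and the names `Service` and `client_find_friends` are hypothetical. It shows that addresses the service doesn't already know reach it only as digests, while it still learns which of its members are in the uploader's address book.

```python
import hashlib

def normalize(email):
    # Both sides must canonicalize identically or equal addresses will not match.
    return email.strip().lower()

def digest(email):
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

class Service:
    """Hypothetical server side: it knows its own members' e-mail addresses."""
    def __init__(self, member_emails):
        self._members = {digest(e): normalize(e) for e in member_emails}
        self.learned = {}   # uploader -> member addresses now linked to them
        self.opaque = {}    # uploader -> count of digests that matched nothing

    def find_friends(self, uploader, digests):
        matches = [d for d in digests if d in self._members]
        # Residual exposure: every match is an address the service already
        # holds, so it can record "uploader knows this member".
        self.learned[uploader] = {self._members[d] for d in matches}
        # Non-matching digests are not resolved to an address by this lookup.
        self.opaque[uploader] = len(digests) - len(matches)
        return matches

def client_find_friends(service, uploader, address_book):
    # Hash locally; only digests leave the device.
    local = {digest(e): normalize(e) for e in address_book}
    matched = service.find_friends(uploader, sorted(local))
    return sorted(local[d] for d in matched)

# Constructed sample data.
MEMBERS = ["alice@example.com", "bob@example.com"]
ADDRESS_BOOK = [" Alice@Example.com ", "carol@example.net", "bob@example.com"]

if __name__ == "__main__":
    svc = Service(MEMBERS)
    print("friends found:", client_find_friends(svc, "dave", ADDRESS_BOOK))
    print("service can now link dave to:", sorted(svc.learned["dave"]))
    print("digests the service could not resolve:", svc.opaque["dave"])
```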
If someone was going to audit all the popular social apps in the app store I'm sure that the vast majority would behave in exactly the same way.
And I wonder how many PhoneGap based applications (iPhone or Android) have XSS flaws that a hacker can springboard to snarf the local address book???!!!
Here was their response to my complaint.
Subject: Do you store my contacts?
<MYNAME> ✆ via gmail.com
I recently downloaded the Android Foursquare application. It automatically started scanning the contacts on my phone.
1. Does the application upload my contacts to FourSquare?
2. If so, does FourSquare store my contacts?
We do not store or upload contacts! It's a one-time search of your phone's contacts to find friends to add on foursquare.
See more information at foursquare.com/privacy/grid and https://foursquare.com/legal/terms
I think you must upload my contacts to your servers to identify which ones are on foursquare.
When you upload them, do you send them in plaintext or encrypted?
Right, yes, we do send info to the server but do not save anything. All foursquare pages are encrypted as of April 6.
<MYNAME> ✆ via gmail.com
It's nice to know your pages are encrypted, but my question relates to when you sent all my contacts to your server from your mobile app. Did it use an encrypted connection to do this?
yes, any information sent via any foursquare page, mobile or otherwise, is encrypted.
Thanks for the confirmation.
One final thing - it would be polite for your app to request permission before scanning my phone and uploading all my contacts to your server. Please consider it a complaint that it did not ask permission.
We totally agree! When you download foursquare, we list the permissions that you are giving us, including scanning your contacts list (which we do not save or store). See here: http://cl.ly/18433L2s3g1T13070y0X.
We don't agree.
It is not made clear that you are going to scan for my contacts and upload them.
You should explicitly make me aware and ask for permission in advance of doing that.
Furthermore, your tone and wilfully ignoring my legitimate complaint is annoying.
I'm sorry you feel that way! I have spent time talking to four different engineers (two server engineers about what info is stored and how information is transferred, and two Android developers) about your questions out of respect and concern for you as a user with a valid query. I take all user questions and concerns seriously and as a member of the Product team, pass on this sort of complaint so that we can be sensitive to the fact that if one person is asking/upset about something, there are probably others. Sorry if I did not do a good job of conveying the way I run community and support for foursquare in my tone. Sometimes email is hard in that sense. I hope you know that we care and appreciate your emails.
Also, since we don't save your contacts in any way, I'm not sure that we are actually "uploading" them. Is there something else that is bothering you? Perhaps I'm not understanding your concern completely--we aren't telling your contacts that you are using foursquare nor are we automatically adding them as your friends, we're merely searching your phone's contacts for other people you know who are also using foursquare so that you can then decide which of those you'd like to send a friend request to. Can you please let me know what part of this you find troubling so I can pass on your concerns? Thank you!
<MYNAME> ✆ via gmail.com
Uploading means essentially the same thing as sending for the purposes of this complaint.
uploading: present participle of up·load
Verb: Transfer (data) to a larger computer system.
As for my concern, I can only repeat myself. It is disappointing that you don't immediately understand why this is a problem.
Thanks for voicing your concern. I'm passing it on.
Certainly more thoroughly than the Path guys.
A zuck: someone who, due to a combination of ignorance and malice, is dismissive of others' efforts to improve their security and protect their privacy.
Awww... The little guy was doing his best. Oh, wait. You're not talking about a puppy? but the customer-facing front of a company?
"Do you store my contacts" .. "no." "Ok, uh, I don't like your tone. Please respond to this new issue."
I don't think this person understands that he doesn't actually have a complaint with foursquare.
You then press the "find my friends" button and are surprised by the fact that it sends information about your friends to Foursquare?
The only valid complaint you could have is if they stored the information on their server permanently but based on this conversation they don't which is the best procedure.
The second you click "find my friends" you've opted into this. How the hell do you think they are finding out who your friends are? Magic?
There is a fine line between annoying the user and doing things without their permission and in this scenario Foursquare is better than the majority of other applications out there.
It is standard customer service industry faux-friendliness/faux-compassion. It is infuriating but I guess it works on the idiot majority of customers because most companies talk this way.
I would venture to guess that a large majority of apps in the app store (iOS and Android) do the same thing Hipster, Path and others mentioned in this thread do and you don't even know. I don't even want to know what Google and Apple themselves are doing without telling anyone.
TL;DR: Get over it. Move on.
What a stupid response. I'm not a huge privacy advocate but this is a massive breach of trust/privacy. Not only are apps taking your personal contact information but the contact information of everyone you have in your address book. So regardless of your stance on privacy, the privacy of all of your contacts is also at stake.
The part you should be worried about is the fact that they are taking the contact info of your friends and family. People who trusted you enough to give you their data. You/we the users should not get to make the judgement call as to whether or not we are going to give their data up.