> The post is proof positive that path still uploads phonebooks from the app to their servers right after installing it.
Is it? The texts were coming from his phone number, which suggests they were sent from his phone (not necessarily, I know, but you said "proof positive").
I don't know how Android text message sending works, but there is likely some rate limiting to how many texts you can send so they certainly could have been queued up to be sent later.
The sent address on an SMS is as meaningless as it is on an email. SMS gateways allow the sender to use any number or caller ID. I've used it previously as a party trick, it's completely transparent to the user.
I know that, and I said so in the comment, I have used it myself in some projects. I just meant that this is not necessarily "proof positive": there are other ways they could have sent those texts without uploading the user's address book to their server.
I've received no less than two text messages from Path today - both of which were not sent from my friends phones, but rather one of those 5 digit numbers that automated texts seem to use. This is... shady to say the least.
Is it? The texts were coming from his phone number, which suggests they were sent from his phone (not necessarily, I know, but you said "proof positive").
I don't know how Android text message sending works, but there is likely some rate limiting to how many texts you can send so they certainly could have been queued up to be sent later.