Apple stops app contact-info misuse. Shhhh, it's a secret!

Richi Jennings, Industry analyst and editor, RJAssociates

Apple is changing the rules again. iOS and macOS apps in the App Store must not misuse access to a user’s contacts.

No spamming. No selling the data. No violating GDPR. And no using for any other purpose than the one you disclosed.

But weirdly, Apple doesn’t seem to have told anyone about it. In this week’s Security Blogwatch, we do Apple’s job for it.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Trippy 

Digital herpes???

What’s the craic? Sarah Frier and Mark Gurman—Apple Tries to Stop Developers Sharing Data on Users' Friends:

The move cracks down on a practice that’s been employed for years. Developers ask users for access to their phone contacts, then use it for marketing and sometimes share or sell the information — without permission from the other people … to juice growth and make money.

Anyone caught breaking the rules may be banned. [Apple] hasn’t drawn … much attention to the recent change to its App Store rules, though.

While Apple is acting now, the company can’t go back and retrieve the data that may have been shared. … An iPhone user can go into their settings and turn off apps’ contacts permissions. That turns off the data faucet, but doesn’t return information already gathered.

[This] has been the basis of viral growth for apps like the 2016 sensation Down To Lunch, which let people invite all their friends to lunch at the same time. It’s also been a common tool in political campaigns. … ChitChat was built by Swipe Labs, a social product design studio that was using contact list access to market its new messaging service.

People complained on Twitter, where venture capitalist Chris Sacca called it "the herpes of contact lists."

Oh, that’s going to be “interesting.” Buster Hein has Apple bans apps from selling your friends’ contact info:

iOS apps that misuse iPhone owners’ contact data … are about to get slammed. … Apple revealed a number of new ways it’s trying to protect users’ privacy at WWDC 2018, but one major change that wasn’t mentioned … could have huge ramifications.

In the past, some apps would get permission to view an iPhone’s contact list saying it was for one thing and then they would turn around and use it for something else. … Apple is also forbidding apps from contacting people using information collected via a user’s contacts.

And what about the elephant in the room? Chance Miller—New App Store privacy rules could let Apple remove Facebook’s spyware-like Onavo VPN service:

In February, Facebook started rolling out a new “Protect” feature to its iOS application. [It] linked to the Onavo Protect app in the iOS App Store. Facebook acquired Onavo in 2013.

User data was being collected through Onavo and used to improve Facebook products and services. … Apple’s crackdown on harvesting user contact data could be viewed as a direct response.

At this point, the Onavo Protect application is still available via the App Store and it’s unclear what steps Apple might take to remove it – or if Facebook will be given time to change its data collection practices.

Ah, let’s kick Facebook when it’s down, eh? Dare Obasanjo dares to be cynical: [You’re fired—Ed.]

Apple realizes it has its own #CambridgeAnalytica problem from iOS apps accessing user contact lists and is now trying to close the barn door after the horse has escaped.

However, Apple's spin as being the anti-Facebook means press will give them a pass.

Inferences from access to contacts' email addresses are how Facebook powers features like its creepily accurate friend suggestions. This seems like way more of a concern than whether an app can get pages liked by a friend's FB ID.

It’s about time, amirite? This Anonymous Coward certainly thinks so:

Someone has finally seen sense. This has been the biggest tragedy of the era. I honestly don’t think people realised they were selling their friends out when they click on that “access your contacts” “for your convenience” permission (if even asked).

And get with the times, it’s not about “their contact details”; it’s about their networks!

And this might not just affect startups—according to 5723alex:

So WhatsApp will be banned as the app harvests users' contact lists and shares the data with Facebook even if the users don't have a Facebook account.

Interesting. vanyel agrees:

That's one of the main reasons I don't use WhatsApp: its model depends on grabbing your contact book and making a worldwide graph of connections. I'm in it whether I want to be or not, simply because some of my friends use it.

But isn’t this just unnecessary nannying? Zach Tratar seems to think so:

The most recent apps that bombarded users this way saw so many 1 star reviews it destroyed their brands.

For a different reason, Mike Dudas thinks so too:

Apple ensures that today’s dominant social networks will remain dominant by shutting off access to the address book. Good luck building a useful, large community.

You can get access in one shot and if people don’t sign up, that’s it. … The biggest social networks on Earth won because of the address book scrape and are now entrenched.

[It] cements yesterday’s winners as tomorrow’s winners.

Meanwhile, Sam Friedewald couldn’t disagree more:

So they are stopping predatory "growth hacking" and you think that's bad? The tactics used by today's social networks were questionable at best.

The moral of the story?

Is your app scraping contacts? Even if you’re not misusing the data, are you sure what your (ahem) “growth hackers” are doing?

And finally …
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Dee Teal (cc:by-nd)