Potentially thousands of apps could be forced to update when Apple introduces new contact data rules for App Store software, as the company reacts to outcries around content privacy. Apple confirmed the incoming data protection changes yesterday, after popular social network app Path was found to upload each user’s contacts to its servers without notifying them first. However, according to research last year, there could be thousands of apps doing similar things.
“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.” - Apple Contact Data Privacy statement
Researchers at the University of California at Santa Barbara and the International Security Systems Lab examined a sample of iOS apps (along with Android titles) in a study last year, to see what user data was sent back to the developers’ servers. They developed a new tool, PiOS, which analyzes what information has been transmitted, and found that 0.5 percent of the apps tested sent address book data without making the upload as clear to the user as location sharing is made.
For instance, some apps included warnings in their documentation that contact uploads might take place, but did not show a direct alert when an upload actually happened. In contrast, apps are currently required to flag up a location warning when they want to use your current position.
Although 0.5 percent is a relatively small number, with over 500,000 apps currently in the App Store there’s plenty of scope for other Path-style behavior in third-party software. Apple has yet to confirm when the new guidelines will come into operation.