The Controversy Surrounding Path; iOS’s Address Book API
Earlier this week, Path got caught up in controversy when it was discovered that its iPhone app was uploading each user’s entire address book to Path’s servers. Today, they set things right with a public apology and an announcement that they’d deleted all of the data and released an updated version of the app that explicitly asks the user if Path can use the contact database. This was without a doubt the right move for them, but it is a result of a larger issue.
I’m shocked that Apple allowed this in the first place. Applications are given, if they so choose, full access to any iPhone’s contacts database without any user interaction whatsoever. The behavior never has to be authorized, and cannot be turned off. This isn’t the first time it’s come up, either. I, for one, won’t be contented until Apple fixes their policy and requires user authorization for address book access.
Location Services is exactly how I imagine this would work. Each app that wants access to a user’s contacts would prompt once in-app, and then control would be diverted to a switch inside Settings. A “Contact Services” menu would let the user see which apps have accessed (or are accessing) his/her contacts and turn off that access either on an app-to-app basis or altogether.
It surprises me that this behavior has gone unchanged by Apple for almost four years now, and I wouldn’t be surprised to learn that it was actually an oversight. Hopefully the blog coverage Path has brought to the issue will get the ball rolling inside Apple, whose fix is well past due. Unfortunately, the tech press seems more interested in the bad decision making done at Path than in the shortcomings at Apple. That’s a first.