Cupertino to ban permissionless address book copying

Apple – arguably a villain in the “Path copies your address book” brouhaha – has, under pressure from US lawmakers, decided to require that apps prompt users before accessing their address book data. According to Reuters, the decision came after members of the US House Energy and Commerce committee asked Apple to provide the …

COMMENTS

  1. Henry Blackman

    I wonder...

    I wonder how many Windows Phone, Android, Blackberry etc apps have routinely done this for years too?

    Apple have done the right thing. They couldn't have acted much more quickly could they!

    1. Annihilator
      Meh

      Re: I wonder...

      Don't know about the rest but Android apps state what permissions they need in the market place. Unfortunately it seems developers go the whole hog there too - most apps I saw when I was an Android user required access to far more than was necessary.

      Weirdly, I recall J2ME apps had permission levels such as these that had to all be approved by the user. Not sure how we took a step backwards there..

      1. Anonymous Coward
        Anonymous Coward

        J2ME apps and permissions

        The reason for this is easy to see: J2ME came from mobile phone industry side and systems such as Symbian, while iOS and Android were both born in the IT and desktop computing side of things.

        On the computing side applications have been free to query this sort of data freely, without requesting ANY permission, so this same behaviour got transferred over without anyone really blinking an eye over it.

        Now, in light of this, should desktop systems also change?

      2. Tom Chiverton 1

        Re: Re: I wonder...

        If you were still a 'droid, you'd see that most popular apps now explain why they want each permission. Mostly it's because "this broad permission is the only way to get the one thing I need".

    2. Mage Silver badge
      Big Brother

      Re: I wonder...

      They could have put the procedure in place from the start, years ago. Only acting when you are caught isn't very praiseworthy. You don't honestly think Apple didn't know?

      1. Giles Jones Gold badge

        Re: Re: I wonder...

        Oh come on, how many desktop applications ask you to access all the various APIs?

        I can write an application on OSX that reads all the address book and sends it off to a server. You can almost certainly do the same thing on Windows and Linux.

        The difference is people are more willing and naive when it comes to installing software on their phone.

        1. gerryg
          Terminator

          Re: Re: Re: I wonder...

          I can write an application on OSX that reads all the address book and sends it off to a server. You can almost certainly do the same thing on Windows and Linux.

          Yes, you certainly can for a *nix system, except for the, er, file permissions thing...

          http://www.tuxfiles.org/linuxhelp/filepermissions.html

          not sure if you are being rhetorical, obfuscatory or...

          1. Dan 55 Silver badge
            Coffee/keyboard

            @gerryg

            Does the user often set permissions on their own address book files so they can't read it themselves?

    3. TeeCee Gold badge
      Facepalm

      Re: I wonder...

      I suppose you're the sort of bloke who tips the stableboy for shutting the door after the horse has bolted?

      Of course Apple could have acted more quickly. They could have built in some basic bloody security around personal data at the start, rather than waiting for the inevitable moment when some scumbag syphoned it all off at their leisure.

      1. Anonymous Coward
        Anonymous Coward

        Re: Re: I wonder...

        Or Path could have adhered to Apple's terms.

        17.1 and 17.2 I believe, but oh no, Apple is the villain again

        1. Anonymous Coward
          Anonymous Coward

          Re: Re: Re: I wonder...

          Given the rigorous control Apple exert over apps approved for use on their hardware, they are hardly blameless here, ya think?

        2. Chet Mannly

          Re: Re: Re: I wonder...

          "Or Path could have adhered to Apple's terms.

          17.1 and 17.2 I believe, but oh no, Apple is the villain again"

          Apple supposedly vet every app before it's allowed in the app store, remember?

          So yeah, if they spent more time looking at security of apps, rather than censoring anything that might compete with their own apps this wouldn't have happened.

          That is, assuming they didn't allow this until it became public...

      2. SYNTAX__ERROR
        Boffin

        Re: Re: I wonder...

        Yes, it's possible on Windows too, but Outlook will prompt the user for permission and also asks how long permission should be granted for.

        1. chr0m4t1c

          @SYNTAX_ERROR

          A) Outlook isn't the only address book on Windows.

          B) It only does that for "unauthorised" programs, it's never asked me for permission when any of the Nokia sync programs access the address book for example.

          There's a difficult balance to be struck here, Outlook doesn't provide any simple way for me to make sure "authorised" programs are blocked or to permanently allow "unauthorised" programs.

          It's a headache for developers of all software (including those developing the OS) and it's a problem that most users don't care about until something like this happens and then they want someone to hang for it - but they'll completely forget about it in about a week and then complain bitterly that the enhanced security brought out as a result gets in the way.

    4. Anonymous Coward
      Anonymous Coward

      Re: I wonder...

      Way to miss the point Henry. I guess if Doenitz had had time to repeal the Nuremberg Laws before he got arrested, you'd be full of praise for him too.

    5. Chet Mannly

      Re: I wonder...

      Apple screen every app - they should have already known before the app hit the app store.

      They reacted quickly to bad publicity, that's all. They happily allowed developers to swipe as much data as they pleased until they got found out!

  2. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    I wonder how existing apps will react to a user saying no, will they throw an exception or will the system return a fake empty contacts list..

    By the way the "make this even better" bit tickled the author because it was quoted out of context. The full statement is:

    "Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."

    Now the "even better" bit is obviously referring to the fact that there were guidelines in place already, which the developers didn't follow. This policy now adds an actual enforcement step.

    1. Anonymous Coward
      Anonymous Coward

      I assume iOS will return an empty address book if access is denied. No reason to break apps unnecessarily.

      1. Destroy All Monsters Silver badge
        Mushroom

        There are far better options.

        http://docs.oracle.com/javase/1.4.2/docs/api/java/security/AccessControlException.html

        1. Doogie1

          Re: There are far better options.

          That's not any better if the application doesn't handle the exception, it will just crash. Far better to return an empty contact list.

    2. Steve Knox
      Trollface

      It cannot be!

      "Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines”

      But Apple inspects EVERY APP that is submitted to their App Store. How could one that violates their guidelines possibly have gotten through?

      Could it be that Apple's "walled garden" is more of a house of cards?

      1. Anonymous Coward
        Anonymous Coward

        Re: It cannot be!

        Hahah now people complain Apple isn't ENOUGH of a walled garden. Better get some blast-proof concrete on those walls.

        Apple doesn't get the source code for the app, nor do they check the behaviour of every function call the app makes. Apps are approved as long as they conform to the official APIs and - from the user's perspective - follow the rules.

        The contacts list stuff was all part of the official API ever since iOS 2 (actually called iPhone OS, back when app developers had morals).

        That's why app reviews take less than a week and not months.

        1. Doogie1

          Re: Re: It cannot be!

          "Apple doesn't get the source code for the app, nor do they check the behaviour of every function call the app makes. Apps are approved as long as they conform to the official APIs and - from the user's perspective - follow the rules."

          Maybe not but it would be trivial to have a tool that flagged access to certain APIs (contacts and location for a start) and if the use is not appropriate request clarification from the developer. I assumed this is what Apple did. If not what are they doing for their money?

        2. SYNTAX__ERROR
          Alert

          Re: Re: It cannot be! @ AC 00:44

          Apple most certainly do see the source code for every app submitted.

          1. Anonymous Coward
            Anonymous Coward

            Re: Re: Re: It cannot be! @ AC 00:44

            > Apple most certainly do see the source code for every app submitted.

            No, they don't.

            1. This post has been deleted by its author

    3. Geoff Campbell Silver badge
      Pirate

      Apple have guidelines stating that apps shouldn't behave this way. Apple vet every app that makes it into the App Store. These apps do not conform to the Apple guidelines.

      Am I the only one seeing a problem here?

      GJC

  4. Jean-Luc
    Boffin

    Why not take a page out of Android?

    Isn't there an Android mechanism for allowing apps access to system resources on an apps by apps basis?

    Let me decide if a given app needs access to something (Address Book, SMS, etc...). And put requirements in the Apps Store so that I don't buy an app that I end up not being comfortable with.

    And for the 99.5% who don't care, provide a user-configurable system default access that says "any app can/can not access features X, Y and Z". Now, I realize that it may take a while, but surely could be in iOS6.

    Problem solved.

    But don't tell me it can't be enforced by the OS and platform and that I should rely on trusting the devs because I don't buy that.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why not take a page out of Android?

      > Isn't there an Android mechanism for allowing apps access to system resources on an apps by apps basis?

      Not really, at least not in the original firmware.

      You can only decide to install the app or not based on the permissions the app says it needs. If you don't like the permissions you can't install the app. It doesn't let you selectively enable or disable permissions.

    2. Doogie1
      FAIL

      Re: Why not take a page out of Android?

      That's also assuming the application doesn't just use one of the known Android exploits to bypass the permissions system completely.

  5. Anonymous Coward
    FAIL

    If only Apple had Android-like permissions...

    They wouldn't be in this PR disaster....

    1. Anonymous Coward
      Anonymous Coward

      Re: If only Apple had Android-like permissions...

      What's so great about permissions if the only thing you can do about them is not install the app?

      The reality is that ALL users of Path, Facebook, Twitter, Foursquare, etc on Android would have had to accept this whether they liked it or not.

      1. Anonymous Coward
        Anonymous Coward

        Re: Re: If only Apple had Android-like permissions...

        Then use Cyanogen, you can block permissions to specific apps on an app-by-app basis then..

      2. TeeCee Gold badge
        WTF?

        Re: Re: If only Apple had Android-like permissions...

        "What's so great about permissions if the only thing you can do about them is not install the app?"

        If an app requires permission to access your address book, when you know damned well it doesn't need to for any purpose associated with its core functionality, then the best course of action is not to install it!

        1. Shakje

          @TeeCee

          But what if it's a borderline case where accessing the address book isn't core functionality but can offer added functionality to users?

          E.g. Facebook. How many people are quite happy to trust FB (rightly or wrongly) to not do anything nefarious with their data, particularly their address book? And for all intents and purposes, it just saves you the time of adding your contacts manually, so why not allow the extra functionality for those who want it? But what if people don't want it to access their address book, but do want to update things easily on an app designed for their mobile? Do you honestly think it's good to get people into the mindset of "well it said that I could choose for it not to access my address book, so I'll just give it permission to so that I can install it"? It's far better to allow people to install apps and then prevent the usage of certain functionality if the user doesn't want it (on an OS level) rather than make the user decide between some functionality that they want, but something that they don't.

      3. Chet Mannly

        Re: Re: If only Apple had Android-like permissions...

        "What's so great about permissions if the only thing you can do about them is not install the app?"

        Simply choose an app that does what you want that doesn't require that permission - there's well over 2 dozen Facebook apps for example with varying permission levels. After all, it doesn't need to read the phone contact list to access your FB contacts.

        That's the beauty of a free market - whether it be android, symbian or whatever - better to have choice, and to be informed than to find out after your data is already gone!

      4. Jean-Luc

        Re: Re: If only Apple had Android-like permissions...

        But, if the system actually enforced ACL based on resource usage, with a rejection & store blacklisting if the intent to use was not disclosed in meta-data, then it would be up to the user to decide whether or not to install an app. Even better would be need to have/nice to have app requirements.

        Which is way better than installing apps that run wild on what is really very private hardware.

        FB, for all its usual complaints about them, may actually have valid reasons to scan your address book data. Or at least you might decide it would.

        But a Tetris clone requiring premium-number SMS capability would be a fishy creature indeed.

    2. Anonymous Coward
      Anonymous Coward

      Re: If only Apple had Android-like permissions...

      Not really. Looking at the list of Android permissions, the only things that iOS apps are allowed to do anyway is get your location and read your contact list, and getting your location gives you a dialog box prompt.

      Frankly I prefer it this way. My Android-using friends tell me that most apps require permissions that they have no business requiring. I would rather use a system where apps are much more locked-down.

    3. Anonymous Coward
      Anonymous Coward

      Re: If only Apple had Android-like permissions...

      What about the pre installed applications? A lot of Android phones come with Twitter and Facebook pre installed

  6. Anonymous Coward
    Anonymous Coward

    Oh it's you

    Must be Microsoft shills fault somehow

    This is an entirely non issue. . To use an Android argument - 'Buyer be ware - don't the user know what they're phone is doing' Blah.

    Live with your stalker and all is good in your key logging malware land.

    Despite todays fix, Google Wallet is still storing and sending user info in plain text - live in your dream world

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh it's you

      I meant Shitpeas - the loon

      1. Tom Maddox Silver badge
        Paris Hilton

        Re: Oh it's you

        Here's a question for the ages: is there such a thing as an anonymous sock puppet?

    2. Anonymous Coward
      Anonymous Coward

      Re: Oh it's you

      Hope you can use a computer better than you can write "English". You must have a lot of buggy, crashing programmes and scripts, unless all you do is point and click.

  7. Anonymous Coward
    Anonymous Coward

    On Android - Only if you root

    ..and after that, only if you have a custom ROM that can block such permissions and even ads (in all fairness if you have rooted your android it's only an app away, available on the market).

    Otherwise you either grant the permission, or you won't install the software, so it's not good.

    Android must incorporate some sort of default "permission" setting, per app or system-wide.

    I do not use the Facebook app, or the official Twitter (Plume is much prettier anyway), or the 4square thing, or the Whatsapp thing, just for this reason. I've already shared my address book with Google, and that's enough exposure already.

    1. Anonymous Coward
      Anonymous Coward

      Re: On Android - Only if you root

      What app is that? Only found WhisperCore, but it's "Temporarily Unavailable".

      1. Anonymous Coward
        Anonymous Coward

        Re: Re: On Android - Only if you root

        Try LBE Privacy Guard

    2. Chet Mannly

      Re: On Android - Only if you root

      "Otherwise you either grant the permission, or you won't install the software, so it's not good."

      Just choose another app that doesn't need those permissions.

      Simple, and everyone is informed...

  8. Anonymous Coward
    Anonymous Coward

    It's about time

    I have discussed (argued about) mobile OS security with friends for years. I love the iOS model of sandboxing but the ability of apps to read your contact list has always seemed like a very bizarre exception to their security model. I don't want ANY apps reading my contact list under any circumstances.

    A year or two ago there was an app that allowed you to see a video feed from a friend's iPhone camera. Cool app but it also spammed your whole contact list with an email telling them to download the app. Absolutely unacceptable. Many people were very upset about this but unfortunately it didn't trigger a re-think on Apple's side at the time.

  9. Anonymous Coward
    Anonymous Coward

    Sorry for the stupid question but I'm on Android (SGS 2), how can I stop apps I already have from accessing my address book?
