Mac OS X tool sniffs out iOS contact-snoop apps

Australian security consultant reckons it’s a breach of Privacy Act.

Security vendor Veracode has released a tool for Mac OS X (but not Windows) that detects any iOS app that could be sending its makers a user's contact lists and calendar data.

The aptly named AdiOS, which apparently stands for Address book Detector for iOS, scans the iOS apps in an iTunes directory to assess which ones access a device's address book.

The tool was released in response to the controversy brewing over the privacy boo-boo by social network Path, outed last week for having uploaded its users' entire contact lists without asking for their permission.

The company has since apologised for the practice and released an update that removes the feature. But while Apple has said Path violated its developer agreement, US lawmakers are now directing questions at Apple about the rigour of its controls, and about additional concerns that there is a "quiet understanding" amongst iOS app developers that it's acceptable to collect and transmit those details.

Veracode's utility lets anyone concerned about this practice identify an app that may have already done this, by seeking out any app that contains a reference to an iOS API call Apple provides to developers, ABAddressBookCopyArrayOfAllPeople.

That doesn't mean the apps AdiOS detects necessarily did what Path did, but the tool will flag which ones have the potential to do so, Veracode researcher Mark Kriegsman explained.
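To make the detection approach concrete, here is an added example in the same spirit as the scan the article describes. It is my own illustration, not Veracode's AdiOS code, and it assumes the usual .ipa layout (a zip archive with the app's Mach-O binaries under Payload/Name.app/) and that a linked API shows up as its symbol name in the binary. The sample archive it scans is constructed in memory.

```python
import io
import os
import zipfile

# The symbol the article names; it appears as a string in an app binary's
# import table when the app links against that AddressBook function.
ADDRESS_BOOK_APIS = (b"ABAddressBookCopyArrayOfAllPeople",)


def scan_ipa(source):
    """Return address-book API names referenced by the executables in one .ipa.

    An .ipa is a zip; the app's binaries live under Payload/<Name>.app/. Only
    extension-less files and .dylib files are read (plists, images are skipped).
    `source` is a file path or, for tests, the archive bytes. A hit means the
    app *can* read the address book, not that it uploads it anywhere.
    """
    src = io.BytesIO(source) if isinstance(source, bytes) else source
    found = set()
    with zipfile.ZipFile(src) as ipa:
        for info in ipa.infolist():
            parts = info.filename.split("/")
            if (info.is_dir() or len(parts) < 3 or parts[0] != "Payload"
                    or not parts[1].endswith(".app")):
                continue
            base = parts[-1]
            if "." in base and not base.endswith(".dylib"):
                continue  # resources such as Info.plist and images
            data = ipa.read(info)
            found.update(a.decode() for a in ADDRESS_BOOK_APIS if a in data)
    return sorted(found)


def scan_directory(directory):
    """Scan every .ipa in a folder, e.g. iTunes' 'Mobile Applications' dir."""
    report = {}
    for entry in sorted(os.listdir(directory)):
        if entry.lower().endswith(".ipa"):
            hits = scan_ipa(os.path.join(directory, entry))
            if hits:
                report[entry] = hits
    return report


def build_sample_ipa(references_api):
    """Constructed test fixture: a minimal fake .ipa built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Demo.app/Info.plist", "<plist/>")
        payload = b"ABAddressBookCopyArrayOfAllPeople" if references_api else b""
        z.writestr("Payload/Demo.app/Demo", b"\xcf\xfa\xed\xfe" + payload + b"\x00")
    return buf.getvalue()
```

Pointing `scan_directory` at a folder of .ipa files yields a report of which apps reference the API, which is the "potential to do so" list the article describes, not proof of any upload.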

Kriegsman wrote that of the 450 iOS apps on his Mac, 50 appeared to call the API, including such well-known apps as Angry Birds, an app from Citibank and several Google apps. "A number of lesser-known games do it, too. Why do all of these apps need to dump my entire address book? The quantity of apps with this ability really caught us off guard," wrote Kriegsman.

On the other hand, he points out that many apps use this data for legitimate reasons, such as helping users make connections, and that users shouldn't be surprised by the practice.

"Talking to the Veracode Research team about this iOS address book madness, the consensus was that none of this should come as a surprise to anyone who's been following mobile development or security research for mobile platforms," wrote Kriegsman.

Did Path breach Australia's Privacy Act?

Whether or not collecting users' contact data without permission is an accepted practice amongst developers misses the point, according to Stephen Wilson, a security consultant who operates the Australian business Lockstep.

In the context of Australia's Privacy Act, Path and other app makers that actually collect the list almost certainly break the law, Wilson argues: a contact list would, he believes, be considered personal information (PI), and taking it is doubly problematic if it's done without permission.

"If PI gets into a company's system, then they have collected it. No ifs, no buts. PI taken from the public domain is still counted as a Collection," Wilson said by email. "Now when an app calls up the contact list, an important legal technicality will be whether an organisation somewhere up the line is taking the PI from the app.

"I think that if some weird app made the function call but did nothing more with the PI, it is probably not breaching the law. The PI needs to be collected by an entity."

Phone lists might seem to be just a collection of names and numbers, but Wilson argues they are also "rich with descriptors", which may reveal the relationship of a contact to the owner, for example "shrink" or "abortion clinic".

"If a phone owner happened to work at a Women's Refuge or was a psychiatrist, then the address list is dynamite."
