Mac OS X tool sniffs out iOS contact-snoop apps

Australian security consultant reckons it’s a breach of Privacy Act.

Security vendor Veracode has released a tool for Mac OS X (but not Windows) that detects any iOS app that could be sending its makers a user's contact lists and calendar data.

The aptly named AdiOS, which apparently stands for Address Book Detector for iOS, scans the iOS apps in an iTunes directory to assess which ones access a device's address book.

The tool was released in response to the controversy brewing over the privacy boo-boo by social network Path, outed last week for having uploaded its users' entire contact lists without asking for their permission.

The company has since apologised for the practice and released an update that removes the feature. But while Apple has said Path violated its developer agreement, US lawmakers are now directing questions at Apple about the rigour of its controls, and about additional concerns that there is a "quiet understanding" amongst iOS app developers that it's acceptable to collect and transmit those details.

Veracode's utility lets anyone concerned about this practice identify an app that may have already done this: it seeks out any app that contains a reference to an iOS API call that Apple provides to developers, ABAddressBookCopyArrayOfAllPeople.

That doesn't mean the apps AdiOS detects necessarily did what Path did, but the tool will flag which ones have the potential to do so, Veracode researcher Mark Kriegsman explained.

Kriegsman wrote that of the 450 iOS apps on his Mac, 50 appeared to call the API, including such well-known apps as Angry Birds, an app from Citibank and several Google apps. "A number of lesser-known games do it, too. Why do all of these apps need to dump my entire address book? The quantity of apps with this ability really caught us off guard," wrote Kriegsman.

On the other hand, he points out that many apps use this data for legitimate reasons, such as helping users make connections, and that users shouldn't be surprised by the practice.

"Talking to the Veracode Research team about this iOS address book madness, the consensus was that none of this should come as a surprise to anyone who's been following mobile development or security research for mobile platforms," wrote Kriegsman.

Did Path breach Australia's Privacy Act?

Whether or not collecting users' contact data without permission is an accepted practice amongst developers misses the point, according to Stephen Wilson, a security consultant who operates the Australian business Lockstep.

In the context of Australia's Privacy Act, Path and other app makers that actually collect the list almost certainly break the law, he argues: a contact list taken from a user would be considered personal information (PI), and doubly so if it's taken without permission.

"If PI gets into a company's system, then they have collected it. No ifs, no buts. PI taken from the public domain is still counted as a Collection," Wilson told cso.com.au by email. "Now when an app calls up the contact list, an important legal technicality will be whether an organisation somewhere up the line is taking the PI from the app.

"I think that if some weird app made the function call but did nothing more with the PI, it is probably not breaching the law. The PI needs to be collected by an entity."

Phone lists might just be a collection of names and numbers, but Wilson argues they are also "rich with descriptors", which may detail the relationship of the contact with the owner, for example, "shrink" or "abortion clinic".

"If a phone owner happened to work at a Women's Refuge or was a psychiatrist, then the address list is dynamite."
