Hi, I'm Martijn Vreugde this is a collection of my rambling thoughts on modern media, inspirational design and... well pretty much anything I found interesting enough to share with you fine upstanding folks of the internet.
It is shocking that such top-notch apps and web-savvy companies would do something as reckless as pulling a user's private contact-list info without the user's knowledge, never mind consent.

Even the @Scobleizer was shocked (from Google+):
Robert Scoble - 1:55 AM - Public
Yes, +Path and +Dave Morin really screwed up here. They should have realized that uploading data without transparency would bite them in the ass sooner or later (I wish I had known).
Yes, Dave says they only use that data to try to find friends of yours who are already on the system, but that’s beside the point.
Developers have to be very careful to do the following:
1. Offer an opt-out.
2. Be transparent about what’s being sent.
3. Be transparent about what will be done with the data.
4. Offer a way to delete that data after it’s been sent.
What do you think?
Inspired by this post (which you should all read), I looked at the apps on my own iPhone for information leakage by other apps. I figured this would be common practice, and lo and behold, when booting up Hipster, it seems like parts of my iPhone address book were being uploaded to Hipster. Here’s the breakdown, done in the style of Arun Thampi (the author of the first post).
Creating an Account
Hipster starts with a POST to api.hipster.com/v1/people.
Worth noting: this is not over HTTPS, so it sends your info, including your password and iPhone UID, in plaintext. Ugh.
Okay, otherwise not terrible. Several other transactions happen here: an acknowledgment of your login, creation of an account and user ID, and the public "Popular" feed is returned.
Sadly, the badness happens when you go to add your friends from the More > Find Friends menu option.
Badness
The Hipster app, in an unsecured HTTP GET request, sends a big chunk of your iPhone address book in the form of an emails param: a comma-separated list of email addresses. WAT. Here it is, with the big block of email addresses redacted.
Okay, that’s enormous. Let’s just get the important bits. The HTTP GET goes to:
api.hipster.com/v1/me/friends_lookup?auth_token=[redacted]&emails=[…]
Boy. Thanks, Hipster.
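If you want to run the same check against your own apps rather than reading the raw proxy output, the script below scans captured requests for the two problems described above: sensitive fields (password, device ID, auth token) sent without TLS, and a single parameter carrying a pile of email addresses, which is what an address-book upload looks like on the wire. This is an added example, not code from the original post or from Hipster; the capture is constructed to mirror the two requests described here with fake values, and the list of sensitive key names and the "bulk" threshold are my assumptions.

```python
"""Flag address-book leakage and plaintext credentials in captured HTTP requests.

Added example (not from the original post or from Hipster). The requests below
are constructed to mirror the two requests described in the post; the parameter
values are fake, and the heuristics (which keys count as sensitive, how many
addresses count as "bulk") are assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Matches one email address; good enough for counting addresses in a parameter.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Parameter names that should never travel without TLS (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pass", "uid", "udid", "device_id",
                  "auth_token", "token"}

# This many addresses or more in one parameter looks like a contact upload,
# not the user's own account email (assumed threshold).
BULK_EMAIL_THRESHOLD = 2

# Constructed capture (the shape a proxy such as mitmproxy shows). Fake values.
SAMPLE_REQUESTS = [
    {"method": "POST",
     "url": "http://api.hipster.com/v1/people",
     "body": "email=me%40example.com&password=hunter2&udid=0123456789abcdef"},
    {"method": "GET",
     "url": ("http://api.hipster.com/v1/me/friends_lookup?auth_token=abc123"
             "&emails=alice%40example.org%2Cbob%40example.net%2Ccarol%40example.com"),
     "body": ""},
    {"method": "GET",
     "url": "https://api.hipster.com/v1/feed/popular",
     "body": ""},
]


def request_params(req):
    """Merge query-string and form-body parameters into one dict of lists."""
    parts = urlsplit(req["url"])
    params = parse_qs(parts.query)
    if req.get("body"):
        params.update(parse_qs(req["body"]))
    return parts.scheme, params


def analyze_request(req):
    """Return a list of human-readable findings for one request."""
    scheme, params = request_params(req)
    insecure = scheme.lower() != "https"
    findings = []
    for key, values in params.items():
        # 1. credential or device identifier sent in the clear
        if insecure and key.lower() in SENSITIVE_KEYS:
            findings.append(f"'{key}' sent in plaintext over {scheme}")
        # 2. a parameter carrying many email addresses (address-book upload)
        emails = set()
        for value in values:
            emails.update(addr.lower() for addr in EMAIL_RE.findall(value))
        if len(emails) >= BULK_EMAIL_THRESHOLD:
            transport = "plaintext" if insecure else "TLS"
            findings.append(
                f"{len(emails)} email addresses in '{key}' ({transport})")
    return findings


def scan(requests):
    """Analyze every request; returns one (method, url, findings) per request."""
    return [(r["method"], r["url"], analyze_request(r)) for r in requests]


if __name__ == "__main__":
    for method, url, findings in scan(SAMPLE_REQUESTS):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{method} {url.split('?')[0]}: {status}")
```

Feed it the requests from a proxy export instead of SAMPLE_REQUESTS and it flags the friends_lookup call (three addresses in the emails param over plain HTTP, plus the auth_token in the clear) and the sign-up POST (password and UDID over HTTP), while the HTTPS feed request passes. Note that an address-book upload over HTTPS still trips the second check; TLS fixes the eavesdropping problem, not the consent one.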
The Issue
As was addressed in the other post, this is offensive for a few reasons:
- Hipster never asked me for permission to send my address book emails to them.
- Hipster does not say anything (AFAIK) about whether they store those emails or what they do with them.
- The Hipster app lets you deselect the "Contacts" button when looking for new friends, but it is enabled by default, so as far as I can tell there is no way to avoid sending address book emails to Hipster.
Thanks to the original article on Path. While it is up for debate how much of a negative impact this has on an individual's privacy, I feel these two examples (which were easy to come by) point toward lax privacy attitudes among some of the leading edge of socially-minded consumer applications.
Time to clean up a bit, right?
Comments below, or hit me up on Twitter, @mchang