Apple iOS developers: We'll adjust to privacy change

Developers say Apple's new mandate won't be too much of a burden, but many will need to modify apps that use address book data.

Elinor Mills Former Staff Writer

iPhone apps that access address book data will need to be updated but not overhauled to comply with a new policy from Apple that mandates prior user permission, developers say.

In response to complaints that some iPhone apps were downloading the entire contents of users' address books without asking users first, Apple announced a change earlier today in its developer guidelines. Now, iOS apps will have to get explicit user permission before collecting contacts data from their phones.

The change was prompted after a blogger last week discovered that photo sharing service Path was collecting address book data unbeknownst to users. It turns out that Path wasn't the only one doing this. But the blowback started to singe Apple, which came under criticism from some bloggers who blamed the company for allowing developers to access such sensitive personal information without permission. Concerns were also raised that allowing apps to grab this data in this way contradicts Apple's own App Store privacy guidelines that prevent apps from transmitting "data about a user" without prior permission and notice about how and where the data will be used.

Shortly before Apple announced its policy change, Rep. Henry Waxman (D-Calif.) sent a letter to Apple CEO Tim Cook, asking him to explain Apple's privacy guidelines with regard to user data, how many iOS apps transmit "data about a user" and whether address book contents meet that definition. Apple has until February 29 to respond to the letter.

Apple representatives did not specify how iOS app developers will need to seek approval for address book access, but it's likely that users will see a pop-up box prompting them for a "yes" or "no" response when an app wants access to their contacts data. This is the way apps currently get permission to access location information from a user's phone.

"It will be interesting to see what Apple does. They haven't disclosed exactly how this would be enacted," said Matt Carrington, spokesman for Taxi Magic, which does not automatically download the address book and only collects certain frequently used addresses to use for suggesting locations.

"I imagine it will be similar to how they do location verification services, which is a feature we rely on very heavily. We need to get the GPS [Global Positioning System] of a phone to send a cab," Carrington said. "If you really only go from your home to work and the airport we want to be able to link that to your profile on our servers so that when you sign into our app those addresses will be associated with you so you can book a cab faster."

Developers expect some backward compatibility issues to arise for apps that use contacts data, and those apps will need to be tweaked in order to work properly. But the work shouldn't be too much of a burden for developers, they said.

"If it's implemented the same way as location data," the prompting for permission is done by the iOS, said Phil Libin, CEO of Evernote, a note-taking app. "The only thing the developer has to do is specify what the app does if a user says 'yes' or 'no.'"

"I think it will be tricky because all of these existing apps rely on being able to access the data. If a user says 'no' what happens in that app?" said Martin May, co-founder of food finder app Forkly, which doesn't use address book data. "If a user says 'no' (the iOS) could pretend that the address book is empty. That would be one way they could implement this without breaking existing apps."

If that is how Apple implements the iOS changes, then an app developer wouldn't need to do much, theoretically, May said. "I'm pretty sure Apple will build something in that if the user says 'no' then the app will have to react accordingly."

More code changes would be needed for apps that rely on address book data, such as contact manager apps, than apps that merely use the data to suggest friends, like social networks. Apps for which address book data is crucial will need to notify the user that the data is needed in order to get full functionality out of the app, for example.

"Either way, I don't think it's a whole lot of work" for developers, May said.

In its latest update, which came before Apple's policy change, mobile photo sharing service Instagram added a pop-up message when users click "find friends" that says "In order to find your friends, we need to send address book information to Instagram's servers using a secure connection" followed by "Cancel" and "Allow" buttons.

And Foodspotting said it will include in its next update an additional permission after users tap "Find iPhone Contacts."

Older Nokia phones running Symbian, among others, used to seek permissions for a wide variety of app activities to the point of annoyance, according to Evernote's Libin.

As a result, May of Forkly said he "thought it was odd that iPhones didn't do this from the get-go."

iPhone app developer Dave Zohrob said he suspects developers will have some time before Apple includes an implementation for the permissions requirement for address books in iOS.

"There's no reason why Apple shouldn't make this change to require permission, and I don't think it will be too much work for developers to make the changes they need," he said. "It might affect some viral growth mechanisms for some apps, but ultimately it should be up to the user whether or not they trust the app enough to let it access their data."

This is the new iPhone message Instagram shows to users when they want to find friends from their contact list to follow on the photo sharing service.

Facebook app users won't see any change because a dialog box makes it clear that users' data may be shared, the company says.

Twitter is reportedly planning to update its app to make it clear when users click "Find Friends" that their address book is being downloaded.

Meanwhile, Foursquare just updated its iOS app to include this warning when people want to add friends: "To find your friends, we send your address book information to our servers. Don't worry, it's sent securely and we don't store it!"

A Foursquare spokesperson said the company had no comment on the Apple announcement.

May suggested that a good practice for apps that do grab user data is to obscure the data using a hash method so that anyone snooping on a Wi-Fi network wouldn't be able to see it. But Apple wouldn't necessarily be able to police that even if it were required.

And the Apple policy change only goes so far in protecting users from unscrupulous app developers who might try to sell the data to advertisers: as long as permission is granted, the data can be accessed, even if it is not needed for the purposes of the app.

"Users should question why does the app want the data and what is it going to do with it," said Libin of Evernote. "That distinction won't get adequately communicated just by saying 'yes' or 'no.' ... Eventually, the industry will have to grapple with this issue of intent."

CNET's Daniel Terdiman, Paul Sloan and Roger Cheng contributed to this report.