Social networking app Path hit the headlines yesterday after it turned out the company was taking users’ entire address books and uploading them to their servers.
It’s a big privacy violation, but Path’s hardly the only one doing this. In fact, computer engineering professor Mark Chang has just discovered that Hipster, the popular photo-filter postcards app, does the exact same thing as Path: sucks up your contacts and squirts them into their servers.
Chang writes on his blog:
The Hipster app, in an unsecured HTTP GET request, sends a big chunk of your iPhone address book in the form of an email param that includes a comma-separated list of email addresses…
…[t]his is offensive for a few reasons:
1. Hipster never asked me for permission to send my address book emails to them.
2. Hipster does not say anything (AFAIK) about if they are storing those emails or what.
3. The Hipster app allows you to deselect the “Contacts” button when looking for new friends, but it is enabled by default. Therefore, there is no way to avoid sending address book emails to Hipster, as far as I can tell.
This is ridiculous. When an app needs to access contacts on Android, the system warns the user. Surely Apple can program the same functionality into iOS, similar to the way location-based services work.
Anyone want to make any bets on how many other apps we find have been doing this over the next few days? In the meantime, you can protect yourself from having your contacts downloaded by app developers by downloading this Cydia tweak.
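The request Chang describes, a plain-HTTP GET whose email parameter carries a comma-separated list of addresses, is the kind of thing you can look for in proxy logs from your own device or network. The following is an added example, not code from Chang's post or from this article; the hostnames, paths and URLs are constructed, and the two-address threshold is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Loose shape check for one address; good enough for log triage, not validation.
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")

# Constructed sample: request URLs as an intercepting proxy you control might log them.
SAMPLE_URLS = [
    "http://api.example.test/friends?email=a%40example.com,b%40example.org,c%40example.net",
    "https://api.example.test/friends?email=a%40example.com,b%40example.org",
    "http://api.example.test/login?email=me%40example.com",
    "http://cdn.example.test/img.png?size=2,3",
]

def emails_in_value(value):
    """Return the comma- or semicolon-separated items that look like email addresses."""
    items = (p.strip() for p in re.split(r"[,;]", value))
    return [p for p in items if EMAIL_RE.match(p)]

def audit_url(url, min_addresses=2):
    """Flag query parameters that carry a list of email addresses."""
    parts = urlsplit(url)
    findings = []
    # parse_qsl percent-decodes values, so %40 becomes @ before matching.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        found = emails_in_value(value)
        if len(found) >= min_addresses:
            findings.append({
                "host": parts.hostname,
                "param": name,
                "count": len(found),
                # True when the list crossed the network unencrypted.
                "cleartext": parts.scheme == "http",
            })
    return findings

def audit(urls):
    """Run audit_url over every logged URL and collect the findings."""
    return [f for u in urls for f in audit_url(u)]

if __name__ == "__main__":
    for f in audit(SAMPLE_URLS):
        transport = "cleartext HTTP" if f["cleartext"] else "HTTPS"
        print(f'{f["host"]}: {f["count"]} addresses in "{f["param"]}" over {transport}')
```

A single address in a login request is not flagged; only parameters carrying two or more addresses are reported, with the cleartext case marked separately.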