Path Uploads And Stores Your iPhone’s Entire Address Book On Its Servers


Screen shot 2012-02-07 at 4.28.03 PM

In what can only be considered the very definition of irony, it has been discovered that Path 2 for iPhone secretly uploads and stores your entire address book to its servers. In case you didn’t know, Path is a hot iOS app that offers an exclusive, confined social network experience with a limited number of people. Unlike Facebook, Path only lets you accept 150 friends, indicating the intimate, safe environment that the app creators want users to feel at home in.

Developer Arun Thampi has uncovered that Path’s current iPhone app sends all of your contacts to its servers without notifying you. Oops.

I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.

The co-founder of Path, Dave Morin, responded to Thampi’s discovery:

Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and effeciently as well as to notify them when friends and family join Path. Nothing more.

We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.

Developer Matt Gemmell asked Morin if Path was violating Apple’s Terms and Conditions by not asking users to opt into uploading their address book. Morin said, “This is currently the industry best practice and the App Store guidelines do not specifically discuss contact information. However, as mentioned, we believe users need further transparency on how this works, so we’ve been proactively addressing this.” Path 2.0.6 will hit the App Store soon with the ability to remove this contact information off the app’s servers. Disgruntled users can contact to have any other personal information purged from Path’s database as well.

The Android version of Path lets users opt into sharing their address books with the app’s servers already. Morin said, “We hope that the proactive steps we’ve been taking over the last couple of weeks on our Android client show we care deeply. We’re hoping to have iOS 2.0.6 into the App Store process by the end of the week.”

  • oldwiz65

    Just goes to show how little these developers care about such silly things as customer’s privacy.  Are they also looking for other personal data, such as bank account numbers, SS numbers, and CC info?  How did Apple allow them to do this? The developer really deserves to be kicked out of the App store for being a thief.

  • Jdsonice

    I love it when a developer says “We are doing it to help you…” or “For your safety…”. It normally means “We are shafting you but please accept it with a smile”.

    If Dave Morin and Path2 were honest and had no ulterior motives they would ask the users permission. Given that they don’t – it simply means at least to me that they are underhanded, crooked and can (and will for a quick buck) sell your phonebook.

    Honest companies don’t do things like this. Like Google or not they tell you at least in the new EULA what they are doing.

    Path2 should (1) Immediately destroy all the data it collected and certify under penalty of perjury that they have done so  (2) Stop doing it.

    Of course they are dishonest and will do no such thing.

  • ??nD ??os??A

    Apple needs to fix this. Just like we can turn access to location data on/off on an individual app basis there should be settings for the address book also.  I just looked at the Apple Dev docs and amazingly there is nothing in the API that forces an app to notify the user of access, and worse, an app can write the address book without the user’s knowledge or confirmation.  
    I really liked Path and it is really sad to see them mess up like this, but the company just can’t be trusted. What else are they willing to do, and how many other apps are their that are doing this same thing with no one knowing?

  • trife ro

    This is very serious matter. Nothing to laugh at.

  • martinberoiz

    Like they did with the Patriot Act…

  • davester13

    It’s not being ‘proactive’ if you only do something about it AFTER somebody else complains that you are doing something wrong.

  • Munstr

    So it looks like iOS users are second grade citizens compared to Android users.
    Very interesting.

  • shherr

    I think they only made it opt in for android because the market lists android “permissions” before you install things, so the permission to read the address book would’ve showed up, and from what I’ve seen in the market’s reviews, a lot of android users look at those permissions and they influence app choices. 

    Don’t jump down my throat people… I use iOS and Android.

  • John cooper

    I emailed the instagram team as that was an app that off the top of my head did a similar thing, i.e. able to find contacts easily so i thought i’d ping off an email to their support


    Do you upload my addressbook contacts to ‘somewhere’ in order to better find contacts using instagram. I.e. in the same way/similar to
    The Path application


    When you choose to find your friends by navigating to your Profile > then Find Friends > and then selecting “From my contact list” Instagram uploads your contacts via a secure connection in order to locate your contacts’ accounts on Instagram. We currently do not store this information. Please let us know if there is anything else we can help with!
    The Instagram Team

    here’s what the Path app also needs to implement immediately
    an About Path tab with : 
    terms of service / usage etc… and a privacy statement
    link through to their support and a way of contacting them.


    Ha ha sheeple still dont get it! The reason this was done was to make screwgle look more attractive! But at the end of the day fool on apple for allowing it! The coming NWO govt want everyone on google, everyones data in one place, they dont want it on this server here and that server there, Jobs didnt get cancer by accident, and now jobs it out of the way the decision to take apple out by the elite has been decided and apple will fall, Its just a shame that unfortunately most will not see the bigger picture and will think this is a load of bull excrement. All is say to you is this, fool me one shame on you fool me twice shame on me! You have been warned…..Dont forget lock the doors….peace