The social sharing app Path found itself in a bit of hot water today as it was reported that they were uploading users' address book data to their servers without user opt-in. This behavior is clearly in violation of both user trust and App Store policies.
The incident got me thinking about how privacy is managed on iOS and more universally. Generally speaking there are five ways that an OS vendor can ensure the privacy of user data.
* Isolation: If the OS vendor prevents programmatic access to user data then there is no concern for privacy breaches. The data is simply unavailable to 3rd party applications. This approach provides complete security but at the cost of preventing even legitimate uses. This is the current state for things like email, voicemail, and text messages on iOS.
* Legal Contract: The OS vendor may lock down their platform so that only developers who have signed a legal agreement stating they will abide by a standard privacy policy are allowed to distribute apps. This type of restriction is not at all technical, instead it seeks to control access to sensitive data to people with a legal obligation to protect it.
* Review: The OS vendor may perform some level of either technical or functional review of an application to verify compliance with a privacy policy. This can be done either at a code (static analysis) level or done by a person performing typical user acts within the application.
* Entitlements/Sandboxing: A more rigorous version of Review. In this case application developers must explicitly state the privacy-related operations the app will perform and then provide explanations to the reviewers when those needs are not directly related to the application's main function. This approach provides more security than simple review because developers are programmatically prevented from performing privacy-related actions that they did not explicitly ask for.
* User Approval: The user is told what operations the application is going to use (either at install or performance) and then given the opportunity to allow or deny the actions. An example of this is the Permissions tab shown for any Android Market app or the location alert in iOS.
In general iOS enforces privacy via Contract & Review. The exceptions to that are the use of Isolation for email, voicemail, text messages, and other more ‘sensitive’ data. Real-time location data is given the extra protection of a User Approval.
With this approach Apple is seeking to strike a balance between capability (which would be limited by Isolation) and user annoyance (which is aggravated by User Approval). It is easy to say that Apple should require users to give explicit permission before any app may access their personal data; however, in practice this approach is no more secure than the others. Constantly nagging users with permission requests ends up making them numb to their true meaning. Users typically just end up clicking ‘allow’ for any alert without reading or fully understanding the implications. Windows Vista is the poster child for this failing.
Instead, it seems Apple has made it clear that they are committed to security by review, and more recently to enhancing that via Entitlements/Sandboxing. With OS X Lion, Apple introduced application Sandboxing and Privilege Separation, which will be enforced in the Mac App Store review process. This approach should allow them to weed out nefarious applications more easily and generally provide greater control. I wouldn’t be at all surprised if this found its way to iOS in the next major update.
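As an added illustration (not from the original post), this is the shape of the entitlements file a sandboxed Mac App Store app ships to declare the privacy-related operations it needs. The keys are Apple's App Sandbox entitlement keys; the particular set chosen is hypothetical, picked for an app like the one described that searches contacts and talks to its own servers.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Opts the app into the sandbox; without this the other keys do nothing -->
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- Declared because contact search is part of the app's main function -->
    <key>com.apple.security.personal-information.addressbook</key>
    <true/>
    <!-- Outbound connections to the app's own servers -->
    <key>com.apple.security.network.client</key>
    <true/>
    <!-- Deliberately NOT requested: the sandbox denies these at runtime even if
         the code tries, and a reviewer would ask why a contacts app needed them
         com.apple.security.personal-information.location
         com.apple.security.personal-information.calendars -->
</dict>
</plist>
```

The reviewer sees exactly which resources the app asked for, and anything not listed is blocked at runtime. Once both the address book and network client entitlements are granted, though, the sandbox cannot tell a legitimate contact lookup from an upload of the whole list, which is the limitation the next paragraph makes.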
It should be noted, however, that none of these methods (except Isolation) would likely have prevented what Path was doing. The app has a perfectly reasonable reason to access your address book when searching for new contacts and setting up your account. The problem comes from them then using that data in an inappropriate way. Only deep forensic analysis of the application would bring this to light. The problem lies with nefarious developers finding ways to violate the rules, rather than with the rules themselves being flawed. Highly motivated developers will always find a way to get around any security restriction—and it appears that Path was indeed highly motivated.
Your Data in iOS
I thought it might be helpful to provide a quick guide to what data is available to apps in iOS 5.
- Email/Account Info: No Access
- Voicemail/Calls/FaceTime: No Access
- Text Messages: No Access
- Notes: No Access
- iTunes Account Information: No Access
- Real-time Location: Access after user approval
- Twitter Account: Access after user approval
- Photos: Access to all photos after location approval
- Address Book: Access to all contacts
- Media Library: Read-only access to movies, music, & podcasts
- Calendar: Access to calendar event information
- Camera/Microphone: Access while application running
- UUID: Access, but deprecated and will likely disappear soon
Update: I did a follow-up post with my opinions on address book access in iOS here.