PSA: Popular social network app Path uploads your entire iPhone address book to their servers... in plain text

Do you love Path, the slick, simple, moment-sharing social network app for iPhone? Well, get ready to dial it back a notch, because apparently they're storing your entire address book, e-mail addresses and all, on their servers, in plain text. What kind of evil deeds does Path have planned for all that data? Well, the CEO, Dave Morin, said that the data is used exclusively to notify you when your friends sign up for Path. He also claimed that it's the industry standard to transfer that personal information in plain text, even though, as one commenter points out, it could be done with representative hash codes instead. Morin also said that they intend to update the iOS version with an opt-in dialog for the feature, a tweak they've already rolled out on Android.

If you're not cool with the data Path already has stored on their server, you can e-mail and they'll wipe everything out for you.

The whole mess was discovered by the developer of an iPad news app called Denso. He was toying around with a new tool from that monitors the API calls made by apps by setting up a man-in-the-middle HTTP proxy.

This isn't the first time we've seen this issue on iOS. Nuance's popular Dragon Dictation faced and addressed similar concerns back in 2009. While we're prone to hit the "allow" button on just about any app we download when prompted for access to personal data, you aren't currently getting that message when downloading Path on iOS. Even if you were, it's still pretty sketchy that this data is being transferred without being hashed, even if it's transferred over SSL. What if Path's servers got hacked? We wouldn't get much more than a "whoops" from Path. What worries me even more is that there are still a ton of other services out there farming up personal data from not only you, but everyone you know, without your express or implicit permission.
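To make concrete what "representative hash codes" would look like in practice, here is an added example that is not code from the article or from Path: the client normalises each e-mail address and phone number, uploads only a SHA-256 token per identifier (never the contact's name or the raw value), and the server matches those tokens against the tokens of its own registered users. The address book, the registered users and the `MatchingServer` class are all constructed for this illustration. A small check function shows how a reviewer can confirm that a captured upload contains no raw identifiers, which is the kind of inspection the Denso developer did with an HTTP proxy.

```python
import hashlib
import re

# Constructed sample data, not taken from the article or from any real app.
ADDRESS_BOOK = [
    {"name": "Alice Example", "emails": ["Alice@Example.com"], "phones": ["+1 (415) 555-0100"]},
    {"name": "Bob Example", "emails": ["bob@example.org"], "phones": []},
    {"name": "Carol Example", "emails": [], "phones": ["+1 415-555-0199"]},
]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
PHONE_RE = re.compile(r"\+?[\d\s().-]{7,}")


def normalize_email(addr: str) -> str:
    return addr.strip().lower()


def normalize_phone(num: str) -> str:
    # Digits only, so "+1 (415) 555-0100" and "14155550100" hash identically.
    # Real deployments also need a country-code rule (E.164); assumed here that
    # every number already carries its country code.
    return re.sub(r"\D", "", num)


def contact_token(kind: str, value: str) -> str:
    """Hash one identifier. The kind prefix domain-separates e-mails from phones."""
    norm = normalize_email(value) if kind == "email" else normalize_phone(value)
    return hashlib.sha256(f"{kind}:{norm}".encode("utf-8")).hexdigest()


def build_upload(address_book: list) -> list:
    """What leaves the device: a sorted set of tokens, no names, no raw values."""
    tokens = set()
    for entry in address_book:
        for e in entry.get("emails", []):
            tokens.add(contact_token("email", e))
        for p in entry.get("phones", []):
            tokens.add(contact_token("phone", p))
    return sorted(tokens)  # sorting also drops the address-book ordering


def payload_has_raw_identifiers(payload: list) -> bool:
    """Reviewer check: does any uploaded field look like an e-mail or phone number?"""
    return any(EMAIL_RE.fullmatch(t) or PHONE_RE.fullmatch(t) for t in payload)


class MatchingServer:
    """Hypothetical server side: stores only tokens of registered users."""

    def __init__(self):
        self._by_token = {}

    def register(self, user_id: str, kind: str, value: str) -> None:
        self._by_token[contact_token(kind, value)] = user_id

    def match(self, payload: list) -> list:
        # Returns which registered users appear in the uploader's address book.
        return sorted({self._by_token[t] for t in payload if t in self._by_token})


def demo() -> dict:
    server = MatchingServer()
    server.register("user-alice", "email", "alice@example.com")
    server.register("user-carol", "phone", "14155550199")
    server.register("user-dave", "email", "dave@example.net")
    payload = build_upload(ADDRESS_BOOK)
    return {
        "payload": payload,
        "matches": server.match(payload),
        "leaks_raw": payload_has_raw_identifiers(payload),
    }


if __name__ == "__main__":
    result = demo()
    print("uploaded tokens:", len(result["payload"]))
    print("friends found:", result["matches"])
    print("raw identifiers in upload:", result["leaks_raw"])
```

Two caveats a practitioner would want. First, hashing keeps names and raw addresses off the wire and out of the server's database, which limits what a breach exposes, but an unsalted SHA-256 of a phone number is not a strong secret: the space of valid phone numbers is small enough that a leaked token table can still be resolved back to numbers by enumeration. Second, a server-held HMAC key does not change that, because the server itself can still enumerate. The scheme is a real improvement over the plaintext upload described in the article, not a privacy guarantee; protocols designed for this matching problem (private set intersection) go further, at the cost of complexity.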

It certainly makes me think twice when signing up for new services...

Source: Read Write Web, Denso,

Simon Sage

Editor-at-very-large at Mobile Nations, gamer, giant.

There are 13 comments.

dloveprod says:

I didn't approve them taking that information. I'm sending that email.

Grommmm says:

I wouldn't be surprised if Facebook does this too. I have friends suggested on Facebook that are only in my address book, like business contacts I'd never add on Facebook.

applejosh says:

I'd prefer if they made it possible to delete this data (or even the whole account) from the settings on the web site.

Watcher says:

I know where all of you live!

FlopTech says:

All your contact data? Unencrypted?
What a bunch of evil bozos.

richchestmat#IM says:

Why does iOS let these apps have access to that information?

Richard says:

Erm, they are transmitting it over SSL, so it's not sent unencrypted; your screenshot shows that.
However I still think iOS needs a popup for contacts access the same way as it does for location

LacLass says:

There is a statement where you say that the data are sent in plaintext ... This is not correct, as the destination URL is https://..., which means that it's using SSL to encrypt the data exchange. Anyway, the transfer method is not giving any hint on how the data are stored on the server.
Now the choice of sending the whole information instead of some hash is giving you a hint about the fact that they want your information ...

Simon Sage says:

You're right, I'll clarify that in the post... I meant simply that the data wasn't hashed.

Rajiv says:

Other apps apparently perform this surreptitious upload as well; we need a list of these apps.

O says:

As far as I've seen, only my old Android prompted me to "allow" the app to be installed after all the service requests were disclosed. Apple doesn't have anything like that. The only "allows" that I have ever seen on iOS apps are for push notifications.
In that sense, I much prefer the Android platform, because you're at least seeing what the app is doing; on iOS you have absolutely no clue.

Video says:

