PSA: Popular social network app Path uploads your entire iPhone address book to their servers... in plain text
Do you love Path, the slick, simple, moment-sharing social network app for iPhone? Well, get ready to dial it back a notch, because apparently they're storing your entire address book, e-mail addresses and all, on their servers, and in plain text. What kind of evil deeds does Path have planned for all that data? Well, the CEO, Dave Morin, said that the data is used exclusively to notify you when your friends sign up for Path. He also claimed that it's the industry standard to transfer that personal information in plain text, even though, as one commenter points out, it could be done with representative hash codes instead. Morin also said that they intend to update the iOS version with an opt-in dialog for the feature, which is a tweak they've already rolled out on Android.
If you're not cool with the data Path already has stored on their server, you can e-mail firstname.lastname@example.org and they'll wipe everything out for you.
The whole mess was discovered by the developer of an iPad news app called Denso. He was toying around with a new tool from mitmproxy.org that monitors the API calls made by apps by setting up a man-in-the-middle HTTP proxy.
This isn't the first time we've seen this issue on iOS. Nuance's popular Dragon Dictation faced and addressed similar concerns back in 2009. While we're prone to just hit the "allow" button on just about any app we download when prompted for access to personal data, you aren't currently getting that message when downloading Path on iOS. Even if you were, it's still pretty sketchy that this data is being transferred without being hashed, even if it's transferred over SSL. What if Path's servers got hacked? We wouldn't get much more than a "whoops" from Path. What worries me even more is that there are still a ton of other services out there just farming up personal data from not only you, but everyone you know, without your express or implicit permission.
It certainly makes me think twice when signing up for new services...
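The hashed approach the commenter suggests, sketched as an added example (not Path's code or anything from the original post): the device normalizes each e-mail address and phone number and uploads only SHA-256 tokens, which the server intersects with the tokens of registered users. The function names, the `contact-match-v1` prefix and the sample contacts are assumptions constructed for illustration.

```python
import hashlib
import re

# Hypothetical domain-separation prefix so tokens differ from other services' hashes.
PREFIX = "contact-match-v1"

def normalize_email(raw):
    """Trim and lower-case so the same address always yields the same token."""
    return raw.strip().lower()

def normalize_phone(raw, default_country="1"):
    """Reduce a number to digits with a country code (simplified assumption)."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:  # national number without a country code
        digits = default_country + digits
    return digits

def contact_token(kind, value):
    """SHA-256 token for one identifier; the raw value stays on the device."""
    norm = normalize_email(value) if kind == "email" else normalize_phone(value)
    return hashlib.sha256(f"{PREFIX}:{kind}:{norm}".encode("utf-8")).hexdigest()

def tokens_for_address_book(contacts):
    """Map token -> local contact name; only the tokens (keys) are uploaded."""
    out = {}
    for c in contacts:
        for kind in ("email", "phone"):
            for value in c.get(kind, []):
                out[contact_token(kind, value)] = c["name"]
    return out

def match_friends(uploaded_tokens, registered_tokens):
    """Server side: intersect uploaded tokens with tokens of registered users."""
    return set(uploaded_tokens) & set(registered_tokens)

# Constructed sample data, not real contacts.
ADDRESS_BOOK = [
    {"name": "Alice", "email": [" Alice@Example.com "], "phone": ["(555) 010-0199"]},
    {"name": "Bob", "email": ["bob@example.net"], "phone": []},
]
REGISTERED = {contact_token("email", "alice@example.com")}

def demo():
    """Return the local names whose tokens the server reports as registered."""
    local = tokens_for_address_book(ADDRESS_BOOK)
    hits = match_friends(local.keys(), REGISTERED)
    return sorted(local[t] for t in hits)

if __name__ == "__main__":
    print(demo())
```

Phone numbers and e-mail addresses come from a small, guessable space, so anyone holding a leaked token table can still test candidate values against it; hashing reduces what the server stores but does not replace the opt-in prompt.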