Cupertino promises to rid iOS of a flaw that allows apps to access user info

Feb 16, 2012 07:34 GMT

In a statement provided to All Things D, an Apple spokesman has confirmed that Apple is going to release a fix for a flaw in iOS that currently allows third-party applications to upload a user’s entire address book to the cloud.

It all began with an app called Path that spurred quite a bit of controversy earlier this month when a Singapore-based developer discovered that it was uploading users’ contacts to remote servers, in a plain text file - unencrypted.

Arun Thampi, an iOS developer himself, made his discovery while using Path in a hackathon.

“Now I don’t remember having given permission to Path to access my address book and send its contents to its servers,” he wrote on his blog, “so I created a completely new ‘Path’ and repeated the experiment and I got the same result – my address book was in Path’s hands.”

A commenter on Arun’s blog later noted that “[sections] 17.1 and 17.2 of the [App Store] approval guidelines specifically forbids what [Path is] currently doing.”

The discovery prompted thorough examinations of other iOS applications which, to nobody’s surprise, did the same thing. The flaw, however, was on the iOS side.

Apple has now officially responded to the fiasco, issuing a statement to the WSJ-owned All Things D blog. Apple spokesman Tom Neumayr said:

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

While Apple is known to be actively testing iOS 5.1 betas for a future release, hackers have long hinted at the possible release of an incremental iOS 5.0.2 update. Expect either one to arrive in the coming weeks with Apple’s promised fix.