Programatic access to iOS address book should require explicit permissions
| Originator: | mugunth.kumar | ||
| Number: | rdar://10824178 | Date Originated: | |
| Status: | Open | Resolved: | No |
| Product: | iOS | Product Version: | 5.0.1 |
| Classification: | Security | Reproducible: | Yes |
08-Feb-2012 08:38 AM Mugunth Kumar Kumar: Summary:When a third party app accesses address book using the provided C API, iOS should show a prompt to user to get his/her consent. Steps to Reproduce: Create an iOS application and write these two lines of code in viewDidLoad of the FirstViewController or AppDelegate's applicationDidFinishLaunchingWithOptions:. ABAddressBookRef addressBookRef = ABAddressBookCreate(); CFArrayRef allContacts = ABAddressBookCopyArrayOfAllPeople(addressBookRef); Expected Results: The iOS app should show a dialog requesting for user's consent to share the address book with the third party app. Actual Results: No such dialog appears. allContacts variable now has every contact information present on the device. Regression: Notes: While this is not a bug, it's a serious security flaw. High profile applications like Path has misused this and user's private data might end up in the hands of advertisers. Below is a post that shows how Path uploads address book to their servers without user's consent. http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.html Attached with this rdar is the source code snippet that would show you how to do this. 08-Feb-2012 08:38 AM Mugunth Kumar Kumar: 'AddressBookAccessor-1.zip' and 'AddressBookAccessor.zip' were successfully uploaded
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!