Clear Cases

The next set of apps are those that are uploading your address book but do so only when you initiate an action in the app. We are differentiating these apps from the "explicit warner" apps that present a standard iOS pop-up dialog when you are about to upload contact information. Instead, you'll often tap an element that reads something like "Find friends." In all of these cases, the user is specifically requesting that the app locate people — though it's not necessarily always clear that your entire address book is being uploaded.

There are some obvious examples of apps that use this method. Twitter, Facebook, and LinkedIn are all social apps that can and do upload your address book, though in each case you need to tap a button to make it happen.

Gowalla will upload email addresses after you tap through "Find Friends" and "Address Book" without making it entirely clear that you will be uploading that information. Foodspotting is a worse case. Although it does not send any address book information until you tap "Follow People" a few levels deep, it uploads your entire email list in clear text to an insecure HTTP address. The company told VentureBeat it intends to beef up security in the next update.

A less obvious set of apps is games. We have found that a specific class of games can upload your contact information after you tap a button that is not entirely clear. The games are those that connect to Chillingo's "Crystal" game service, and they include both Angry Birds and Cut-The-Rope. In these cases, a user needs to go through an admittedly convoluted set of steps in order to connect their game to the Crystal network, but once connected, there is a button labelled "Invite from Contacts" with a further misleading description, "Send an invite from your local contacts." Whereas on some apps this would bring up a built-in iOS dialog to select a contact, in the case of Chillingo games your address book is uploaded so that the game can give you a list of names that matches the look and feel of the app. Although this method is slightly problematic, it is usually buried deep within an app's settings in a place most users won't bother with because that functionality is already handled by Apple's Game Center (more on that in a bit).

Although these apps do not present an immediate problem, as they require user interaction before uploading data, there is still a pressing question. It is not clear at all exactly what happens to this data once it's uploaded. Most of these apps do not clearly state whether or not they retain your data, offer it to third parties, use it for data mining, or delete it after you've searched for friends. There has been some talk about how common this type of data uploading is — Dustin Curtis suggests that an unnamed 13 of 15 popular social apps import and use this data. We'll also note that it's highly unlikely that most developers are doing any sort of work to anonymize your information. The vast majority of apps we tested — whether they upload your address book information or not — can and do upload other identifying information from your iPhone, including the phone's unique UDID identifier and in many cases even the "Name" of the iPhone you enter into iTunes when setting it up.

In short, these app developers can get a pretty good idea of who you are and who you know, but we don't know what they are doing with that information.