Apple has patched a little-known App Store loophole that enabled developers to harvest data on iOS users contacts, thereby limiting third-party access to potentially unprotected sources of personal information. Previously announced Apple privacy safeguards applied to the users own data, but not that of their contacts, creating a treasure trove of information that could be used individually or via compositing from multiple users with contacts in common. As explained in a new report from Bloomberg, iOS app developers have been allowed to request a users permission to access address book or contact data, which, if granted, enabled aggregation of multiple types of information about friends, family, and business associates — names, phone numbers, email addresses, profile photos, birth dates, home and work addresses, and information on how recently the contact was created. This information could be transferred virtually anywhere as soon as a user grants permission, without any tracking or other information being sent to Apple. The issue is that unlike the apps user, who has the ability to choose whether her information is shared, the contact is never asked for that permission, nor given any opportunity to withdraw it. Developers are able to sell that information to data brokers and leverage knowledge of your contacts to advertise items to you with endorsements from friends and family, akin to Facebooks your friends already like this product page feature. Some developers have bulk-texted friends of users using contact information to help build user bases for their services. Apples change blocks apps from contacting people using contact- or photo-gathered information, except at the explicit initiative of that user on an individualized basis. Developers are also required to provide a clear advance description of how the contacting message will appear to the recipient. The rules also bar developers from making, sharing, or selling databases of shared contact information, as well as using the information for previously undisclosed purposes. But theres no way to go back and either block or retrieve data previously shared. You can turn off the faucet going forward, but whatevers been given to developers is already out there.
Developers explicitly can't sell info to third parties. Apple updated its app guidelines last week, and while the biggest news was a widespread ban on cryptocurrency mining, the company also tightened its grip on what developers can and can't do with user info. Specifically, it restricted apps' abilities to collect, harness and share anyone's contact information. Per Bloomberg, app developers have been abusing their access to users' contact info for years. Their apps ask for access first, then harvesting the data for marketing purposes or even selling it outright -- all without permission from the contacts affected. Apple's updates to the App Store guidelines now prohibit developers from making databases of info gleaned from address books, nor can they request access to contact info under one pretense and then use it for something else -- they have to get consent for what they're actually using it for. And selling that data to third parties is now forbidden. Apple isn't making these changes in response to any particular scandal, though its CEO Tim Cook certainly criticized Facebook during the Cambridge Analytica scandal for that company's misuse of user data. (He later rejected the assertion that Apple inappropriately received any personal info from the social media company during this time period.) But following the implementation of the EU's privacy-intensive GDPR last month, restricting third parties' potential access to data sourced from users on Apple's devices seems a smart move anyway.
Apple has quietly tightened its App Store rules to better protect users from developers who want to harvest their data or sell it to third parties. Previously, developers would ask for users phone contacts and sometimes then sold that data without the explicit consent of the users or their contacts, according to Bloomberg, which spotted the change. The changes to the rules, which were made last week, explicitly state that developers are banned from turning address books into a database of contacts and from selling that database. They also cant turn data into user profiles. Developers can still ask users for contact lists for use within their app, but theyll have to tell users exactly what theyre going to do with the data. If they have more than one purpose in mind, theyll have to ask for further consent. Facebook came under fire in March for allowing a third-party developer to obtain the data of over 87 million people during the Cambridge Analytica fiasco. The timing of the new App Store rules seems to indicate Apple is trying to prevent similar data misuse from its developers. But the company cant do anything about the data thats already been collected and potentially sold by developers. And while Apple can remove apps from developers who violate these rules, it doesnt have full control over what those developers choose to do with the data once its obtained from users, which is the same problem that Facebook ran into.