Stated simply: any iOS app has complete access to a large amount
of data stored on your iPhone, including your address book and
calendar. Any iOS app can, without asking for your permission,
upload all of the information stored in your address book to its
servers. From there, the app developer can either use it to help
find your friends, store it in perpetuity, or do any number of
other things with it.

Over the course of the past day, we have been using the method
explained by Arun Thampi (who discovered Path’s privacy
violation) to investigate several dozen popular iOS apps. Our
findings should bring both comfort and concern to any iPhone user
— and to be frank the work of doing a similar investigation on
Android and other platforms remains to be done.

Makes me wonder whether any apps are playing similar shenanigans on the Mac, where most apps still have unfettered access to all your data. (I say “still” because this is one of the problems that app sandboxing is meant to mitigate, but few third-party Mac apps are sandboxed yet.)