Another iPhone app has come under fire for uploading private data from users’ address books to its own servers.
Hot on the heels of the uproar over Path, which an iOS developer discovered to be sharing personal data, it has emerged that Hipster, another free app, is doing essentially the same thing.
Mark Chang wrote on his blog that he had discovered that Hipster was sending data such as his password and iPhone UID to the company’s servers in plain text – not even using the encrypted HTTPS protocol.
“The Hipster app, in an unsecured HTTP GET request, sends a big chunk of your iPhone address book in the form of an email param that includes a comma-separated list of email addresses,” Chang wrote.
“Hipster never asked me for permission to send my address book emails to them. Hipster does not say anything (as far as I know) about if they are storing those emails or what. The Hipster app allows you to deselect the “Contacts” button when looking for new friends, but it is enabled by default. Therefore, there is no way to avoid sending address book emails to Hipster, as far as I can tell.”
Chester Wisniewski of security firm Sophos was unimpressed by the actions of Path, Hipster and Apple.
“Where was Apple when the original app was released? The lengthy approval process should be looking out for its customers, not just whether it allows you to tether,” he said with reference to the case of Path.
“The Hipster app does provide you with an option when adding friends to deselect the “Contacts” button, but who would imagine selecting contacts meant sending your contacts to Hipster? If I saw that button I’d assume it would allow me to pick from my address book locally.”
Wisniewski was quick to point out, though, that just because the companies had been gathering this data did not mean it had been misused in any way.
“We aren’t suggesting these companies are going to use this information against your interests, but should they be collecting this information without your knowledge? Additionally, insecurely transporting personal information from your phone book, permission or not, is an unacceptable practice.
“The iOS permission system doesn’t provide notification of what information an app may be sending to its keepers, aside from location information.”
UPDATE: Hipster has got in touch with Macworld to offer clarification on the matter.
“We’re on it. Emails are never saved and app updates will be out ASAP with secure and explicit opt-in,” Carl Rice, a member of Hipster’s team, told Macworld.
An updated version of Path is also now available in the iTunes App Store.