Slashdot Mirror


Retrievable iPhone Numbers Raise Privacy Issue

TechnologyResource writes "When a couple of voicemails didn't show up recently, I thought nothing of it until a friend asked me if I'd gotten his message — people just don't call me that often. But the iPhone is indeed a phone, as some users are reportedly being reminded when they get phone calls from the publishers of a free app they've downloaded from the App Store. The application in question, mogoRoad, is a real-time traffic monitoring application. As invasive and despicable as that sounds, it raises another question: how did the company get hold of the contact information for those users? Mogo claims the details were provided by Apple, but Apple doesn't disclose that information to App Store vendors. French site Mac 4 Ever did some digging (scroll down for the English version) and determined it was possible — even easy — for an app to retrieve the phone number of a unit on which it was installed."

36 of 146 comments

  1. You Think That's Bad? by eldavojohn · · Score: 5, Funny

    That's nothing. You can use the Core Location Framework to figure out where they are. So I sold an application to celebrities only that shows them where the paparazzi are, it's called iAvoidPaparazzi. Then iAvoidPaparazzi sends my server their location which gets fed into another application called iMolestCelebs that I sell to tabloids and paparazzi. Then their information comes back to my server and gets fed out to iAvoidPaparazzi. Yeah it took me a few weeks to prime the pump so to speak but once this gets rolling I'm sure I'll make some huge bank off of it ... at least until I get shut down after I take the heat for a few Princess Dianas. *sigh* A man can't make an honest living these days ...

    --
    My work here is dung.
    1. Re:You Think That's Bad? by ZackSchil · · Score: 3, Informative

      I get the whole racket thing, and it's a joke, etc, etc, but it's worth noting that you can turn the entire Core Location framework off on a system-wide basis. You just go into Settings->General and turn off "Location Services".

    2. Re:You Think That's Bad? by MBCook · · Score: 2, Interesting

      Plus, the first time an application tries to use it, the iPhone pops up a little notification asking you for your permission.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    3. Re:You Think That's Bad? by sopssa · · Score: 2, Interesting

      Which, interestingly, is only a problem in the US. In every other country the caller pays for the call/sms.

    4. Re:You Think That's Bad? by BobMcD · · Score: 3, Insightful

      I guess some people are just so frugal and introverted that any use of their time or minutes results in a temper tantrum, like some arrogant teenager when the unwashed have the audacity to talk to them.

      And you'd be right in a tiny fraction of the population's cases. For the majority, however, a better guess would be that were they asked to provide their iPhone number to the vendor, they would have declined to do so. However, since they were not asked and the app took the number anyway, they were understandably aggravated.

      It isn't the phone call that is important at all. It is the power to decide, and with whom that power ultimately rests.

      And if you genuinely cannot see that, I can only hope you do not live in the same democracy that I do...

    5. Re:You Think That's Bad? by adolf · · Score: 2, Funny

      That's just because nobody actually lives there.

    6. Re:You Think That's Bad? by Ilgaz · · Score: 2, Interesting

      There is a hoax running especially in Europe, +358 or similar number, similar to Italy code (+35). Once you get a "ring" from that line or tricked calling it, your phone bill will be doomed. I speak about thousands of dollars (euros) here and you can't get that money back.

      They can't filter the number too since telecom system only allows +35**** to be banned, which would mean Italy would get blocked.
      Problem of these guys was finding juicy rich people. Just imagine some iPhone freeware vendor supplies it to them, a good database of iPhone owners.

      I can't believe people trying to justify "freeware" vendors access to phone number. It is totally impossible on other smartphone operating systems, on Symbian you can't even dare to try it.

    7. Re:You Think That's Bad? by Threni · · Score: 2, Insightful

      Exactly. Who in their right mind would want to pay for incoming calls? Bizarre? Doesn't the first company which charges YOU for the calls YOU make and doesn't make you pay for spammers and cold callers wasting your time get to pick up just about every mobile user in the States??

    8. Re:You Think That's Bad? by Kalriath · · Score: 2, Informative

      I can't believe people trying to justify "freeware" vendors access to phone number. It is totally impossible on other smartphone operating systems, on Symbian you can't even dare to try it.

      Incorrect. Symbian will allow it if you're Symbian Signed®, and Windows Mobile allows it by default. Not sure about Blackberry OS.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    9. Re:You Think That's Bad? by Khyber · · Score: 2, Informative

      Yup, it's the same 100 people using proxies in Canada to post to slashdot!

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  2. Apps use this all the time... by volxdragon · · Score: 2, Informative

    At least one server-based game I was looking at a network capture for was using the phone number as the login/authentication information to their server....rather stupid as it meant that anyone able to guess iPhone phone numbers would be able to hack other users' accounts of the game...WHOOPS!
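
The weakness described in the comment above, next to a corrected design, as an added example that is not part of the original thread and not the game's code. The class names, the in-memory account store and the phone numbers (fictional 555-01xx range) are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class PhoneOnlyLogin:
    """Pattern from the comment: knowing the number is the whole credential."""
    def __init__(self):
        self.accounts = {}                      # phone -> account data
    def register(self, phone):
        self.accounts[phone] = {"phone": phone}
    def login(self, phone):
        return self.accounts.get(phone)

class TokenLogin:
    """The number only names the account; a random per-install secret unlocks it."""
    def __init__(self):
        self.accounts = {}                      # phone -> (token digest, account data)
    def register(self, phone):
        token = secrets.token_urlsafe(32)       # 256 random bits, returned to the client once
        digest = hashlib.sha256(token.encode()).digest()
        self.accounts[phone] = (digest, {"phone": phone})
        return token
    def login(self, phone, token):
        entry = self.accounts.get(phone)
        if entry is None:
            return None
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison of the stored and presented digests.
        return entry[1] if hmac.compare_digest(presented, entry[0]) else None

def accounts_opened_by_guessing(attempt, candidates):
    """Count candidate numbers that open an account with no other knowledge."""
    return sum(1 for number in candidates if attempt(number) is not None)

# Constructed sample data: three registered users inside a block of 100 numbers.
REGISTERED = ["+1202555%04d" % n for n in (101, 142, 177)]
CANDIDATES = ["+1202555%04d" % n for n in range(100, 200)]

def demo():
    weak, strong = PhoneOnlyLogin(), TokenLogin()
    tokens = {}
    for phone in REGISTERED:
        weak.register(phone)
        tokens[phone] = strong.register(phone)
    weak_hits = accounts_opened_by_guessing(weak.login, CANDIDATES)
    strong_hits = accounts_opened_by_guessing(
        lambda number: strong.login(number, "guess"), CANDIDATES)
    owner_ok = strong.login(REGISTERED[0], tokens[REGISTERED[0]]) is not None
    return weak_hits, strong_hits, owner_ok

if __name__ == "__main__":
    print(demo())
```

Walking the number block opens every registered account on the phone-only server and none on the token server, while the legitimate install still logs in with the token it was issued.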

  3. Where's the mainstream media? by Stoutlimb · · Score: 4, Interesting

    What are the chances that mainstream media would ever do this kind of investigative journalism? Or take seriously this kind of investigation done by an individual. Mainstream media like newspapers always claim that they have the upper hand over bloggers because they can do serious investigation.... but concerned people with time on their hands far outnumber journalists. This is a great example of that... and it's very telling that no mainstream news has yet to carry this.

    And I think it's serious, because I'm sure this violates a few laws, at least in my country.

    1. Re:Where's the mainstream media? by Goaway · · Score: 5, Insightful

      This kind of investigative journalism? The kind that puts confusing and irrelevant babble about phonecalls from friends at the start of the article? I'd hope those chances are pretty low.

    2. Re:Where's the mainstream media? by commodoresloat · · Score: 2, Funny

      Where's the mainstream media?

      Well, according to their CoreLocation information that I got via their iPhones using this iSeeYou app I developed, they're at 38.174104,-85.765784.

  4. Re:So by tonywong · · Score: 5, Informative

    I'd mod you down for not even bothering to RTFA, but claiming that it didn't say what the calls were about is a bit disingenuous.

    From the very first link:
    Several commenters on the store say theyâ€(TM)ve received phone calls from the company behind the application after they downloaded the free version, inviting them to shell out money for the full version.

  5. Re:So by tonywong · · Score: 3, Funny

    meh. of course the garbage in the post doesn't show up when you hit preview.../. please fix.

  6. Need your phone number stolen? by secretvampire · · Score: 5, Funny

    There's an app for that.

  7. Huh? by Chad+Birch · · Score: 2, Interesting

    Does anyone understand how the first sentence of the summary is supposed to relate to this story at all?

    Good job tagging it "coolstorybro" though, whoever did that. You made me laugh.

    --
    Sturgeon was an optimist.
  8. Re:What? by Arimus · · Score: 2, Interesting

    Android asks you to agree that the app you are intending to install can access a list of various services etc it is then up to you whether you agree or not, you can also revoke permissions for installed apps if you change your mind later.

    --
    --- Users are like bacteria -> Each one causing a thousand tiny crises until the host finally gives up and dies.
  9. Re:Applies only to jailbroken devices? by sopssa · · Score: 3, Insightful

    The Ars Technica article linked in the OP says that this applies to jailbroken iPhones.

    It doesn't say it applies to only jailbroken iPhones, it says it's easy to see with a jailbroken iPhone (since you can find the directory then)

    Both jailbroken and non-jailbroken can access it tho.

  10. Confirm personal data sharing? by codeonezero · · Score: 2, Insightful

    As much as this may be on Apple, any good software developer should be asking the user for authority to share/access that information to begin with, especially if it's going to lead to sales calls down the line. Since it looks like mogoRoad didn't (at least there's no mention of this anywhere) it's telling that they really don't care about user privacy.

    Apple could probably solve this by encapsulating any data on the iPhone with a framework that forces UI authorization before any app on the iPhone is allowed to access information.

    --

    ....
    int main (void) { ... }

  11. Similar functionality on other devices by zn0k · · Score: 2, Informative

    I was curious if this was possible on other devices. Seems like all the big ones have some API functionality to retrieve similar information:

    - http://docs.blackberry.com/en/developers/deliverables/8540/Retrieve_phone_number_BB_device_565546_11.jsp Blackberry

    - http://blogs.msdn.com/windowsmobile/archive/2004/11/28/271110.aspx Windows Mobile

    - http://www.forum.nokia.com/infocenter/index.jsp?topic=/S60_5th_Edition_Cpp_Developers_Library/GUID-3EB7E846-A29F-4546-B04D-A90B009903EF.html Symbian (while on casual inspection there appears to be no function to retrieve the phone number, you can retrieve the IMEI, and be notified on events such as phone calls, at which point you can retrieve the caller ID as well as the dialed number)

    - http://developer.android.com/reference/android/telephony/TelephonyManager.html Android (requires permissions be granted to the app)

  12. Re:So by sadness203 · · Score: 3, Insightful

    It's more akin to a PC app getting your e-mail address and sending you spam.
    With an IP address, there's not a lot of things a publisher could do, except if it wants to build a botnet.

  13. Re:Other phones allow this by roothog · · Score: 2, Insightful

    Software that steals email addresses is called "malware" and isn't sold at a marketplace managed by the OS vendor.

  14. Don't touch that button by MrKaos · · Score: 3, Insightful

    If Apple really did care about your privacy then the functionality just would not exist, and at best it would be a hack. As it stands it's just an undocumented feature.

    It's great to rely on 'developer integrity' and all ya' know, but those developers are motivated by a need to generate a return. It's hard for anyone to expect a management team *not* to instruct a development team to extract said information and feed it into a marketing team. I've got two ideas for iPhone applications iWantYourMoney and iWantYourInformation supported by the iPwned you framework.

    Seriously people it's like putting a 9 year old in front of a big red button with a sign under it saying 'Do not press this button' and saying to the kid 'Don't touch that button kid'. I'd expect the management teams to be saying 'what other user information can you extract'.

    --
    My ism, it's full of beliefs.
  15. Re:Android permission model FTW by w3woody · · Score: 4, Interesting

    Please.

    The Android permissions model works if you are a geek and have the correct magic decoder ring to understand the permissions being asked for. But most people are going to blow through those settings the same way that they blow through the Windows Vista UAC alerts.

    I know: the company I'm working for is currently shipping on the Android Marketplace an application which explicitly requests the "Phone calls (read phone state)" and "Services that cost you money (directly call phone numbers)" states--and that hasn't slowed our adoption rate one whit.

    (The first is so we can read the IMEI to generate a unique identifier--which is ultimately generated as a one-way hash. The one-way hash makes it impossible for us to go back from the UUID to a specific user or phone--and it works that way because I put my foot down. (Our Prod Manager wanted the user's phone number--to which I responded "No frakkin' way. Fire my ass first.") The second is so when the user asks for more information on a particular business found in our app I can dump him into the telephony application with the phone number pre-loaded. But we do not actually initiate the phone call; the user has to press the "call" button, despite having an API to initiate the phone call ourselves. Again, I put my foot down here--before I suck your minutes I want to know that was what you really wanted.)

    Yes, we don't do anything bad. But it's not because the Android permission model slowed us down one microsecond. Thus far we've shipped over 175,000 copies. No; it's because I put my foot down--and I can see that for someone not as stubborn as me, it would have been easy for us to capture the location and phone number of 175,000 users and track where they were while they were using our app in real time.
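
A check a practitioner would run on an identifier derived as in the comment above, as an added example that is not part of the original thread and not the commenter's code. It assumes a bare SHA-256 over the IMEI string; the TAC, the serial and all function names are constructed. An IMEI is an 8-digit type allocation code, a 6-digit serial and a Luhn check digit, so one device model spans only 10^6 values, and the example contrasts the hash with a random per-install identifier that carries no hardware information.

```python
import hashlib
import secrets

TAC = "00101500"   # constructed 8-digit type allocation code, not a real model

def luhn_check_digit(body14):
    """Luhn check digit for the 14-digit TAC + serial part of an IMEI."""
    total = 0
    for index, char in enumerate(body14):
        digit = int(char)
        if index % 2 == 1:            # every second digit, starting next to the check digit
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return str((10 - total % 10) % 10)

def imei_for(tac, serial):
    body = f"{tac}{serial:06d}"
    return body + luhn_check_digit(body)

def hashed_id(imei):
    """Identifier derived from the hardware id with an unkeyed one-way hash."""
    return hashlib.sha256(imei.encode()).hexdigest()

def random_install_id():
    """Alternative: 128 random bits generated at first run, unrelated to the hardware."""
    return secrets.token_hex(16)

def reidentify(stored_id, tac, serials):
    """Return the IMEI in the given serial range whose hash equals stored_id, else None."""
    for serial in serials:
        imei = imei_for(tac, serial)
        if hashed_id(imei) == stored_id:
            return imei
    return None

def demo():
    device = imei_for(TAC, 4242)                      # constructed device
    from_hash = reidentify(hashed_id(device), TAC, range(10_000))
    from_random = reidentify(random_install_id(), TAC, range(10_000))
    return device, from_hash, from_random

if __name__ == "__main__":
    print(demo())
```

The trade-off is that a random identifier does not survive a reinstall, whereas an identifier hashed from the IMEI does.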

  16. Nothing New Here by leapis · · Score: 4, Informative

    I have written applications on just about every smartphone platform, and I have never met an API that did not have the ability to query the phone number of the device. Assuming you have a data plan (in many cases, the only way to get the app in the first place), it's a tiny amount of code to post that information to a web page the first time the application runs. Some platforms, such as the Android, do indicate when an application has access to use the Internet, but it's not trivial to find out exactly what information is going back and forth.

    This issue has always been there, and is no more of a problem on an iPhone than other similar platforms.

    1. Re:Nothing New Here by Cramer · · Score: 2, Insightful

      That's muddy waters... Does downloading a demo ("free") app constitute a "business relationship"? As for telemarketing calls to cellphones, it's certainly despised, but I don't think it's illegal these days -- for starters, it's impossible to know the number you're dialing is a cellphone, or has been directed to a cellphone. The days when an NPANXX could tell you a location and service provider are long past. (any number can be assigned to anyone, anywhere.)

    2. Re:Nothing New Here by Serious+Callers+Only · · Score: 2, Informative

      but. . . but. . . security is one of the claimed reasons for sandboxing applications on the iPhone. Apple is lying? Tell me it ain't so!

      No, not lying, just complacent.

      There should be an option to restrict this, and sandboxing does in fact give Apple the option to add it in the future - it does increase security by not allowing direct access to system files. All access to stuff like phone numbers and addresses is only via an API which Apple control, which they can modify at any time to pop up a dialog asking the user (see their restrictions on core location data).

  17. Re:Other phones allow this by Ilgaz · · Score: 2, Insightful

    There isn't a single other phone allowing this. On Symbian, you can't simply make your app "call" a number or send a sms without user getting a huge warning on screen.

    Gathering phone numbers can be done only that way, there is no central "app store" which leaks user phone numbers.

    I believe J2ME apps can't even try to do such sms/dial thing if they don't have a security cert.

    These issues were fixed almost a decade ago, Apple ignored all the hard work done by others and rolled their own control freak store. This is just one of the results. I also saw couple of idiot developers on digg.com bragging about they know every user running their application and pirating it. That is one more scandal waiting in line to unearth.

  18. ....people just don't call me that often by mevets · · Score: 2, Funny

    .... and the iPhone fixed that. Is there anything that phone can't do?

  19. Re:So by BattleApple · · Score: 2, Insightful

    Just because an app needs access to your phone number doesn't mean the developer needs access to it.

  20. Not a question of technology by Tobor+the+Eighth+Man · · Score: 2, Insightful

    The problem here is not with the technology, but with the business ethics of the company involved. It's not like discovering the phone numbers of consumers has been outright impossible before, it's merely become simple enough in this particular instance that an unscrupulous company thought it was worth the effort.

  21. Old News by psergiu · · Score: 2, Informative

    That's old news, people.

    Anyone with half a brain has already installed on his jailbroken iPhone the modified /etc/hosts from i-phone-home.blogspot.com.

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
  22. Re:What? by BrokenHalo · · Score: 3, Insightful

    Seems to me there's a difference between your phone number being available for an app (i.e. for the customer's convenience) and the app passing it on to any third party.

    A more honest approach would be some kind of opt-in if it has to be done at all.

  23. Re:It Happened to me...... by Slashcrap · · Score: 2, Funny

    Yes, schools like this prey on the uneducated

    Yes, the uneducated do tend to be the target market for schools. Thanks for the insight.