Slashdot Mirror

← Back to Stories (view on slashdot.org)

Retrievable iPhone Numbers Raise Privacy Issue

Posted by kdawson on from the how-about-never-is-never-good-for-you dept.

TechnologyResource writes "When a couple of voicemails didn't show up recently, I thought nothing of it until a friend asked me if I'd gotten his message — people just don't call me that often. But the iPhone is indeed a phone, as some users are reportedly being reminded when they get phone calls from the publishers of a free app they've downloaded from the App Store. The application in question, mogoRoad, is a real-time traffic monitoring application. As invasive and despicable as that sounds, it raises another question: how did the company get hold of the contact information for those users? Mogo claims the details were provided by Apple, but Apple doesn't disclose that information to App Store vendors. French site Mac 4 Ever did some digging (scroll down for the English version) and determined it was possible — even easy — for an app to retrieve the phone number of a unit on which it was installed."

14 of 146 comments (clear)

  1. You Think That's Bad? by eldavojohn · · Score: 5, Funny

    That's nothing. You can use the Core Location Framework to figure out where they are. So I sold an application to celebrities only that shows them where the paparazzi are, it's called iAvoidPaparazzi. Then iAvoidPaparazzi sends my server their location which gets fed into another application called iMolestCelebs that I sell to tabloids and paparazzi. Then their information comes back to my server and gets fed out to iAvoidPaparazzi. Yeah it took me a few weeks to prime the pump so to speak but once this gets rolling I'm sure I'll make some huge bank off of it ... at least until I get shutdown after I take the heat for a few Princess Dianas. *sigh* A man can't make an honest living these days ...

    --
    My work here is dung.
    1. Re:You Think That's Bad? by ZackSchil · · Score: 3, Informative

      I get the whole racket thing, and it's a joke, etc, etc, but it's worth noting that you can turn the entire Core Location framework off on a system-wide basis. You just go in to Settings->General and turn off "Location Services".

    2. Re:You Think That's Bad? by BobMcD · · Score: 3, Insightful

      I guess some people are just so frugal and introverted that any use of their time or minutes results in a temper tantrum, like some arrogant teenager when the unwashed have the audacity to talk to them.

      And you'd be right in a tiny fraction of the population's cases. For the majority, however, a better guess would be that were they asked to provide their iPhone number to the vendor, they would have declined to do so. However since they were not asked and the app took the number any way, they were understandably aggravated.

      It isn't the phone call that is important at all. It is the power to decide, and with whom that power ultimately rests.

      And if you genuinely cannot see that, I can only hope you do not live in the same democracy that I do...

  2. Where's the mainstream media? by Stoutlimb · · Score: 4, Interesting

    What are the chances that mainstream media would ever do this kind of investigative journalism? Or take seriously this kind of investigation done by an individual. Mainstream media like newspapers always claim that they have the upper hand over bloggers because they can do serious investigation.... but concerned people with time on their hands far outnumber journalists. This is a great example of that... and it's very telling that no mainstream news has yet to carry this.

    And I think it's serious, because I'm sure this violates a few laws, at least in my country.

    1. Re:Where's the mainstream media? by Goaway · · Score: 5, Insightful

      This kind of investigative journalism? The kind that puts confusing and irrelevant babble about phonecalls from friends at the start of the article? I'd hope those chances are pretty low.

  3. Re:So by tonywong · · Score: 5, Informative

    I'd mod you down for not even bothering to RTFA, but claiming that it didn't say what the calls were about is a bit disingenuous.

    From the very first link:
    Several commenters on the store say theyâ€(TM)ve received phone calls from the company behind the application after they downloaded the free version, inviting them to shell out money for the full version.

  4. Re:So by tonywong · · Score: 3, Funny

    meh. of course the garbage in the post doesn't show up when you hit preview.../. please fix.

  5. Need your phone number stolen? by secretvampire · · Score: 5, Funny

    There's an app for that.

  6. Re:Applies only to jailbroken devices? by sopssa · · Score: 3, Insightful

    The Ars Technica article linked in the OP says that this applies to jailbroken iPhones.

    It doesn't say it applies to only jailbroken iPhones, it says it's easy to see with a jailbroken iPhone (since you can find the directory then)

    Both jailbroken and non-jailbroken can access it tho.

  7. Re:So by sadness203 · · Score: 3, Insightful

    It's more akin to a PC apps getting your e-mail address and sending you spam.
    With an IP address, there's not a lot of thing a publisher could do, except if it want to build a botnet.

  8. Don't touch that button by MrKaos · · Score: 3, Insightful

    If Apple really did care about your privacy then the functionality just would not exist, and at best it would be a hack. As it stands it's just an undocumented feature.

    It's great to rely on 'developer integrity' and all ya' know, but those developers are motivated by a need to generate a return. It's hard for anyone to expect a management team *not* to instruct a development team to extract said information and feed it into a marketing team. I've got two ideas for iPhone applications iWantYourMoney and iWantYourInformation supported by the iPwned you framework.

    Seriously people it's like putting a 9 year old in front of a big red button with a sign under it saying 'Do not press this button' and saying to the kid 'Don't touch that button kid'. I'd expect the management teams to be saying 'what other user information can you extract'.

    --
    My ism, it's full of beliefs.
  9. Re:Android permission model FTW by w3woody · · Score: 4, Interesting

    Please.

    The Android permissions model works if you are a geek and have the correct magic decoder ring to understand the permissions being asked for. But most people are going to blow through those settings the same way that they blow through the Windows Vista UAC alerts.

    I know: the company I'm working for is currently shipping on the Android Marketplace an application which explicitly requests the "Phone calls (read phone state)" and "Services that cost you money (directly call phone numbers)" states--and that hasn't slowed our adoption rate one whit.

    (The first is so we can read the IMEI to generate a unique identifier--which is ultimately generated as a one-way hash. The one-way hash makes it impossible for us to go back from the UUID to a specific user or phone--and it works that way because I put my foot down. (Our Prod Manager wanted the user's phone number--to which I responded "No frakkin' way. Fire my ass first.") The second is so when the user asks for more information on a particular business found in our app I can dump him into the telephony application with the phone number pre-loaded. But we do not actually initiate the phone call; the user has to press the "call" button, despite having an API to initiate the phone call ourselves. Again, I put my foot down here--before I suck your minutes I want to know that was what you really wanted.)

    Yes, we don't do anything bad. But it's not because the Android permission model slowed us down one microsecond. Thus far we've shipped over 175,000 copies. No; it's because I put my foot down--and I can see that for someone not as stubborn as me, it'd would have been easy for us to capture the location and phone number of 175,000 users and track where they were while they were using our app in real time.

  10. Nothing New Here by leapis · · Score: 4, Informative

    I have written applications on just about every smartphone plaform, and I have never met an API did that did not have the ability to query the phone number of the device. Assuming you have a data plan (in many cases, the only way to get the app in the first place), its a tiny amount of code to post that information to a web page the first time the application runs. Some platforms, such as the Android, do indicate when an application has access to use the Internet, but its not trivial to find out exactly what information is going back and forth.

    This issue has always been there, and is no more of a problem on an iPhone than other similar platforms.

  11. Re:What? by BrokenHalo · · Score: 3, Insightful

    Seems to me there's a difference between your phone number being available for an app (i.e. for the customer's convenience) and the app passing it on to any third party.

    A more honest approach would be some kind of opt-in if it has to be done at all.