Company calls customers in attempt to sell paid version of mobile app
In the iTunes user ratings section for the iPhone application mogoRoad, a real-time traffic monitoring tool available in Switzerland, several users claim to have received phone calls from the development company behind the mobile software. Reportedly, the company is asking the app owners if they would like to purchase the paid version of the application. While unsolicited sales calls are annoying and intrusive, the bigger question is how the company got its customers' phone numbers to begin with. According to mogoRoad, the information came from Apple.
The recipients of the unwanted calls said that they were contacted a few weeks after the initial installation of the mogoRoad application. An operator would then try to sell them the paid version of the mobile software. If pressed as to how the company got access to their phone number, the operator would generally respond that the information was provided by Apple.
That seems unlikely since Apple does not provide this sort of private information to App Store developers nor does it provide direct access to that information via the iPhone SDK (software development kit), the tool used by developers to build their mobile apps.
However, it's not entirely inaccurate of the company to say that Apple did provide them with the customers' phone numbers. Although Apple doesn't directly give out this info, it does provide a relatively easy way for any app developer to retrieve mobile numbers from the phone. In other words, Apple didn't give out the numbers in question; it just provided access to them.
Although mogoRoad won't admit it, the most likely explanation as to how they retrieved the phone numbers involves the use of an undocumented feature which allows any Apple iPhone/iPod Touch application to access the phone number of the device on which it is installed. In an article on tech blog Ars Technica from earlier this year, the process of doing so was described as "a shockingly easy thing to do:"
Apple sneaks in a hidden symbolic link between the app's sandboxed preferences and a global preferences property list...Peek in Library/Preferences with "ls -a". You'll find a symbolic link to /private/var/mobile/Library/Preferences/.GlobalPreferences.plist, which is where (among other items), you'll find a preference called SBFormattedPhoneNumber. This preference provides exactly what the name implies: the user's phone number formatted to the current locale.
In checking with multiple iPhone developers this morning, we confirmed that the trick still works as described above.
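To see the mechanism from the reviewer's side, the sketch below (an added example, not code from this article, Ars Technica, or Apple) audits an app's sandbox directory for symbolic links that resolve outside it and reports whether the link target is a property list exposing the key named in the quote. The directory layout, the sample plist contents, and the function names `audit_sandbox` and `build_demo` are constructed for illustration.

```python
import os
import plistlib
import tempfile

# Key named in the Ars Technica quote; the audit reports presence only, never the value.
SENSITIVE_KEYS = {"SBFormattedPhoneNumber"}

def audit_sandbox(sandbox_root):
    """Return one finding per symlink under sandbox_root that resolves outside it."""
    root = os.path.realpath(sandbox_root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) == root:
                continue  # link stays inside the sandbox
            exposed = []
            try:
                with open(target, "rb") as fh:
                    exposed = sorted(SENSITIVE_KEYS & set(plistlib.load(fh)))
            except Exception:
                pass  # dangling link, directory, or not a plist: still an escape
            findings.append({"link": os.path.relpath(path, root),
                             "target": target, "exposed_keys": exposed})
    return findings

def build_demo(base):
    """Constructed layout: a 'global' plist outside the sandbox, linked from inside it."""
    global_dir = os.path.join(base, "global", "Preferences")
    prefs = os.path.join(base, "sandbox", "Library", "Preferences")
    os.makedirs(global_dir)
    os.makedirs(prefs)
    global_plist = os.path.join(global_dir, ".GlobalPreferences.plist")
    with open(global_plist, "wb") as fh:  # placeholder number, constructed
        plistlib.dump({"SBFormattedPhoneNumber": "+00 00 000 00 00",
                       "AppleLocale": "fr_CH"}, fh)
    os.symlink(global_plist, os.path.join(prefs, ".GlobalPreferences.plist"))
    with open(os.path.join(prefs, "com.example.app.plist"), "wb") as fh:
        plistlib.dump({"units": "km"}, fh)  # the app's own, harmless preferences
    return os.path.join(base, "sandbox")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_sandbox(build_demo(tmp)):
            print(finding)
```

The app's own preference file produces no finding; only the link that leaves the sandbox is reported, along with the sensitive key its target contains.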
Believe it or not, this isn't actually a security hole in need of patching - it's more of a feature. "It's important to remember that perfectly legit applications can reach your phone number plus your entire address book as well," Ars Technica blogger Erica Sadun wrote back in January. "Applications can also obtain personal information from most of the iPhone file system..."
While the large majority of app developers out there would never do anything quite so nefarious as what mogoRoad did and undoubtedly wouldn't want to risk alienating their customers in this fashion, it's unsettling to know that they could. And every time you install a mobile app, you're putting yourself at risk.
As of now, Apple hasn't officially responded to requests for comment as to how they will proceed with regard to this situation, either to us or to the blog originally reporting this story, French site Mac4Ever. However, given that the development company has clearly abused an undocumented feature, that should be enough to get them booted out of the App Store...hopefully for good.
Many thanks to MacWord, which pointed us to this story.
Comments
What the?!! Hmm, how the heck on earth did those companies manage to get our phone numbers?
It has been known for a long time that every application has full access to your Contacts on your iPhone without any warning.
Why the hell does Apple allow this? People have a false sense of security when they install an application.
That is classic. That certainly should be a controlled "feature" by Apple.
Why am I not one bit surprised at this story? It's no different to any apps on anything. I'm sure it's exactly the same on all apps on things like Facebook etc...
Ah yes. The sound of a false sense of security being shattered.
I've always laughed when the Apple Fanbois talked about how Apple needs to control the store because, if it didn't, you'd have all these apps that steal your personal information. Apple checks these apps to make sure they're not doing anything untoward.
Well, it turns out that they're not checking after all--or at least not hard enough.
In my opinion, Apple should:
1. Create an installer so that anybody can install whatever Apps they want. This way, third-party developers don't have to get any approval from Apple. But Apple doesn't host, advertise, or do anything with their Apps.
2. If you want to be in the App Store, you submit to a far more rigorous examination, including source code. Appropriate NDAs will need to be negotiated between you and Apple.
3. Anyone who doesn't agree to the above is out of the App Store and on their own.
By doing #1, Apple is not ruining the application experience for those who are interested. In fact, it will generate a wider variety of Apps, versus the hundreds of fart Apps and tip calculators that clog up the store.
By doing #2, customers can choose to only shop at the App Store where they know it's safe, that applications have been reviewed, etc.
This was just waiting to happen, and finally it did. Platform providers like Facebook or Apple must give users more levels to tune their privacy preferences. Now apps just have too much power and some will no doubt try to exploit that.
Peter,
There's an installer for that, Cydia and Icy, and maybe other installers based on the Cydia system.
The only problem is, not all people would want to jailbreak their phone. Every time there's an OS upgrade, jailbreaking needs to be done with care.
Apple will be overloaded to also maintain this type of installer.