Add ability for apps to access privacy optimized identifiers from the address book

Originator: davbeck
Number: rdar://34109967  Date Originated:
Status:  Resolved:
Product: iOS  Product Version: iOS 11
Classification:  Reproducible: Always

Summary:
Many social apps ask for access to the contacts database in order to find friends already on the service. Such a feature helps both the service (which increases engagement which increases retention) and the user (who gets more value out of the service faster).

There is a way to implement this feature without actually sending the user's contacts database to the server. Instead, the app can hash the emails and phone numbers and send those hashes. However, there is no way for a user to know whether an app is doing that. Once they hit accept, the same app could also save that information to sell. Even if an app isn't using contact data for bad purposes, it may mishandle the data out of ignorance, leaking the information.

A better approach for everyone would be if iOS allowed apps access to already privatized, hashed contact info without an authorization prompt, or with a more limited authorization status.

Steps to Reproduce:
See https://theintercept.com/2017/08/27/hit-app-sarahah-quietly-uploads-your-address-book/ and https://www.theverge.com/2012/2/7/2782947/path-ios-app-user-information-collected-privacy

Expected Results:
The hashing would need to be a) app (or even device) specific and b) reproducible. Because the idea here is to match specifically against people who already have an account, the server already knows the emails and phone numbers it needs to find. So as long as the hashing followed a specific pattern such as SHA256(lowercased(email) + secret), the server could compute the same values and match them, assuming it had the secret.

The secret could be almost anything, and be uniqued on any number of axes, but should be made available to the app through something like CNContactStore.privacySecret.
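As an added illustration of the proposed flow (this is example code, not part of the report or of any Apple API), the following sketches both halves of the match: the client normalises each email and phone number and uploads only keyed hashes, and the server recomputes the same hashes for its registered users and intersects them. The per-app secret is a constructed placeholder standing in for the proposed CNContactStore.privacySecret, and the phone normalisation is a simplified stand-in for proper E.164 handling. One swap from the report's wording: the keyed hash is HMAC-SHA256 rather than a plain SHA256(identifier + secret) concatenation, because HMAC is the standard keyed construction; the matching logic is the same either way.

```python
import hashlib
import hmac
import re

# Hypothetical stand-in for the CNContactStore.privacySecret the report proposes.
# Constructed value; in the proposed design iOS, not the app, would supply it.
APP_PRIVACY_SECRET = b"constructed-per-app-secret-do-not-reuse"


def normalize_email(email: str) -> str:
    """Canonicalise an e-mail address so client and server hash identical bytes."""
    return email.strip().lower()


def normalize_phone(phone: str) -> str:
    """Reduce a phone number to '+' plus digits (simplified stand-in for E.164)."""
    digits = re.sub(r"\D", "", phone)
    # Constructed rule: treat bare 10-digit numbers as North American.
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def privacy_token(identifier: str, secret: bytes = APP_PRIVACY_SECRET) -> str:
    """Keyed, reproducible hash of a normalised identifier.

    The report proposes SHA256(lowercased(email) + secret); HMAC-SHA256 is used here
    instead as the standard keyed construction. Same secret + same input = same token.
    """
    return hmac.new(secret, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def tokens_for_contacts(contacts):
    """Client side: the only data the app uploads is this set of tokens."""
    tokens = set()
    for contact in contacts:
        for email in contact.get("emails", []):
            tokens.add(privacy_token(normalize_email(email)))
        for phone in contact.get("phones", []):
            tokens.add(privacy_token(normalize_phone(phone)))
    return tokens


def match_friends(uploaded_tokens, registered_users, secret=APP_PRIVACY_SECRET):
    """Server side: recompute tokens for known users with the same secret, then intersect."""
    index = {}
    for user in registered_users:
        for email in user.get("emails", []):
            index[privacy_token(normalize_email(email), secret)] = user["id"]
        for phone in user.get("phones", []):
            index[privacy_token(normalize_phone(phone), secret)] = user["id"]
    return sorted({index[t] for t in uploaded_tokens if t in index})


# Constructed sample data: a device address book and the service's user table.
DEVICE_CONTACTS = [
    {"emails": ["Alice@Example.com"], "phones": ["(555) 010-0001"]},
    {"emails": ["bob@example.com"]},
    {"emails": ["carol@example.com"], "phones": ["+1 555 010 0003"]},
]
REGISTERED_USERS = [
    {"id": "user-alice", "emails": ["alice@example.com"]},
    {"id": "user-carol", "phones": ["+15550100003"]},
    {"id": "user-dave", "emails": ["dave@example.com"]},
]

if __name__ == "__main__":
    uploaded = tokens_for_contacts(DEVICE_CONTACTS)
    print(match_friends(uploaded, REGISTERED_USERS))  # ['user-alice', 'user-carol']
```

Two properties of the report's design show up directly in the code. Reproducibility is what makes the intersection work: a server holding a different secret matches nothing, which is also why a per-device secret only works if the service can obtain each device's secret. And the scheme limits what the app and third parties see, not what the service can learn: phone numbers have little entropy, so anyone holding the secret can enumerate them, which is the caveat to keep in mind when deciding which axes the secret is uniqued on.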

Actual Results:
Users have to decide between giving an app unfettered access to their address book and missing out on a useful feature that could be harmless.
