An iPhone app that claims to help you "share life with the ones you love" is sharing a little bit too much information, a developer has discovered.
Path is described as a "smart journal" and is free to download in the App Store. However, it has emerged that the current version of the app uploads the entire contents of your address book and stores them on its servers.
Arun Thampi, a Singapore-based iOS developer, wrote on his blog that he discovered the issue by accident while implementing a Path Mac OS X app as part of a regularly scheduled hackathon hosted by Anideo, the company he works for.
"I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path," he wrote.
"Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands."
Dave Morin, the co-founder and CEO of Path, responded to the revelations on the blog post itself. While he accepted the allegations were true, he said that there was no underhand reason for doing so and that future versions of the iOS app would make this feature opt-in.
"We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more," Morin said.
"We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval."
However, other commenters on the blog weren't happy, pointing out that Apple's App Store guidelines appeared to have been broken. "I'd say that 17.1 and 17.2 of the approval guidelines specifically forbid what you are currently doing," wrote David Smith, who describes himself as an independent iOS developer.
"17.1: Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used;
"17.2: Apps that require users to share personal information, such as email address and date of birth, in order to function will be rejected."
Morin didn't respond to this point directly but did contribute to the thread again to insist that the company is working on an update. "We hope that the proactive steps we've been taking over the last couple of weeks on our Android client show we care deeply. We're hoping to have iOS 2.0.6 into the App Store process by the end of the week," he said.
Earlier in the thread, Morin offered to delete the data of anyone who has used the app. "If you would like your data deleted from our servers please contact our service team at firstname.lastname@example.org. We take this same policy for any of your data, if you'd like your account deleted, including all data, we're happy to do this as well."
UPDATE: The updated version of Path is now available in the iTunes App Store.