
Retrievable iPhone Numbers Raise Privacy Issue

kdawson posted more than 4 years ago | from the how-about-never-is-never-good-for-you dept.

Cellphones 146

TechnologyResource writes "When a couple of voicemails didn't show up recently, I thought nothing of it until a friend asked me if I'd gotten his message — people just don't call me that often. But the iPhone is indeed a phone, as some users are reportedly being reminded when they get phone calls from the publishers of a free app they've downloaded from the App Store. The application in question, mogoRoad, is a real-time traffic monitoring application. As invasive and despicable as that sounds, it raises another question: how did the company get hold of the contact information for those users? Mogo claims the details were provided by Apple, but Apple doesn't disclose that information to App Store vendors. French site Mac 4 Ever did some digging (scroll down for the English version) and determined it was possible — even easy — for an app to retrieve the phone number of a unit on which it was installed."

146 comments

So (1, Redundant)

sopssa (1498795) | more than 4 years ago | (#29585467)

as some users are reportedly being reminded when they get phone calls from the publishers of a free app they've downloaded from the App Store.

This was an interesting bit that wasn't explained anywhere in the article. What kind of phone calls do they get? Asking for user feedback of the app, marketing other products (maybe on other platforms)? Late night drunk calls?

But for that matter, I've always thought that phone apps have access to your number anyway. It just makes sense, same way that PC apps have access to your IP address and other personal data saved on the machine.

Not that it's that bad anyway. Many kinds of software need better access to the information to function. Answering machine software needs access to the phone book to show who called, or to make custom rules.

I don't think that the issue is really that the phone number and other data are available, but more on abusing said info. With Apple's really closed approach and the app store, it would probably be a good idea to send info about the abuse to Apple directly. Technically the apps require access to information to function.

As a side note, most of us probably think that "real-time traffic monitoring application" refers to internet traffic. I looked it up and it's actually about road traffic, not about internet stuff :)

Re:So (0, Offtopic)

CannonballHead (842625) | more than 4 years ago | (#29585483)

As a side note, most of us probably think that "real-time traffic monitoring application" refers to internet traffic.

Obviously this is OT, but ... wouldn't the context of an iPhone imply road traffic monitoring not network? hehe.

Tucker Max Fail (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29585515)

If there do end up being a lot of comparisons, it will go poorly, but not for us. The Hangover is probably one of the best comedies of the last ten years, but all that means is that comedy has sucked for ten years. The days of being able to pass off dogshit like The Hangover as great comedy end on September 25th. We are going to sweep in out of nowhere and shake up the comedy world. The bar will be raised.

And if you doubt me, that's cool. Stand in line behind all the other doubters--the ones who said I couldn't be a writer, or my website couldn't be a book, or my book wouldn't be a best seller, or I couldn't write a movie, or I couldn't get that movie made, or I couldn't get the movie distributed, etc, etc, etc. They have been wrong every time in the past, and they will be wrong this time.

I'm not even the cooletht one of my friendth

Re:Tucker Max Fail (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#29585817)

Tucker Max is a useless douchebag. That he has achieved such great success as a result of his drunken-asshole shtick is proof positive that American society contains a large number of semi-literate morons.

Worse than the stroking that Tucker Max's already-overinflated ego is receiving over all this movie-related publicity, even worse than the fact that he will further line his pockets as a direct result of his overgrown frat boy antics, is the fact that, thanks to this stupidass movie, every bar will be full of drunk guys acting like dickheads, trying to imitate their shitbag hero.

And you know at least a few airheaded, chlamydia-infected sorostitutes will spread their legs for the aforementioned dickheads, thus positively reinforcing their behavior.

Re:Tucker Max Fail (-1, Flamebait)

Mister Whirly (964219) | more than 4 years ago | (#29586283)

Tucker Max is like a retarded frat boy Borat, but who isn't joking.

What? (0)

Anonymous Coward | more than 4 years ago | (#29585615)

>> I don't think that the issue is really that the phone number and other data are available

Either you have to be that app developer, or (most possibly) another apple fanboi to come up with _that_ justification.

But don't you worry. Apple will get another pass. This time too.

Re:What? (0, Redundant)

sopssa (1498795) | more than 4 years ago | (#29585653)

That same data is available on every other platform too (Symbian and Windows Mobile I can confirm, but most likely on Android and Palm too)

Re:What? (2, Interesting)

Arimus (198136) | more than 4 years ago | (#29585765)

Android asks you to agree that the app you are intending to install can access a list of various services etc it is then up to you whether you agree or not, you can also revoke permissions for installed apps if you change your mind later.

Re:What? (0)

Anonymous Coward | more than 4 years ago | (#29585813)

That's incorrect. There's no way to retrieve user's phone number on Symbian. Well, other than calling or sending a text message to your number.

Re:So (5, Informative)

tonywong (96839) | more than 4 years ago | (#29585643)

I'd mod you down for not even bothering to RTFA, but claiming that it didn't say what the calls were about is a bit disingenuous.

From the very first link:
Several commenters on the store say theyâ€(TM)ve received phone calls from the company behind the application after they downloaded the free version, inviting them to shell out money for the full version.

Re:So (3, Funny)

tonywong (96839) | more than 4 years ago | (#29585667)

meh. of course the garbage in the post doesn't show up when you hit preview.../. please fix.

Re:So (1)

sopssa (1498795) | more than 4 years ago | (#29585751)

Ah, the part that was nicely removed from the summary while keeping the first 3 paragraphs the same.

As invasive and despicable as that sounds, it raises another question:

Makes more sense in that case too.

Re:So (1, Informative)

Anonymous Coward | more than 4 years ago | (#29585669)

Generally something that has "road" in its name or description is about roads, so a traffic monitoring program with "road" in its name is somewhat obviously about road traffic.

Re:So (1)

sopssa (1498795) | more than 4 years ago | (#29585781)

You might like to take a look at the names that PC apps have too. Sometimes the name is completely off from the actual usage of the app, or is some twist to refer computer thing to a real world "equivalent"

Re:So (0)

Anonymous Coward | more than 4 years ago | (#29585857)

BS! I have never seen an application that is not completely clear on the name. More so for tech start ups. They are always clear cut names for the products or services they offer. Prove me wrong, I dare you.

Re:So (0)

Anonymous Coward | more than 4 years ago | (#29586063)

Grand Central Dispatch. Train conductor, I think not.

Re:So (1)

Yert (25874) | more than 4 years ago | (#29586395)

Microsoft Works.
Propellerheads Reason.
Autodesk Maya.
Mozilla Firefox.
Adobe Acrobat.
Intuit Quicken.
Oracle 8i.

....and I just realized that you're using sarcasm to make a point. I, however, am dense, so the point didn't get through... doh!

Re:So (3, Insightful)

sadness203 (1539377) | more than 4 years ago | (#29585949)

It's more akin to a PC app getting your e-mail address and sending you spam.
With an IP address, there's not a lot of things a publisher could do, except if it wants to build a botnet.

Re:So (1)

Ritchie70 (860516) | more than 4 years ago | (#29586873)

I have to agree.

I would have assumed an iPhone app could access the phone's basic configuration.

It's just bad manners on the part of the app vendor to call for anything short of some sort of emergency.

Of course, as they say, there's no such thing as a free lunch. Looks like that applies to free apps too.

Re:So (1)

z0idberg (888892) | more than 4 years ago | (#29587803)

But for that matter, I've always thought that phone apps have access to your number anyway. It just makes sense, same way that PC apps have access to your IP address and other personal data saved on the machine.

In my opinion a smart phone is a phone AND its also a computer/internet portal, not the two combined. There is no reason for the two to be linked or to share information. It's more like your PC apps having access to your IP address and also your street address (or even your home phone number). The two don't need to be (and shouldn't be) linked.

Sure it is possible to link the two together if needed by law enforcement or something, but it definitely shouldn't be available all the time.

Re:So (2, Insightful)

BattleApple (956701) | more than 4 years ago | (#29587839)

Just because an app needs access to your phone number doesn't mean the developer needs access to it.

You Think That's Bad? (5, Funny)

eldavojohn (898314) | more than 4 years ago | (#29585497)

That's nothing. You can use the Core Location Framework [apple.com] to figure out where they are. So I sold an application to celebrities only that shows them where the paparazzi are, it's called iAvoidPaparazzi. Then iAvoidPaparazzi sends my server their location which gets fed into another application called iMolestCelebs that I sell to tabloids and paparazzi. Then their information comes back to my server and gets fed out to iAvoidPaparazzi. Yeah it took me a few weeks to prime the pump so to speak but once this gets rolling I'm sure I'll make some huge bank off of it ... at least until I get shutdown after I take the heat for a few Princess Dianas. *sigh* A man can't make an honest living these days ...

Re:You Think That's Bad? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#29585589)

That's actually the point: when an app makes use of the CoreLocation framework, an alert is displayed automatically by the iphone to request the user's permission to get his location. It should be the same when an app tries to access the user's personal data. mmmh…

Re:You Think That's Bad? (3, Informative)

ZackSchil (560462) | more than 4 years ago | (#29585591)

I get the whole racket thing, and it's a joke, etc, etc, but it's worth noting that you can turn the entire Core Location framework off on a system-wide basis. You just go in to Settings->General and turn off "Location Services".

Re:You Think That's Bad? (2, Interesting)

MBCook (132727) | more than 4 years ago | (#29585763)

Plus, the first time an application tries to use it, the iPhone pops up a little notification asking you for your permission.

Re:You Think That's Bad? (1)

Threni (635302) | more than 4 years ago | (#29585787)

Plus, it's just a phone call, on your phone. Let's not get this out of proportion - I can think of worse things than getting a phone call. Have a little fun - shout and swear down the phone; make wild promises to buy stuff but pull out at the last minute with a stupid excuse etc; if you have kids, get them to answer it and talk nonsense to them until they hang up etc. It works for me.

Re:You Think That's Bad? (0)

Anonymous Coward | more than 4 years ago | (#29585889)

Unless of course your carrier charges to receive calls/txts.

Re:You Think That's Bad? (2, Interesting)

sopssa (1498795) | more than 4 years ago | (#29586055)

Which, interestingly, is only a problem in US. In every other country the caller pays for the call/sms.

Re:You Think That's Bad? (1, Informative)

Anonymous Coward | more than 4 years ago | (#29586233)

Don't forget Canada! We're as backwards as the US when it comes to cell phone carriers, only they charge us even more.

Re:You Think That's Bad? (2, Funny)

adolf (21054) | more than 4 years ago | (#29586321)

That's just because nobody actually lives there.

Re:You Think That's Bad? (2, Informative)

Khyber (864651) | more than 4 years ago | (#29588235)

Yup, it's the same 100 people using proxies in Canada to post to slashdot!

Re:You Think That's Bad? (2, Interesting)

Ilgaz (86384) | more than 4 years ago | (#29586501)

There is a hoax running especially in Europe, +358 or similar number, similar to Italy code (+35). Once you get a "ring" from that line or tricked calling it, your phone bill will be doomed. I speak about thousands of dollars (euros) here and you can't get that money back.

They can't filter the number too since telecom system only allows +35**** to be banned, which would mean Italy would get blocked.
Problem of these guys was finding juicy rich people. Just imagine some iphone freeware vendor supplies it to them, a good database of iphone owners.

I can't believe people trying to justify "freeware" vendors access to phone number. It is totally impossible on other smartphone operating systems, on Symbian you can't even dare to try it.

Re:You Think That's Bad? (2, Informative)

Kalriath (849904) | more than 4 years ago | (#29587667)

I can't believe people trying to justify "freeware" vendors access to phone number. It is totally impossible on other smartphone operating systems, on Symbian you can't even dare to try it.

Incorrect. Symbian will allow it if you're Symbian Signed®, and Windows Mobile allows it by default. Not sure about Blackberry OS.

Re:You Think That's Bad? (2, Insightful)

Threni (635302) | more than 4 years ago | (#29586637)

Exactly. Who in their right mind would want to pay for incoming calls? Bizarre? Doesn't the first company which charges YOU for the calls YOU make and doesn't make you pay for spammers and cold callers wasting your time get to pick up just about every mobile user in the States??

Re:You Think That's Bad? (1)

tengwar (600847) | more than 4 years ago | (#29586993)

I know it sounds odd, but there is a small market for just that in the UK. I work for a mobile phone company, and I have two phone numbers. One is a normal mobile phone number, and you pay to ring it as usual. The other is a "landline" number - you pay at landline rates to ring it, and my company picks up the difference. There's also some fairly sophisticated PABX functionality on the "landline" number - hunt groups, black/white listing, out of hours handoffs etc. Personally I never use it, but some customers do find it useful.

No problem... (1)

denzacar (181829) | more than 4 years ago | (#29585923)

Just have the app demand the Location Services to be on.
How and why? Make that a necessary requirement for sending your "friends" "gifts", such as "teddybears", "kittens", "kisses", "pokes" etc.
You know... like on Facebook.

Re:You Think That's Bad? (0)

Anonymous Coward | more than 4 years ago | (#29587931)

Repeating "etc" is pointless, I don't know where certain people pick up this dumb habit.

Re:You Think That's Bad? (0)

Anonymous Coward | more than 4 years ago | (#29585739)

I think you should release the two apps under different provider names on the app store and have them appear to be completely different and separated from one another. This should make it difficult for the users to see something like "Other apps from ..."

Re:You Think That's Bad? (1, Redundant)

fermion (181285) | more than 4 years ago | (#29585779)

On my iphone, anytime an app wants to use my location I get a request to allow it to so do. If any app that uses the location service I know that it is happening. This is in fact what apple is supposed to be protecting us for in exchange for us agreeing that the iTunes App store is a good idea. Developers have to obey certain rules, and the user has some protection against malware.

So if this is happening, then it is a failure on Apple's part. We do expect data on our phones to be private, and for Apple to protect that privacy.

Of course, one wonders if the phone number is private. If we make a call, that phone number is transmitted to the person we are calling. If we install an app on the iPhone, while all items on the phone we can expect to be private, I think a case can be made for and against the phone number. Of course, if there was no reason for the app to need the phone number, I would expect apple to vet for such code used to get the phone number. In this case, I can't see why they would need the number, but I don't see how it is despicable. I guess some people are just so frugal and introverted that any use of their time or minutes results in a temper tantrum, like some arrogant teenager when the unwashed have the audacity to talk to them.

Re:You Think That's Bad? (3, Insightful)

BobMcD (601576) | more than 4 years ago | (#29586217)

I guess some people are just so frugal and introverted that any use of their time or minutes results in a temper tantrum, like some arrogant teenager when the unwashed have the audacity to talk to them.

And you'd be right in a tiny fraction of the population's cases. For the majority, however, a better guess would be that were they asked to provide their iPhone number to the vendor, they would have declined to do so. However since they were not asked and the app took the number any way, they were understandably aggravated.

It isn't the phone call that is important at all. It is the power to decide, and with whom that power ultimately rests.

And if you genuinely cannot see that, I can only hope you do not live in the same democracy that I do...

Re:You Think That's Bad? (1)

R3d M3rcury (871886) | more than 4 years ago | (#29587957)

If we make a call, that phone number is transmitted to the person we are calling. If we install an app on the iPhone, while all items on the phone we can expect to be private, I think a case can be made for and against the phone number.

When I make a call, I understand that the person will receive my phone number. When I play a game of backgammon, I don't expect my number to be harvested. Tell you what--if you don't think this is a big deal, go ahead and post your phone number here on slashdot.

I've been amused recently as the iPhone Fanbois go on and on about how the App Store is such a great thing because Apple will protect their private information.

Re:You Think That's Bad? (1)

Absolut187 (816431) | more than 4 years ago | (#29586085)

My iPhone asked me if I want to let the app use my location. (e.g. when I'm using google maps).
So apparently that is just to make me feel warm and fuzzy, and the app security is really non-existent?

Re:You Think That's Bad? (1)

Jaktar (975138) | more than 4 years ago | (#29586265)

Does it ask every time you use google maps? Does it call itself Universal Access Call, or UAC for short? Just curious.

Re:You Think That's Bad? (0)

Anonymous Coward | more than 4 years ago | (#29587495)

Nice Vista reference, man.

Apps use this all the time... (2, Informative)

volxdragon (1297215) | more than 4 years ago | (#29585563)

At least one server-based game I was looking at a network capture for was using the phone number as the login/authentication information to their server....rather stupid as it meant that anyone able to guess iPhone phone numbers would be able to hack other users' accounts of the game...WHOOPS!

Re:Apps use this all the time... (1)

sopssa (1498795) | more than 4 years ago | (#29585627)

Was it only the phone number that was used to auth, or some other info like phone id etc along it? No user password?

If it was just phone number, that's pretty stupid. But if you include some phone specific id as well, it makes it a little more secure. Granted, some other app could generate the same id when installed, but with Apple's closed approach that is a little bit harder and you would need to get the both apps installed on same phone.

However that just shows that in some people's minds extreme convenience goes further than good security.

Re:Apps use this all the time... (1)

beelsebob (529313) | more than 4 years ago | (#29586079)

It can't have only been the phone number, after all, these apps all run on iPod touches as well.
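The login design discussed in this subthread, next to a variant in which the phone number only names the account and the server issues a random secret at registration. This is an added example, not code from the game or from any poster; the class names and the phone numbers (fictional 555-01xx range) are constructed for illustration.

```python
import hashlib
import hmac
import secrets


class PhoneOnlyServer:
    """Pattern described in the thread: the phone number is the whole credential."""

    def __init__(self):
        self.accounts = set()

    def register(self, phone: str) -> None:
        self.accounts.add(phone)

    def login(self, phone: str) -> bool:
        # Anyone who knows or guesses a registered number is accepted.
        return phone in self.accounts


class TokenServer:
    """The phone number identifies the account; a server-issued secret authenticates it."""

    # Compared against when the number is unknown, so both paths do the same work.
    _DUMMY = hashlib.sha256(b"no such account").digest()

    def __init__(self):
        self._token_hashes = {}  # phone -> SHA-256 of the issued token

    def register(self, phone: str) -> str:
        if phone in self._token_hashes:
            raise ValueError("number already registered")
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        # Only the hash is stored, so a leaked account table yields no usable tokens.
        self._token_hashes[phone] = hashlib.sha256(token.encode()).digest()
        return token  # the app keeps this in its private storage

    def login(self, phone: str, token: str) -> bool:
        presented = hashlib.sha256(token.encode()).digest()
        stored = self._token_hashes.get(phone)
        known = stored is not None
        # Constant-time comparison; unknown numbers are compared with the dummy hash.
        matches = hmac.compare_digest(stored if known else self._DUMMY, presented)
        return known and matches
```

With the second design, knowing a subscriber's number gets a caller no further than naming the account.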

Invasive? (0)

Anonymous Coward | more than 4 years ago | (#29585605)

The application in question, mogoRoad, is a real-time traffic monitoring application. As invasive and despicable as that sounds

Wait.. why?

Re:Invasive? (1)

sopssa (1498795) | more than 4 years ago | (#29585675)

It's not about internet traffic, but road traffic data. I would guess the application sends your location to a server which in return sends traffic data back about the surroundings. I didn't find English site tho, so might be wrong.

Not that it's really invasive anyway if the user wants that kind of app.

Re:Invasive? (1, Informative)

Anonymous Coward | more than 4 years ago | (#29585921)

I know, I had to read it a few times as well. The way over the top reaction wasn't to the immediate prior sentence. It was to two sentences before. When I finally realized that the submitter flew off the handle about receiving solicitous phone calls from the company that published a free app these people had downloaded, I too, was a little ticked off at the thought of it. Of course, it wasn't until I got over the smugness of the submitter wasting my time with the whole discussion about how so few people actually call him anymore. What a douche.

My first reaction was, "why is a company burning these people's minutes?" followed by, "I thought it was illegal for businesses to make solicitation calls to cell phones" then followed by "I can't believe this smug little douchey asshole didn't register his cellphone on the Do Not Call Registry" eventually ending with, "Ahhhh, they downloaded the app, so perhaps that can be construed into their having 'a business relationship' with the vendor, thus meeting the minimum requirements for making solicitation calls."

Regardless, it's still never legal to call a cellphone for the purpose of solicitation. Long story short: the submitter is probably an ESL speaker and doesn't understand the basic rules of English.

More (0)

Anonymous Coward | more than 4 years ago | (#29585613)

More kdawson FUD?

Likely withdrawal from App-store? (1)

FrostDust (1009075) | more than 4 years ago | (#29585625)

While it's rather skeevey to not make it clear to users what data your program gathers and uses, it's not clear whether this violates any of Apple's developer agreements.

At least, according to the rules that Apple seems to go by...

Where's the mainstream media? (4, Interesting)

Stoutlimb (143245) | more than 4 years ago | (#29585639)

What are the chances that mainstream media would ever do this kind of investigative journalism? Or take seriously this kind of investigation done by an individual. Mainstream media like newspapers always claim that they have the upper hand over bloggers because they can do serious investigation.... but concerned people with time on their hands far outnumber journalists. This is a great example of that... and it's very telling that no mainstream news has yet to carry this.

And I think it's serious, because I'm sure this violates a few laws, at least in my country.

Re:Where's the mainstream media? (5, Insightful)

Goaway (82658) | more than 4 years ago | (#29585853)

This kind of investigative journalism? The kind that puts confusing and irrelevant babble about phonecalls from friends at the start of the article? I'd hope those chances are pretty low.

Re:Where's the mainstream media? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#29587883)

Just goaway. fucking fanbois.

Re:Where's the mainstream media? (0, Redundant)

plastick (1607981) | more than 4 years ago | (#29585985)

Awesome post!

Suck on this (1)

way2trivial (601132) | more than 4 years ago | (#29586289)

http://projects.nytimes.com/toxic-waters [nytimes.com]
and try your home zip here
http://projects.nytimes.com/toxic-waters/polluters [nytimes.com]

how many bloggers are going to amass that kind of data
and which reporting affects people more, and matters more.

OOH-- my ipod tells on me!
frick- my kids have liver disease....

Not just your phone number (1)

electricalen (623623) | more than 4 years ago | (#29585657)

iPhone applications can retrieve ALL information from your phonebook including names, addresses, and phone numbers. It does not need your permission either, there is no confirmation popup like with the location functions.

Applies only to jailbroken devices? (0)

Anonymous Coward | more than 4 years ago | (#29585673)

The Ars Technica article linked in the OP says that this applies to jailbroken iPhones. Further, some of the comments to that article say that they weren't successful in replicating on a non-jailbroken device... If you've jailbroken the device, who's to say that you might not get some unintended consequences like this?

Re:Applies only to jailbroken devices? (3, Insightful)

sopssa (1498795) | more than 4 years ago | (#29585769)

The Ars Technica article linked in the OP says that this applies to jailbroken iPhones.

It doesn't say it applies to only jailbroken iPhones, it says it's easy to see with a jailbroken iPhone (since you can find the directory then)

Both jailbroken and non-jailbroken can access it tho.

Re:Applies only to jailbroken devices? (1)

tylersoze (789256) | more than 4 years ago | (#29585825)

Yeah here's the API. http://www.cocoadev.com/index.pl?ABAddressBook [cocoadev.com]

I use the API in a couple of my apps actually to allow the user to select an e-mail contact.

I would expect (1)

mdarksbane (587589) | more than 4 years ago | (#29585729)

An application you installed on a system to be able to access the data on that system.

Now, should the offending app get pulled from the store? I should hope so. I would think that the developer agreement to get on the app store includes something about making proper use of that data.

Here's something you should be worried about, too - any app you install on a computer can access your address book on that computer! In fact, there are public API's to make it easy! OMG!

Re:I would expect (1)

coolsnowmen (695297) | more than 4 years ago | (#29586633)

not if that app is run under credentials that don't have access to that address book. That sounds silly for an iphone, but that is exactly why internet facing applications on my box run as their own user and not root/myuser. Apache runs with Apache privileges.

Re:I would expect (0)

R3d M3rcury (871886) | more than 4 years ago | (#29588023)

Yes, any App I install on my computer can do the same thing.

But you see, the beauty of the App Store is that Apple protects me from all of this--at least according to the fanbois. Why, without the App Store, according to them, our phones would be awash with viruses and trojan horses that did all sorts of scurrilous things to us. That's why Apple has to have its own App Store!

Looks like the fanbois are going to start running out of excuses...

Need your phone number stolen? (5, Funny)

secretvampire (622660) | more than 4 years ago | (#29585731)

There's an app for that.

Huh? (2, Interesting)

Chad Birch (1222564) | more than 4 years ago | (#29585747)

Does anyone understand how the first sentence of the summary is supposed to relate to this story at all?

Good job tagging it "coolstorybro" though, whoever did that. You made me laugh.

Re:Huh? (1)

Sir_Dill (218371) | more than 4 years ago | (#29586103)

Agreed.

This is a poorly written submission with extraneous "information" that has little to nothing to do with the actual story

Android permission model FTW (1, Offtopic)

burritozine (1573883) | more than 4 years ago | (#29585797)

This is a real-life example of how the Android permission model is pretty well thought-out. Any time you install an app from the Market, you're presented with a list of all the hardware and software resources that it utilizes. Installing a tip calculator? When you see that it needs permission to read/write contact data, access your location and have full internet access, some giant red flags should go up. True, you can't tell what exactly the app is actually doing with those powers you've granted it, but it definitely helps highlight potential shenanigans. An Android-style system could have helped identify this app as a potential privacy risk. What, exactly, does a real-time traffic app need my contact info for?

Re:Android permission model FTW (1)

sopssa (1498795) | more than 4 years ago | (#29585967)

It's not actually Android's permission model, this has been the case with Symbian since 9.0 too. When you're installing an application, it shows you what services it uses and what data it can access.

That being said, I don't like the need for certification of apps on Symbian. But not like it's really better on iPhone either.

Re:Android permission model FTW (4, Interesting)

w3woody (44457) | more than 4 years ago | (#29586107)

Please.

The Android permissions model works if you are a geek and have the correct magic decoder ring to understand the permissions being asked for. But most people are going to blow through those settings the same way that they blow through the Windows Vista UAC alerts.

I know: the company I'm working for is currently shipping on the Android Marketplace an application which explicitly requests the "Phone calls (read phone state)" and "Services that cost you money (directly call phone numbers)" states--and that hasn't slowed our adoption rate one whit.

(The first is so we can read the IMEI to generate a unique identifier--which is ultimately generated as a one-way hash. The one-way hash makes it impossible for us to go back from the UUID to a specific user or phone--and it works that way because I put my foot down. (Our Prod Manager wanted the user's phone number--to which I responded "No frakkin' way. Fire my ass first.") The second is so when the user asks for more information on a particular business found in our app I can dump him into the telephony application with the phone number pre-loaded. But we do not actually initiate the phone call; the user has to press the "call" button, despite having an API to initiate the phone call ourselves. Again, I put my foot down here--before I suck your minutes I want to know that was what you really wanted.)

Yes, we don't do anything bad. But it's not because the Android permission model slowed us down one microsecond. Thus far we've shipped over 175,000 copies. No; it's because I put my foot down--and I can see that for someone not as stubborn as me, it would have been easy for us to capture the location and phone number of 175,000 users and track where they were while they were using our app in real time.
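A sketch of the identifier derivation described in the comment above, as an added example rather than the commenter's or their company's code. It uses HMAC-SHA256 with a per-application key (an assumption; the comment says only "one-way hash") so that two apps derive unrelated identifiers for the same handset; `APP_KEY`, the function names and the sample IMEI are constructed.

```python
import hashlib
import hmac
import uuid

# Hypothetical per-application key; a real app would generate its own random value.
APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

SAMPLE_IMEI = "49-015420-323751-8"  # constructed sample with a valid check digit


def luhn_valid(digits: str) -> bool:
    """Luhn check used for the 15th IMEI digit."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_imei(raw: str) -> str:
    """Strip display separators and reject anything that is not a well-formed IMEI."""
    digits = raw.replace("-", "").replace(" ", "")
    if len(digits) != 15 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("IMEI must be 15 decimal digits")
    if not luhn_valid(digits):
        raise ValueError("IMEI check digit does not match")
    return digits


def install_id(raw_imei: str, app_key: bytes = APP_KEY) -> str:
    """Derive a stable identifier; only this value, never the IMEI, leaves the handset."""
    mac = hmac.new(app_key, normalize_imei(raw_imei).encode("ascii"), hashlib.sha256)
    # Truncate to 128 bits and print in the familiar 8-4-4-4-12 layout.
    return str(uuid.UUID(bytes=mac.digest()[:16]))
```

The same handset always maps to the same identifier under one key, while a second app with its own key gets a value that cannot be matched against the first.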

Re:Android permission model FTW (1)

R3d M3rcury (871886) | more than 4 years ago | (#29588107)

I don't entirely agree that most users will "blow through them", but I understand that some will.

Obviously, it's a social engineering problem.

As the GP pointed out, if a tip calculator needs access to the Internet and your address book, you can legitimately say something here is amiss. If a program that sends free SMS messages needs your phone number, I'm not sure if that's legitimate or not. It seems like it would be. And even if they do need it to send SMS messages, what they do with it after that is unknown to you. They can sell it off to a telemarketing company if they so desire and there isn't a whole lot you can do about it.

Other phones allow this (1, Troll)

gilesjuk (604902) | more than 4 years ago | (#29585811)

Come on, other phones allow this.

What next? stop an application from accessing the phone book?

I'm sure your usual computer is vulnerable too, what is stopping some software stealing all your email addresses?

Re:Other phones allow this (2, Insightful)

roothog (635998) | more than 4 years ago | (#29585961)

Software that steals email addresses is called "malware" and isn't sold at a marketplace managed by the OS vendor.

Re:Other phones allow this (2, Insightful)

Ilgaz (86384) | more than 4 years ago | (#29586417)

There isn't a single other phone allowing this. On Symbian, you can't simply make your app "call" a number or send a sms without user getting a huge warning on screen.

Gathering phone numbers can be done only that way, there is no central "app store" which leaks user phone numbers.

I believe J2ME apps can't even try to do such sms/dial thing if they don't have a security cert.

These issues were fixed almost a decade ago, Apple ignored all the hard work done by others and rolled their own control freak store. This is just one of the results. I also saw couple of idiot developers on digg.com bragging about they know every user running their application and pirating it. That is one more scandal waiting in line to unearth.

Re:Other phones allow this (1, Redundant)

UnknowingFool (672806) | more than 4 years ago | (#29586603)

There isn't a single other phone allowing this. On Symbian, you can't simply make your app "call" a number or send a sms without user getting a huge warning on screen.

That's not my interpretation of the situation. The iPhone isn't being turned into some sort of botnet. If you download certain free apps on the iPhone, the app is accessing the phone number of the phone and sending it back to the company that made the app. The company then is calling the iPhone number trying to convince the user to pay for a full version. From what I understand, allowing an application to access the phone number has been in many APIs in other phones. Whether they should without the user's permission is another story.

Confirm personal data sharing? (2, Insightful)

codeonezero (540302) | more than 4 years ago | (#29585819)

As much as this may be on Apple, any good software developer should be asking the user for authority to share/access that information to begin with, especially if it's going to lead to sales calls down the line. Since it looks like mogoRoad didn't (at least there's no mention of this anywhere) it's telling that they really don't care about user privacy.

Apple could probably solve this by encapsulating any data on the iPhone with a framework that forces UI authorization before any app on the iPhone is allowed to access information.

Similar functionality on other devices (2, Informative)

zn0k (1082797) | more than 4 years ago | (#29585841)

I was curious if this was possible on other devices. Seems like all the big ones have some API functionality to retrieve similar information:

- http://docs.blackberry.com/en/developers/deliverables/8540/Retrieve_phone_number_BB_device_565546_11.jsp [blackberry.com] Blackberry

- http://blogs.msdn.com/windowsmobile/archive/2004/11/28/271110.aspx [msdn.com] Windows Mobile

- http://www.forum.nokia.com/infocenter/index.jsp?topic=/S60_5th_Edition_Cpp_Developers_Library/GUID-3EB7E846-A29F-4546-B04D-A90B009903EF.html [nokia.com] Symbian (while on casual inspection there appears to be no function to retrieve the phone number, you can retrieve the IMEI, and be notified on events such as phone calls, at which point you can retrieve the caller ID as well as the dialed number)

- http://developer.android.com/reference/android/telephony/TelephonyManager.html [android.com] Android (requires permissions be granted to the app)

Why is that an app? (-1)

blair1q (305137) | more than 4 years ago | (#29585891)

Every time I hear of an iPhone app-store app that I hadn't heard of before, it reminds me of a web-based service or tool that I can get on my browser-enabled phone.

So what, exactly, is the point of the app store, if the iPhone has a web browser, and the web has all of the apps I've heard of?

Re:Why is that an app? (1)

sopssa (1498795) | more than 4 years ago | (#29585987)

Because you can't install apps from elsewhere than the app store - unless you jailbreak your phone, but that comes with problems too and the fact you have to do it. Windows Mobile is a lot more open in this matter, since you can install your .cab file no matter where it came from, and you're not restricted to the app store.

Re:Why is that an app? (1, Informative)

Anonymous Coward | more than 4 years ago | (#29586259)

He's referring to web applications, not local applications. But thanks for playing, Bill.

Re:Why is that an app? (1)

roothog (635998) | more than 4 years ago | (#29585991)

So what, exactly, is the point of the app store, if the iPhone has a web browser, and the web has all of the apps I've heard of?

Yes, everyone in the entire world uses only the apps that you use. It's inconceivable that other people might use their mobile devices differently than you.

Re:Why is that an app? (1)

c_forq (924234) | more than 4 years ago | (#29586119)

Interface. To me that is asking a question akin to "I have a scrolling device and a button, why do I need all these other keys?". I can just scroll to character I want and select it! Plus I don't think you can use all of the corelocation features, or the coregraphic features, or the coreaudio features, with a web app.

Re:Why is that an app? (1)

rqg (1413223) | more than 4 years ago | (#29586205)

Ever used your web-based service on a plane? Or on the tube? Or in a place without network coverage? Not to mention, that it's a lot faster to use native applications. Also, I've never encountered a web VNC client.

Re:Why is that an app? (1)

MogNuts (97512) | more than 4 years ago | (#29586339)

I've been thinking the same thing for a looong time. Why bother with a map app--point your browser to mapquest. Why bother with search apps--point your browser to google.com. I think this is just the result of great marketing and people being dumb, versus common sense.

If anything, they should make mobile browsers better and support pages better (e.g. Slashdot on mobiles is *awful*). That would solve the whole problem and eliminate the need for this junk.

The only apps I can think of that need to be apps would be something like Pandora or a Myspace. Then again I'm not sure--it could render well on Opera Mobile...

Don't touch that button (3, Insightful)

MrKaos (858439) | more than 4 years ago | (#29586005)

If Apple really did care about your privacy then the functionality just would not exist, and at best it would be a hack. As it stands it's just an undocumented feature.

It's great to rely on 'developer integrity' and all ya' know, but those developers are motivated by a need to generate a return. It's hard for anyone to expect a management team *not* to instruct a development team to extract said information and feed it into a marketing team. I've got two ideas for iPhone applications iWantYourMoney and iWantYourInformation supported by the iPwned you framework.

Seriously people it's like putting a 9 year old in front of a big red button with a sign under it saying 'Do not press this button' and saying to the kid 'Don't touch that button kid'. I'd expect the management teams to be saying 'what other user information can you extract'.

Re:Don't touch that button (1)

Trillan (597339) | more than 4 years ago | (#29586935)

Your analogy is flawed, in that there is no button.

That's not to say Apple shouldn't secure this. They should. But there's no button, and there's no sign. Undocumented means someone has poked through data downloaded from an unlocked phone to find where the phone number is stored.

Re:Don't touch that button (1)

MrKaos (858439) | more than 4 years ago | (#29588353)

Your analogy is flawed,

fair enough. Telling the kid that there might be a present up in that wardrobe somewhere and not to look for it. I was just making it up as I went along. But implementing that functionality inside the ifone would have taken a series of overview meetings, management decisions, implementation meetings and developer resources to achieve.

The bottom line is the functionality was there to be discovered as opposed to not there to be discovered. As such the discussion is about "securing the functionality" not about how to implement the functionality. It shouldn't be 'surprisingly easy' for an application to extract that data and transmit it.

Apple still didn't care about their users' privacy, *they* were selective about who *they* decided *they* were going to share user with. From my limited understanding of the Android API it's a lot harder to extract that information from the google platform.

there is no button

There is no *spoon*

Cool story brah (1, Funny)

Anonymous Coward | more than 4 years ago | (#29586065)

"When a couple of voicemails didn't show up recently, I thought nothing of it until a friend asked me if I'd gotten his message — people just don't call me that often."

wtf does this have to do with anything?

"But the iPhone is indeed a phone..."

Glad you set that up for us.

Another reason to (not) pirate? (1)

tlhIngan (30335) | more than 4 years ago | (#29586253)

It's well known that apps can detect when they've been pirated on the iPod Touch and iPhone (it's completely detectable, and works 100% since DRM'ed versions should not have the extra entries). In fact, these apps have been known to report back to the host practically everything about the device - UUID and other things (it was posted in one of the forums how to do this, and what you should do if you detect it).

Funny enough, the crackers have also discovered the apps doing this and work around it...

Nothing New Here (4, Informative)

leapis (89780) | more than 4 years ago | (#29586299)

I have written applications on just about every smartphone platform, and I have never met an API that did not have the ability to query the phone number of the device. Assuming you have a data plan (in many cases, the only way to get the app in the first place), it's a tiny amount of code to post that information to a web page the first time the application runs. Some platforms, such as the Android, do indicate when an application has access to use the Internet, but it's not trivial to find out exactly what information is going back and forth.

This issue has always been there, and is no more of a problem on an iPhone than other similar platforms.

Re:Nothing New Here (1)

Santzes (756183) | more than 4 years ago | (#29587015)

There usually is an API to query own phone number from the SIM, but I've never seen a SIM card with own number saved. It has just been empty on operators I've used. I don't know about SIM cards issued by operators in USA though.

Re:Nothing New Here (1)

jacers2002 (1643823) | more than 4 years ago | (#29587811)

But would it not be illegal for the company of the application to call you? I would think it falls under the telemarketing act where companies can't call your cell phone. If it does not fall under this then I think a law needs to be created. I know I wouldn't like a company to call me after I downloaded their application. It's kind of like the same as then emailing you after you buy something.

Because you can doesn't mean you should (1)

topham (32406) | more than 4 years ago | (#29586319)

Because you can, doesn't mean you should.

You ask the user for their identifying information, if they don't willingly give it, you stop there.
Period. Anything else is a great way to get permanently blacklisted. Seriously stupid mistake.
(Never mind that in North America solicitation calls on a cellphone are seriously frowned upon)

Where's the official reaction? (0)

Anonymous Coward | more than 4 years ago | (#29586371)

Okay, so applications have access to phone number & address book, but sending that private information back to the application developer crosses the line drawn by the Apple Customer Privacy Policy.

That's cracking - this should qualify as illegal anywhere that has cracking legislation. Also it breaks the in-house rules, so Apple should have yanked it from the App Store already. That's the whole point of App Store - to give them control over what goes on the phone.

This is Apple's problem, and they should press charges while they're at it.

Explicitly unacceptable application behavior (1)

cybereal (621599) | more than 4 years ago | (#29587129)

This behavior is explicitly unacceptable. The fact that it has been done is a failing of the app review process. It's also possible that the developers went to great lengths to hide this behavior (such as setting it up to only happen when a particular flag is flipped on on the server so that it wouldn't happen during review processes.) As a registered iphone developer who actually reads his agreement documentation, I can assure you this particular issue is specifically addressed. The application in question must make a best effort to ask the user's permission about divulging data from the device, of any kind, to a remote server. They also must make a best effort to do so securely.

Any violation of that requirement is grounds for app store rejection. I'll be surprised if this app isn't pulled right away, unless of course, it explicitly asks your permission to do what it's doing, in that case, I'm not at all shocked at slashdot posting a non-news story of an app doing what it says it will do.

I guess we'll see.

....people just don't call me that often (2, Funny)

mevets (322601) | more than 4 years ago | (#29587551)

.... and the iPhone fixed that. Is there anything that phone can't do?

Some dumb guy (0)

Anonymous Coward | more than 4 years ago | (#29587557)

Any desktop app can grab your address book info and send it on, too. This is what happens when you use other people's software. It's hardly unique to the iPhone.

wait a minute here (1)

joocemann (1273720) | more than 4 years ago | (#29587587)

if the company states that Apple gives them the information, and that turns out to be untrue... can we get a hearing for deliberate deception or fraud here?

How about a moment of honesty here.

Let me guess, supreme court rulings support the ability of businesses to deceive people.

ugh... we need a revolution.

Au Contraire!!! (1)

jddeluxe (965655) | more than 4 years ago | (#29587895)

Virtually EVERY development ecosystem, "smartphone" or not, to include most all cellular handset J2ME implementations have some sort of "sysinfo"/"sys_parameters" API from which you can extract the MDN (number) of the handset on which the application is being run.

If you don't understand WHY, you're too stoopid to comment on this thread..

So it's NOT like some nefarious plan from Apple...

Look, but don't touch (1)

spaceyhackerlady (462530) | more than 4 years ago | (#29588165)

Every mobile platform I've ever used gives applications read-only access to basic phone parameters. There is nothing new here. Knowing your phone number, knowing battery status, knowing if you're in coverage - all useful information. What the developers are doing with it in this case is highly questionable, but it's always there.

Actually manipulating the call progress from an application is a privileged operation, as it should be. I encountered this in a Brew application where I wanted to examine the caller ID on incoming calls. I couldn't programmatically reject the call (privileged!), so I programmed the other end to let the phone ring a couple of times then hang up.

...laura
