Path’s popular social network app might seem like a fun way to share moments, but developer Arun Thampi has discovered that all may not be as it seems. Thampi discovered (via iMore) that Path uploads your entire iOS address book to their servers in plain, unencrypted text.
The concern here is obvious – this is a serious privacy and security issue, and is even more serious because the app neither asks permission nor notifies the user in any way that this is going on. Path CEO David Morin responded, suggesting that the data is used for connecting with your social contacts:
“We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.”
But that’s hardly an acceptable answer, considering that the information is being uploaded and stored in plain unencrypted text. Morin argues that it is the “industry standard” to store such information that way.
It’s unlikely that the information is being stored and used for malicious purposes, but the fact that it was being uploaded and stored on Path’s servers without any permission is concerning, especially considering that the information is not well secured.
Morin has since apologized, removed the data, and updated the app to make the feature available only to those who choose to opt in.