MacNN | Path app revised in light of new 'location tracking' issue
Friday, February 1, 2013 @ 8:14pm

On the same day that the social and photo-sharing app Path agreed to an $800,000 settlement with the Federal Trade Commission over its surreptitious uploading of users' contacts without their knowledge last year, a security researcher discovered a "backdoor" way of obtaining the same data by reading the EXIF location embedded in digital photos, even if "location sharing" is explicitly turned off. Path says it was previously unaware of the issue and has already updated its iOS app to close the loophole.



By all accounts, Path was not using the EXIF data and was unaware that the workaround existed until it was pointed out. After facing a widespread public backlash when it was originally discovered to be helping itself to contact data from users' address books without user permission, Path rebuilt its base with an aggressive action plan to disavow and destroy all location data it had previously collected, along with an apology to users. It explained that it had previously copied user contact data so that the service could automatically connect people who already knew each other as a user's friends joined the social network, similar to the way Facebook performs the same service (though Facebook uses a less-invasive method, and requires user interaction to make any changes).

The data-mining was and remains off-limits according to Apple developer guidelines, and CEO Tim Cook allegedly "grilled" Path co-founder and CEO Dave Morin in a face-to-face meeting when the contact-scraping was discovered and made public. Apple subsequently strengthened enforcement of the ban by forcing applications to explicitly ask for permission to access contacts, photos or other personal info, even if access to that information is an obvious part of the purpose of the app (for example, the "Find My iPhone" app still asks for permission to access a user's location data).

Having been burned by the overzealous privacy breach once, Path was quick to react when informed about the bug this time. It became obvious in the investigation that Path's original code had used EXIF data as a "fallback" when location data was not found, and that this backdoor had simply never been closed when the company began obeying Location Services settings. Path Product Manager Dylan Casey reported back to researcher Jeffrey Paul and told him the company had changed the code to ignore EXIF tag location, and submitted a new version of the app with the change.

Apple approved the new version in record time, and the update is already available on the App Store. The company later clarified that if a photo was taken using the Path app, the photo has no location data at all if Location Services is turned off or location data permission has been denied. It was only photos taken with the Apple camera app or brought in from other sources that may have EXIF location data preserved. As part of its agreement with the FTC, Path has already said that it will not collect such info for users who are known to be under the age of 13, even if Location Services and location data permission have been granted.
