MacNN | Path app revised in light of new 'location tracking' issue
Mac News Network View: Standard | Headlines | Categorized | Slim
Mac News Network
Mac News iPod News Reviews Forums
 

Desktop Headlines
Path app revised in light of new 'location tracking' issue
Friday, February 1, 2013 @ 8:14pm

On the same day as the social and photo-sharing app Path agreed to an $800,000 settlement with the Federal Trade Commission over its surreptitious uploading of users' contacts without their knowledge last year, a security researcher discovered a "backdoor" way of obtaining the same data by reading the EXIF location embedded in digital photos even if "location sharing" is explicitly turned off. Path says it was previously unaware of the issue and has already updated its iOS app to close the loophole.



By all accounts, Path was not using the EXIF data and was unaware that the workaround existed until it was pointed out. After facing a widespread public backlash when it was originally discovered to be helping itself to contact data from users' address books without user permission, Path rebuilt its base with an aggressive action plan to disavow and destroy all location data it had previously collected, along with an apology to users. It explained that it had previously copied user contact data to allow the service to automatically connect people who already know each other together on the social network as a user's friends joined the service, similar to the way Facebook performs the same service (though Facebook uses a less-invasive method, and requires user interaction to make any changes). The data-mining was and remains off-limits according to Apple developer guidelines, and CEO Tim Cook allegedly "grilled" Path co-founder and CEO Dave Morin in a face-to-face meeting when the contact-scraping was discovered and made public. Apple subsequently strengthened enforcement of the ban by forcing applications to explicitly ask for permission to access contacts or photos or other personal info, even if access to that information is an obvious part of the purpose of the app (for example, the "Find My iPhone" app still asks for permission to access a user's location data). Having been burned by the overzealous privacy breach once, Path was quick to react when informed about the bug this time. It became obvious in the investigation that Path's original code had used EXIF data as a "fallback" when location data was not found, and that this backdoor had simply never been closed when the company began obeying Location Services settings. Path Product Manager Dylan Casey reported back to researcher Jeffrey Paul and told him the company had changed the code to ignore EXIF tag location, and submitted a new version of the app with the change. Apple approved the new version in record time, and the update is already available on the App Store. The company later clarified that if a photo were taking using the Path app, the photo has no location data at all if Location Services is turned off or location data permission has been denied. It was only photos taken with the Apple camera app or brought in from other sources that may have EXIF location data preserved. As part of its agreement with the FTC, Path has already said that it will not collect such info for users who are known to be under the age of 13, even if Location Services and location data permission has been granted.

Comments on this Article
Print Friendly Version
Email to a Friend
Add MacNN to Your RSS Feeds
Buy from the Apple Store


Related Stories:

Most Recent Stories:

  • Giveaway: Trick or Treat! Win 1 of 3 Wicked Audio Deuce earbuds! - 11:28 PM EST
  • Android co-founder Rubin leaves Google to found hardware incubator - 10:29 PM EST
  • Kodak PixPro SP360 action cam records 360-degree video - 10:28 PM EST
  • Pirate Bay co-founder Gottfrid Svartholm Warg found guilty of hacking - 9:26 PM EST
  • Briefly: BookArc Stand for Mac Pro, Spotify for iPad updated - 8:13 PM EST
  • Zuckerberg: Oculus needs to sell 100 million units to be 'meaningful' - 7:13 PM EST
  • Giveaway: Trick or Treat! Win a Kaebo Lightning to USB cable! - 7:02 PM EST

    Today's iPodNN Stories:
  • Android co-founder Rubin leaves Google to found hardware incubator - 10:29 PM EST
  • Pirate Bay co-founder Gottfrid Svartholm Warg found guilty of hacking - 9:26 PM EST
  • Zuckerberg: Oculus needs to sell 100 million units to be 'meaningful' - 7:13 PM EST
  • Samsung Gear S heading to major US carriers from November 7 - 4:58 PM EST
  • Samsung stumbles in third quarter with reduced revenue, profit - 11:59 AM EST
  • No comments posted on this story yet. Please post yours.
    Your Comments
    In order to post comments, you must be a registered member of the MacNN Forums and logged in. Please login with your MacNN Forums username and password.

    MacNN Forums Login:

    MacNN Forums Password:

    Not a member of the MacNN forums? Register now for free.