Printed from http://www.macnn.com

Path app revised in light of new 'location tracking' issue

updated 08:14 pm EST, Fri February 1, 2013

User discovered EXIF 'backdoor,' company issues quick fix

On the same day that the social and photo-sharing app Path agreed to an $800,000 settlement with the Federal Trade Commission over its surreptitious uploading of users' contacts without their knowledge last year, a security researcher discovered a "backdoor" way of obtaining the same data by reading the EXIF location embedded in digital photos even if "location sharing" is explicitly turned off. Path says it was previously unaware of the issue and has already updated its iOS app to close the loophole.

By all accounts, Path was not using the EXIF data and was unaware that the workaround existed until it was pointed out. After facing a widespread public backlash when it was originally discovered to be helping itself to contact data from users' address books without user permission, Path rebuilt its base with an aggressive action plan to disavow and destroy all location data it had previously collected, along with an apology to users.

It explained that it had previously copied user contact data to allow the service to automatically connect people who already know each other on the social network as a user's friends joined the service, similar to the way Facebook performs the same service (though Facebook uses a less-invasive method, and requires user interaction to make any changes).

The data-mining was and remains off-limits according to Apple developer guidelines, and CEO Tim Cook allegedly "grilled" Path co-founder and CEO Dave Morin in a face-to-face meeting when the contact-scraping was discovered and made public. Apple subsequently strengthened enforcement of the ban by forcing applications to explicitly ask for permission to access contacts or photos or other personal info, even if access to that information is an obvious part of the purpose of the app (for example, the "Find My iPhone" app still asks for permission to access a user's location data).

Having been burned by the overzealous privacy breach once, Path was quick to react when informed about the bug this time. It became obvious in the investigation that Path's original code had used EXIF data as a "fallback" when location data was not found, and that this backdoor had simply never been closed when the company began obeying Location Services settings.

Path Product Manager Dylan Casey reported back to researcher Jeffrey Paul and told him the company had changed the code to ignore EXIF tag location, and submitted a new version of the app with the change. Apple approved the new version in record time, and the update is already available on the App Store.

The company later clarified that if a photo was taken using the Path app, the photo has no location data at all if Location Services is turned off or location data permission has been denied. It was only photos taken with the Apple camera app or brought in from other sources that may have EXIF location data preserved. As part of its agreement with the FTC, Path has already said that it will not collect such info for users who are known to be under the age of 13, even if Location Services and location data permission have been granted.
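The kind of upload-side check this fix implies, as an added example that is not code from Path or from this article: it detects the EXIF GPS pointer in a JPEG and refuses to pass it along when the user has not allowed location. The function names and the sample image are constructed for illustration, and the sketch assumes it is acceptable to drop the whole Exif block rather than only its GPS entries.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD

def exif_segments(jpeg):
    """Yield (start, end) offsets of each APP1 'Exif' segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + max(length, 2)
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            yield pos, end
        pos = end

def has_gps(jpeg):
    """True if any Exif segment's IFD0 carries a GPS IFD pointer."""
    for start, end in exif_segments(jpeg):
        tiff = jpeg[start + 10:end]
        order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if order is None or len(tiff) < 8:
            continue
        (ifd0,) = struct.unpack(order + "I", tiff[4:8])
        if ifd0 + 2 > len(tiff):
            continue
        (count,) = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2])
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) == 12 and struct.unpack(order + "H", entry[:2])[0] == GPS_IFD_TAG:
                return True
    return False

def prepare_upload(jpeg, location_allowed):
    """Return the bytes to upload; without consent, never let EXIF GPS through."""
    if location_allowed or not has_gps(jpeg):
        return jpeg
    out, prev = bytearray(), 0
    for start, end in exif_segments(jpeg):  # drops the whole Exif block, orientation included
        out += jpeg[prev:start]
        prev = end
    return bytes(out) + jpeg[prev:]

# Constructed sample: SOI, one Exif APP1 whose IFD0 holds only a GPS pointer, SOS, EOI.
_tiff = (b"MM\x00\x2a" + struct.pack(">IH", 8, 1)
         + struct.pack(">HHII", GPS_IFD_TAG, 4, 1, 26) + b"\x00" * 10)
_body = b"Exif\x00\x00" + _tiff
SAMPLE = (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(_body) + 2) + _body
          + b"\xff\xda\x00\x02\xff\xd9")
```

The check keys on the permission alone, so a photo imported from another camera app is treated the same as one taken in-app.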




by MacNN Staff
