AdiOS: Say Goodbye to Nosy iPhone Apps


Over the past week there have been a few big stories on iOS apps transmitting users’ address books as a convenience feature. Apple has even found themselves on the congressional hot seat this week about their device’s address book privacy. AllThingsD reports that Apple, faced with growing criticism that they have given iOS developers far too much access to private data without requiring a user prompt, has pledged that apps dumping address book data will soon require explicit user permission to do so.

Dieter Bohn at The Verge states the problem best: “Any iOS app has complete access to a large amount of data stored on your iPhone, including your address book and calendar. Any iOS app can, without asking for your permission, upload all of the information stored in your address book to its servers. From there, the app developer can either use it to help find your friends, store it in perpetuity, or do any number of other things with it.”

Introducing AdiOS

To find out how many of my iPhone apps were dumping the address book, I put together a utility called AdiOS (Addressbook Detector for iOS) that lets Mac users scan the iOS apps in your iTunes directory to see if they have the potential to dump your phone book externally. AdiOS detects apps that access your entire address book, by using a binary grep to look for use of the ABAddressBookCopyArrayOfAllPeople API call. AdiOS quickly and easily finds all the apps that have the potential to violate your privacy. It could also be used to see if your apps are complying with the new policies Apple is rolling out around protection of Address book information.

Using AdiOS to Audit Your Privacy

AdiOS allows Mac users to see what apps have potential privacy problems. Using AdiOS is easy. Just download AdiOS, unzip, double click on AdiOS.app, and let it run. If you have a few hundred apps, it’ll take a couple minutes to complete.

Output will look something like this:

What We Discovered

A few of us in Veracode just tested AdiOS on our own machines. Of the roughly 450 iOS apps on my Mac, 50 of them appear to call ABAddressBookCopyArrayOfAllPeople. That by itself doesn’t mean the app is transmitting any data, or doing so behind your back, but it does raise questions. Angry Birds does it. Citibank does it. Several Google apps do it. A number of lesser-known games do it, too. Why do all of these apps need to dump my entire address book? The quantity of apps with this ability really caught us off guard.

Most apps that have email functionality (e.g. “send this to a friend”) wouldn’t ever need to use ABAddressBookCopyArrayOfAllPeople. They could just use the standard view controller for contact info, the ABPeoplePickerNavigationController. If they wanted a custom UI for the picker, then they have no choice but to dump the address book.

In order to check whether the app is actually transmitting the address book information, you’d need to perform a full static analysis, or a manual test using a tool such as mitmproxy.

Don’t Panic!

Lots of apps access your whole contact list for legitimate reasons! Social networking apps do it so you can make connections. Maps/directions/GPS apps do it for convenient access to all of your friends’ addresses. Many games do it so that you can “share your highscores”, etc. But still, it’s interesting to see which apps have the potential to do what with your personal address book data.

Should We Really Be Surprised?

Talking to the Veracode Research team about this iOS address book madness, the consensus was that none of this should come to a surprise to anyone who’s been following mobile development or security research for mobile platforms.

At Veracode, we’ve already detected this issue in some of the mobile applications that we’ve scanned for our customers. More importantly, we can automatically determine if the app is actually transmitting the address book information once it has been retrieved. Obviously that requires much deeper analysis than this quick binary grep tool can provide! The deep static binary analysis service that we offer our customers uses data flow graphs to connect the output of ABAddressBookCopyArrayOfAllPeople with downstream network APIs in order to confirm a privacy leak.

Along with running AdiOS, consumers of mobile apps should ask their providers to perform binary static analysis on the apps they offer.

fG! | February 16, 2012 12:54 pm

It’s very probable that someone already asked for this, but a final summary about the total number of each type would be great!

Nice app :-)

DB | February 16, 2012 1:31 pm

Any explanation for the Indiv/All column entries? If it’s an I, does that mean the app is not accessing all your address book entries? Or what?

Stephen Wilson (@Steve_Lockstep) | February 16, 2012 1:34 pm

“Talking to the Veracode Research team about this iOS address book madness, the consensus was that none of this should come to a surprise to anyone who’s been following mobile development or security research for mobile platforms”.

This could be an interesting example of the gap between software developers and the public (and policy makers) over privacy. In my view, most of the public — even the technologically informed public — would indeed be surprised to know any old app can (and many do) access their contact lists. So for developers to not be surprised may indicate a different way of looking at privacy.

Conversely, what probably _will_ surprise many technologists is that under black letter privacy law in Europe, Australia and other places, it would be an offence to access contact information without a good reason and/or user consent, let alone to do it without any notice at all. As suggested in the article, it’s hard to imagine why many of these apps have any cause at call ABAddressBookCopyArrayOfAllPeople.

Developers sometimes seem to think that if information is accessible to them, then it’s fair game. The classic example was the collection of wifi transmissions by Google Street View cars. Many at the time said that if data is in the “public domain” then it’s free to be collected and used. And they were very surprised indeed to learn that their assumption is simply wrong at law. Many privacy laws are generally blind to where Personally Identifiable Information is collected. If information is identifiable, and if you have no business holding it, then you’re not allowed to. It’s black and white.

The offence is especially serious when the PII concerned is about thrid parties (i.e. my contacts) who have had no say at all in the way that an app is collecting it from me.

See http://lockstep.com.au/blog/2011/01/26/public-yet-still-private.html

Chris Eng | February 16, 2012 1:46 pm

@DB: The “All” checks for API calls that dump the entire addressbook. That includes ABAddressBookCopyArrayOfAllPeople and all its variants (e.g. ABAddressBookCopyArrayOfAllPeopleInSource). The “Indiv” checks for any addressbook related API calls, that is, anything starting with ABAddressBook.

Also worth noting: a developer could use an iterator around individual addressbook lookups to effectively accomplish the same thing as ABAddressBookCopyArrayOfAllPeople without actually calling that function. Detecting that scenario would require full static analysis; AdiOS will report something like that as “Indiv”.

Doug Grinbergs | February 16, 2012 8:42 pm

Somewhat surprised that running grep produces many less files than the AdiOS app shows (43):

$ cd ~/Music/iTunes/Mobile Applications; grep ABAddressBook *.ipa | nl
1 Binary file AirPort Utility 1.0.ipa matches
2 Binary file Apple Store 110366.ipa matches
3 Binary file Classifieds.ipa matches
4 Binary file Evernote 4.1.7.ipa matches
5 Binary file Google 1.0.1.ipa matches
6 Binary file LinkedIn 12.0.ipa matches
7 Binary file Obama ’08.ipa matches
8 Binary file iCabMobile 5.3.ipa matches

(there are 200 apps in the directory)

just me | February 17, 2012 1:23 am

The app does not work if the iTunes library has been relocated. Please fix.

Chris Eng | February 17, 2012 11:36 am

@Doug: Try unzipping the .ipa files before doing the grep.

AdiOS: Say Goodbye to Nosy iPhone Apps | iPhone And iPad News | February 17, 2012 5:27 pm

[...] scan the iOS apps in your iTunes directory to see if they have … … The rest is here: AdiOS: Say Goodbye to Nosy iPhone Apps ← iPhone Losing Market Share in China | WebProNews iPole & Mini iPhone Review by [...]

The unrighteous ‘Path’ | ManaSlam | February 17, 2012 7:06 pm

[...]  I just discovered this website while browsing my flipboard: AdiOS. While the damage is probably already done in most cases, this software can help you detect [...]

自分のアドレス帳に秘かにアクセスしているアプリが分かるAdiOS | February 17, 2012 11:29 pm

[...] 例のアドレスゲート事件で、モバイルのアプリがユーザのアドレス帳をおいしそうに舐めていることを知ったあなたは、今おびえているかな? そんなあなた向きの、無料のMacアプリAdiOSは、iOSアプリがユーザの電話帳やメールのアドレス帳にアクセスできるか否かを数秒で判定してくれる。そのアドレス帳などを、アプリがどうやってどこへ送信しているのか、それは分からないけど、とにかく、それらにアクセスしているアプリは削除すべきだろう。 [...]

Solydaritas Forever | February 18, 2012 5:44 am

[...] Address-gate have you terrified that your mobile apps are secretly slurping up your address book? AdiOS is a free new Mac program that in seconds detects which of your iOS apps have the ability to access [...]

Aughavey Computers - Aughavey Computers Cookstown | February 18, 2012 12:32 pm

[...] Address-gate have you terrified that your mobile apps are secretly slurping up your address book? AdiOS is a free new Mac program that in seconds detects which of your iOS apps have the ability to access [...]

Today’s Links « Great apps | February 18, 2012 12:45 pm

[...] Address-gate have you terrified that your mobile apps are secretly slurping up your address book? AdiOS is a free new Mac program that in seconds detects which of your iOS apps have the ability to access [...]

谁在上传你的通讯录?AdiOS 知道 - 爱范儿 · Beats of Bits - 发现创新价值的科技媒体 | February 18, 2012 10:06 pm

[...] 自社交网络诞生以来隐私问题越来越被用户重视,尤其是移动互联网的兴起,隐私问题愈演愈烈。闹的满城风雨的 Path 上传通讯录问题刚刚过去,谷歌又被华尔街日报指责追踪用户浏览记录。最近,安全公司 Veracode  发布一款能让 Mac 用户便捷查看 iOS 系统上传通讯录的应用软件:AdiOS。 [...]

贝塔先生 » 谁在上传你的通讯录?AdiOS 知道 | February 18, 2012 10:09 pm

[...] 自社交网络诞生以来隐私问题越来越被用户重视,尤其是移动互联网的兴起,隐私问题愈演愈烈。闹的满城风雨的 Path 上传通讯录问题刚刚过去,谷歌又被华尔街日报指责追踪用户浏览记录。最近,安全公司 Veracode  发布一款能让 Mac 用户便捷查看 iOS 系统上传通讯录的应用软件:AdiOS。 [...]

谁在上传你的通讯录?AdiOS 知道 « 清泉石上流 | February 18, 2012 10:17 pm

[...] 自社交网络诞生以来隐私问题越来越被用户重视,尤其是移动互联网的兴起,隐私问题愈演愈烈。闹的满城风雨的 Path 上传通讯录问题刚刚过去,谷歌又被华尔街日报指责追踪用户浏览记录。最近,安全公司 Veracode  发布一款能让 Mac 用户便捷查看 iOS 系统上传通讯录的应用软件:AdiOS。 [...]

谁在上传你的通讯录?AdiOS 知道 | IT & 数码 | February 19, 2012 1:26 am

[...] 自社交网络诞生以来隐私问题越来越被用户重视,尤其是移动互联网的兴起,隐私问题愈演愈烈。闹的满城风雨的 Path 上传通讯录问题刚刚过去,谷歌又被华尔街日报指责追踪用户浏览记录。最近,安全公司 Veracode  发布一款能让 Mac 用户便捷查看 iOS 系统上传通讯录的应用软件:AdiOS。 [...]

James Seward | February 19, 2012 7:10 am

I used:

for i in *.ipa; do; if (unzip -p $i | grep ABAddressBookCopyArrayOfAllPeople > /dev/null); then; echo $i; fi; done

in my Mobile Applications directory to work around AdiOS not working with a relocated iTunes folder. (It also didn’t work when I symlinked it back into the right place.)

James Seward | February 19, 2012 7:19 am

(That’s a zsh script, by the way.)

谁在上传你的通讯录?AdiOS 知道 | 橙味网 | February 19, 2012 7:47 am

[...]   自社交网络诞生以来隐私问题越来越被用户重视,尤其是移动互联网的兴起,隐私问题愈演愈烈。闹的满城风雨的 Path 上传通讯录问题刚刚过去,谷歌又被华尔街日报指责追踪用户浏览记录。最近,安全公司 Veracode  发布一款能让 Mac 用户便捷查看 iOS 系统上传通讯录的应用软件:AdiOS。 [...]

Bob Webster | February 19, 2012 9:06 am

How do I get AdiOS to work if my iTunes library has been relocated to an external drive? Thanks kindly for the help.

Josh | February 20, 2012 8:03 am

It would be handy if there were a wiki that people could add their results to and say why they trust the app or not. Or maybe a Google Doc, or something.

Royce Eddington | February 20, 2012 11:13 am

I can confirm the app does NOT work if the iTunes directory (itunes / Mobile Applications) is on a external drive. Please fix! Thanks!!

AdiOS!!! › HappyBuddha | February 20, 2012 12:26 pm

[...] App prinzipiell auf euer Adressbuch zugreifen kann? Und kein Plan, wo ihr das nachschlagen könnt? AdiOS hilft [...]

Privacy is dead | February 20, 2012 1:18 pm

[...] below) but is an increasing problem. I wanted to know just how bad it is. So I ran a utility called AdiOS that scans iTunes app purchases and reports which apps can send information from iOS Contacts from [...]

offroadbiker | February 21, 2012 1:32 pm

@Mark Kriegsman
Doesn’t work if the directory is on:
/Users/Shared/Music/iTunes

How is it possible to change the directory?
PLS HELP!

谁在上传你的通讯录?AdiOS 知道 | 曹志士 | February 25, 2012 5:40 am

[...] 自社交网络诞生以来隐私问题越来越被用户重视,尤其是移动互联网的兴起,隐私问题愈演愈烈。闹的满城风雨的 Path 上传通讯录问题刚刚过去,谷歌又被华尔街日报指责追踪用户浏览记录。最近,安全公司 Veracode  发布一款能让 Mac 用户便捷查看 iOS 系统上传通讯录的应用软件:AdiOS。 [...]

Max | May 24, 2012 5:04 am

I don´t see a list of compromised apps.
It doesn´t work unter snow leopard….:-(((

» Cool Websites and Tools [June 3rd 2012] | betaSir - We love software | July 4, 2012 5:20 am

[...] AdiOS – You’ve probably heard about the Path situation and how they got called out by users and industry alike for accessing users’ address books and uploading contacts to their servers without their knowledge. AdiOS is an app for Macs that wants to show you all the iOS apps that are accessing your address book. This is a Mac app, so it can only access iOS apps from iTunes. Read more: AdiOS: See Which iOS Apps Are Peeking Into Your Address Book [Mac] [...]

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

RSS feed for comments on this post