If “Apple would never do this to their users”, then how is it that Apple provided the API which Path used to do this to their users, without requiring the users to give the app permission (as they do with, say, allowing an app access to a user's location)?
Because it requires 2 API's both of which have legitimate uses:
1.) Get the user's address book and 2.) upload it to a server.
Installing an application implies a higher level of trust than a web application. You can't prompt the user for every API that might have a nefarious use. Location data is also much more sensitive so it makes sense to prompt the user for that.
From the traction this story is getting, it sure looks like address book information is considered sensitive by a lot of people. Possibly on par with location data.
It's sensitive depending on what you're going to do with it. If you're a native app and you want to access it so that you can show me my address book in some unique way, then I don't want to be bothered giving permission. If you're a native app that's just a front end to some social network and you're going to shuttle it off to some big database in the sky, then maybe not.
The problem is that this isn't easily enforceable at the API level without the user having to make decisions. The right level of enforcement is at the app review stage.
> The problem is that this isn't easily enforceable at the API level without the user having to make decisions.
It's not enforceable even WITH the user having to make decisions. The user can not allow the app to upload one kind of data and disallow another (address book). You can only allow ANY upload or no upload at all.
Yeah, but then using apps would quickly descend into a horrible mess of deny/accept, confusing and scaring the user. The pop-up hell of windows would pale in comparison.
You'd have solved the problem, but created a horrible user experience instead.
Maybe I wasn't clear enough. I wanted to say that it's not possible to solve the problem by asking the user's permission because API does not allow you to ask for a permission to upload specific data (address book). So there is no way to prevent an app to upload your address book without totally preventing it to upload anything.
