Popular journal app Path uploads your personal contact information without notice

Well well… another day, another security issue with a popular mobile app. This time the culprit is a popular life journal app called Path.  Arun Thampi discovered that Path uploaded his entire address book (names, numbers, emails) to Path without his prior consent. Arun highlighted the fact that the app never asked for permission to upload this type of sensitive info to Path.

Path’s founder and CEO responded to Arun:

“We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and [efficiently] as well as to notify them when friends and family join Path.”

The CEO went on to say that a recent update for the Android version asked for permission to upload the address book (but it still was not done opt-in style). IOS users still don’t have the luxury of deciding. Regardless of what the company says from this point on, it will be seen as a reaction to the discovery rather than a real genuine interest by Path to inform its user and allow them to intelligently decide on what to do with their information.

In recent weeks, I had been testing Path and will discontinue its use based on this new information. Companies have to learn that being upfront with their users is critically important and that protection of personal data is paramount.