0

I do know how to ask permission for contact's list accessing, is a very simple implementation, also I know Apple checks all this in case of going live to the App Store.

I'm about to receive a AdHoc bundle to a third party client, very very picky with privacy issues and I want to be certain that you cannot in any possible way in iOS7 access to the the address book, without previous and clear authorisation, nor storing some file in local or sending it through a web-service.

If there's other sensitive information than a programmer can access without the operating system firewall please let me know as well.

I read some subroutines can go through...

QUESTION: Can a developer access to the addressbook or personal information, directly or indirectly using a third party API or subroutine to the personal data, without explicit permission? Is an AdHoc bundle as secure as an AppStore reviewed App in that case?

Please do not punish me with negative feedback if you are not interested in privacy issues or think was that obvious, actually Apple's documentation is not clear and is focused on AppStore, mostly.

Thanks!

rmaddy
  • 314,917
  • 42
  • 532
  • 579
Helen Wood
  • 1,872
  • 2
  • 26
  • 41
  • I think you should develop for a Jailbroken device, there everything is possible, Apple devices known for its securities and other stuffs, no one can invade inside. – iphonic Apr 07 '14 at 12:33
  • I don't think your question is very clear, please could you make it clearer. Also this has nothing to do with the `xcode IDE` please don't use that tag. – Popeye Apr 07 '14 at 12:35
  • Assuming the device isn't jailbroken, the security model and access controls are the same regardless of whether the app is delivered via the App Store or via ad-hoc/enterprise distribution. Ad-hoc distributed apps are not reviewed, so they can use private APIs or may behave in ways that would not pass review (e.g. excessive battery consumption, non-standard UI etc) – Paulw11 Apr 07 '14 at 12:36
  • No, actually I want to be sure privacy can't be broken, I mean the opposite to free access, in a normal environment. Jailbreak is not an option nor the case. – Helen Wood Apr 07 '14 at 12:37
  • So can I use a 3rd party API that may access without permission to personal data? There's any precedent about it? As far as your know... – Helen Wood Apr 07 '14 at 12:40

2 Answers2

23

This answer came up in every search I did trying to find, CNContactPickerViewController, so I figured I should respond for posterity.

In iOS 9 and later you can call CNContactPickerViewController to present a system controlled contact picker that doesn't require permission to access the user's contacts. You can't hoover up all their contacts, which is what the original question implied (and is super creepy), but at least you can prompt the user to select a contact (or multiple contacts), which is sufficient for many legitimate use-cases.

Docs

Aykhan Hagverdili
  • 28,141
  • 6
  • 41
  • 93
drbarnard
  • 2,957
  • 1
  • 15
  • 11
1

The Address Book cannot be accessed without permission. No third-party API can get in, because internally, these API's need to go through the same permission checks as you need to. No app can get into a user's address book without the user's permission.

This is because of a security issue that Path, and some other apps, uploaded its users' address books to their own servers to use for whatever reason. To read more about it, look here

After this surfaced, Apple required the user's permission to access the user's contacts. Apple's iOS platform is possibly the most secure operating systems today, and there are few security holes that exist in their API's (minus the goto fail; mess-up).

App Store reviewed apps are more secure for the user than Ad-Hoc apps. The developers at Apple make sure that you do not do anything malicious with the user's contacts. In Ad-Hoc apps, there is no checkup. So, if you wanted to do anything dirty with their contacts in an Ad-Hoc app, you technically could (if the user gives you permission at all). You do not need to state what you will be doing with the permission, and so you are able to take advantage of the user's trust in you.

If you want the company to trust the app, suggest that they look it over with their own reviewers. If they don't think you are doing anything fishy, you are good.

erdekhayser
  • 6,537
  • 2
  • 37
  • 69