Why I worry that demanding permission before accessing contact data is too crude

Apple have said that they will soon be updating iOS to check for explicit permission before an app can have access to contact data.

Consider an app like Sandvox. Yes, it doesn’t ship on iOS, and Apple haven’t announced if the Mac will be receiving the same treatment, but there are plenty of legitimate reasons like ours to use the address book API on iOS. So:

When you create a new document/site in Sandvox, we look up your “Me” card in order to pre-populate the site’s title and footer. It’s a nice touch that makes the new site instantly feel more yours. Under the scheme Apple is proposing, this access would first require you to grant Sandvox permission to access your address book. It seems to me that at this point there’s then a variety of possible reactions:

  • Annoyance/fear: “Why am I being bugged for this? What is the app going to do with my info?” — made even worse if the info turns out to be irrelevant to the site!
  • “I have no idea what this is for; I’ll just say OK like I do to all alerts” — pretty common (if bad) behaviour that we’d be serving to reinforce
  • “I have no idea what this is for; I don’t want to grant access” — we’ve now bugged the user to no gain
  • “Hopefully this is for something smart and innocuous, I’ll say yes”

Consider me sceptical, but I think the last of these is going to be fairly rare! It seems at this point the tiny gain of this Sandvox nicety would be outweighed by all the possible ways to annoy/confuse/upset customers.

Of course I suppose Apple could add some new API that lets us tell the user why access is requested. That seems a potential trojan nightmare though; the alert could be a complete lie! In theory the app store reviewers should be able to catch such behaviour — perhaps this API would only be available to app store apps?

When sandboxing starts being widely adopted, we have the beginnings of a solution to this for app store apps. Without the address book entitlement, apps are unable to use the entire API. It becomes a lot harder to sneak through an app that accesses the data in an inconspicuous way. But that won’t stop apps with a legitimate use for the data from abusing it, such as uploading to a server to keep.
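For the curious, this is what the gate looks like on the Mac side. The fragment below is an added illustration, not Sandvox’s actual entitlements file: a sandboxed app’s `.entitlements` plist has to carry the `com.apple.security.personal-information.addressbook` key alongside the sandbox key itself, and the AddressBook framework is walled off from the user’s real data in a sandboxed app that lacks it. Which other entitlements an app needs depends on the app; only these two keys are shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Opt the app into the App Sandbox. -->
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <!-- Without this key, a sandboxed app's AddressBook calls
         cannot reach the user's contacts; with it, reviewers can
         see at a glance that the app touches contact data. -->
    <key>com.apple.security.personal-information.addressbook</key>
    <true/>
</dict>
</plist>
```

The useful property here is that the request is declarative and visible in the binary’s signature, so “does this app touch the address book at all?” becomes a yes/no check on the entitlements rather than a hunt through the code.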

Perhaps there could be two or more tiers of entitlement? This Sandvox feature only needs access to the “Me” card and a few fields. Apps like Path could have a different entitlement for access to hashed data only.
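A caveat worth spelling out on the “hashed data only” idea. The Python below is an added example written for this page, not code from Path, Apple or Sandvox, and the contacts and phone numbers in it are made up. It hashes normalized phone numbers the way a hashed-only entitlement might hand them to an app, shows the server-side matching that apps like Path want, and then shows that an unsalted hash of a phone number is recovered by simply enumerating the small keyspace, so “hashed” is not the same as “anonymous” for this kind of identifier.

```python
import hashlib
import re

# Constructed sample address book entries; not real people or real numbers.
SAMPLE_CONTACTS = [
    {"name": "Alice Example", "phone": "+1 (555) 010-0123"},
    {"name": "Bob Example", "phone": "555.010.0456"},
    {"name": "Carol Example", "phone": "+44 20 7946 0999"},
]


def normalize_phone(raw, default_country_code="1"):
    """Reduce a phone string to bare digits with a country code, so the same
    number hashes identically however the user typed it into their card."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return digits
    return default_country_code + digits


def hash_identifier(identifier, salt=b""):
    """SHA-256 of a normalized identifier. The salt is optional so the
    enumeration attack below can be shown with and without it."""
    return hashlib.sha256(salt + identifier.encode("utf-8")).hexdigest()


def hashed_contacts(contacts, salt=b""):
    """What a hypothetical 'hashed data only' entitlement might give an app:
    a list of hashes, never the underlying numbers."""
    return [hash_identifier(normalize_phone(c["phone"]), salt) for c in contacts]


def match_against_users(uploaded_hashes, known_user_numbers, salt=b""):
    """Server side: which uploaded hashes belong to existing users?
    This is the legitimate 'find your friends' use of the data."""
    table = {hash_identifier(normalize_phone(n), salt): normalize_phone(n)
             for n in known_user_numbers}
    return sorted(table[h] for h in uploaded_hashes if h in table)


def recover_number_by_enumeration(target_hash, known_prefix, salt=b""):
    """The problem: phone numbers have a tiny keyspace. Anyone holding the
    hashes (the server, or whoever breaches it) who guesses the country code
    and exchange only has to try the remaining 10,000 suffixes."""
    for suffix in range(10_000):
        candidate = f"{known_prefix}{suffix:04d}"
        if hash_identifier(candidate, salt) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    hashes = hashed_contacts(SAMPLE_CONTACTS)
    print("matched users:", match_against_users(hashes, ["+1 555 010 0456"]))
    print("recovered from hash:", recover_number_by_enumeration(hashes[0], "1555010"))
```

A per-service salt stops a third party who obtains only the hashes from running this enumeration, but it does nothing against the service itself, which knows the salt and can still enumerate every uploaded hash. Restricting an app to hashes therefore limits what a careless developer can leak, not what a motivated one can learn.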

Who knows really? We’ll just have to wait and see what the future brings.

© Mike Abdullah 2007-2015