SAN FRANCISCO • Apple changed its App Store rules last week to limit how developers use information about iPhone owners' friends and other contacts, quietly closing a loophole that lets app makers store and share data without many people's consent.
The move cracks down on a practice that has been employed for years.
Developers ask users for access to their phone contacts, then use the information for marketing and sometimes share or sell it - without permission from the other people listed in those digital address books.
On both Apple's iOS and Google's Android, the largest smartphone operating systems, the tactic is sometimes used to juice growth and make money.
Sharing of friends' data without their consent is what got Facebook into so much trouble when one of its outside developers gave information on millions of people to Cambridge Analytica, the political consultancy.
Apple has criticised the social network for that lapse and other missteps, while announcing new privacy updates to boost its reputation for safeguarding user data.
But it has not drawn as much attention to the recent change to its App Store rules.
As Apple's annual developer conference got underway on June 4, the Cupertino-based company made many new pronouncements on stage, including new controls that limit tracking of Web browsing.
But the iPhone maker did not publicly mention updated App Store Review Guidelines that now bar developers from making databases of address-book information from iPhone users.
Sharing and selling that database with third parties is also now forbidden. And an app can't get a user's contact list, say it's being used for one thing, and then use it for something else - unless the developer gets consent again. Anyone caught breaking the rules may be banned.
When users install apps and then consent, developers get dozens of potential data points on people's friends. That is a trove of information that developers have been able to use, beyond Apple's control.
In the years following the launch of the App Store in 2008, contact-list abuse surfaced from time to time and, in 2012, Apple added a way for users to explicitly approve their contacts, photos, location information, and other data being uploaded by developers.
Some apps, including Uber and Facebook, let users remove contacts that have been uploaded. Even so, there's no mechanism to do that for all apps that have been installed on an iPhone.
Aside from that, Apple's rules on contact lists have remained relatively consistent for a decade. Apple said last week that developers have generated US$100 billion (S$134 billion) since the App Store launched.
The company typically takes 30 per cent of app revenue and runs search ads in its App Store.
"They have a huge ecosystem making money through the developer channels and these apps, and until the developers get better on privacy, Apple is complicit," said Mr Domingo Guerra, president of Appthority, which advises governments and companies on mobile-phone security. "When someone shares your info as part of their address book, you have no say in it, and you have no knowledge of it."
While Apple is acting now, the company cannot go back and retrieve the data that may have been shared so far. After giving permission to a developer, an iPhone user can go into their settings and turn off apps' contacts permissions. That turns off the data supply, but does not return information already gathered.
The Google app store works in a similar way. On the company's help page about app permissions, under "Important", it says: "If you remove permission for an app, this action won't delete the info the app already has. However, the app cannot use new info or take actions from that point on."