The third-party apps on your iPhone, iPad, or iPod touch can access your contacts without your permission. Not only do they not need your permission, but they can still access your contacts even when explicitly denied the authority to do so.
So, when did I find out that your iOS device’s contacts are visible to your apps? Well, actually, I discovered this security flaw way back in October and subsequently published an article detailing the flaw in addition to a video proving that the flaw exists. After five long months of this issue being ignored by the mainstream media, now I’m trying to inform the public about this horrible hole in Apple’s software again. So, here I go.
I found this security flaw, which is of course still present in the latest versions of iOS in addition to the iOS 9.3 public beta, in the Microsoft Office apps when attempting to share documents. For example, in Microsoft Word, you’d see this issue after opening a Word document and tapping the share button in the top right corner of the screen. Then select “Invite People” and tap the encircled plus button in the screen that appears. Now here’s where Microsoft Word can access your contacts without your permission. See, if you tap “Don’t Allow,” you can still scroll through all of your contacts and even select a person to share the document with. So, if you don’t believe me that this vulnerability exists, you can go see it for yourself the same way I just did.
But, you may not really care about this security issue because, hey, your apps can only access your contacts, right? Why does it matter? Well, it actually matters a lot. Just think about all of the people in your contacts: your friends, coworkers, family members, even your boss, and you definitely don’t want to upset your boss. Then think about all of these people’s personal information that is stored in your contacts: their names, addresses, emails, phone numbers, birthdays, and the list keeps going on and on. So, yeah, this seemingly minuscule vulnerability is kind of a big deal.