Company calls customers in attempt to sell paid version of mobile app
Within iTunes' user ratings section of iPhone application mogoRoad, a real-time traffic monitoring tool available in Switzerland, several users claim to have received phone calls from the development company behind the mobile software. Reportedly, the company is asking the app owners if they would like to purchase the paid version of the application. While unsolicited sales calls are annoying and intrusive, the bigger issue here is how did the company get its customers' phone numbers to begin with? According to mogoRoad, the information came from Apple.
The recipients of the unwanted calls said that they were contacted a few weeks after the initial installation of the mogoRoad application. An operator would then try to sell them the paid version of the mobile software. If pressed as to how the company got access to their phone number, the operator would generally respond that the information was provided by Apple.
That seems unlikely since Apple does not provide this sort of private information to App Store developers nor does it provide direct access to that information via the iPhone SDK (software development kit), the tool used by developers to build their mobile apps.
Apple Doesn't Provide Phone Numbers, but They Do Provide Access
However, it's not entirely inaccurate of the company to say that Apple did provide them with the customers' phone numbers. Although Apple doesn't directly give out this info, they do provide a relatively easy way for any app developer to retrieve mobile numbers from the phone. In other words, Apple didn't give out the numbers in question, they just provided access to them.
Although mogoRoad won't admit it, the most likely explanation as to how they retrieved the phone numbers involves the use of an undocumented feature which allows any Apple iPhone/iPod Touch application to access the phone number of the device on which it is installed. In an article on tech blog Ars Technica from earlier this year, the process of doing so was described as "a shockingly easy thing to do:"
Apple sneaks in a hidden symbolic link between the app's sandboxed preferences and a global preferences property list...Peek in Library/Preferences with "ls -a". You'll find a symbolic link to /private/var/mobile/Library/Preferences/.GlobalPreferences.plist, which is where (among other items), you'll find a preference called SBFormattedPhoneNumber. This preference provides exactly what the name implies: the user's phone number formatted to the current locale.
In checking with multiple iPhone developers this morning, we confirmed that the trick still works as described above.
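The layout described in the quoted passage, a hidden link inside an app's own preferences directory that resolves to a file outside the app's container, is something a reviewer can check for mechanically. The following is an added example, not code from this article or from Ars Technica: it lists every symlink under a container directory whose resolved target falls outside that directory. The directory names in the constructed sandbox (`app`, `global`, `com.example.app.plist`, `alias.plist`) are assumptions made for the demonstration.

```python
import os
import tempfile


def escaping_symlinks(sandbox_root):
    """Return sorted (link path relative to sandbox, resolved target) pairs
    for every symlink under sandbox_root that resolves outside it."""
    root = os.path.realpath(sandbox_root)
    findings = []
    # followlinks=False: report links, never walk through them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:  # includes dotfiles, as "ls -a" does
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves relative and chained links
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)


def build_constructed_sandbox(base):
    """Constructed test layout: an app container whose Library/Preferences
    holds a hidden link to a global plist outside the container."""
    global_prefs = os.path.join(base, "global", "Library", "Preferences")
    app_prefs = os.path.join(base, "app", "Library", "Preferences")
    os.makedirs(global_prefs)
    os.makedirs(app_prefs)
    global_plist = os.path.join(global_prefs, ".GlobalPreferences.plist")
    own_plist = os.path.join(app_prefs, "com.example.app.plist")
    for p in (global_plist, own_plist):
        open(p, "w").close()
    os.symlink(global_plist, os.path.join(app_prefs, ".GlobalPreferences.plist"))
    # A relative link that stays inside the container must not be flagged.
    os.symlink("com.example.app.plist", os.path.join(app_prefs, "alias.plist"))
    return os.path.join(base, "app"), global_plist


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        sandbox, _ = build_constructed_sandbox(base)
        for link, target in escaping_symlinks(sandbox):
            print(f"{link} -> {target} (outside container)")
```
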
It's Not a Bug, It's a Feature
Believe it or not, this isn't actually a security hole in need of patching - it's more of a feature. "It's important to remember that perfectly legit applications can reach your phone number plus your entire address book as well," Ars Technica blogger Erica Sadun wrote back in January. "Applications can also obtain personal information from most of the iPhone file system..."
While the large majority of app developers out there would never do anything quite so nefarious as what mogoRoad did and undoubtedly wouldn't want to risk alienating their customers in this fashion, it's unsettling to know that they could. And every time you install a mobile app, you're putting yourself at risk.
As of now, Apple hasn't officially responded to requests for comment as to how they will proceed with regards to this situation, either to us or to the blog originally reporting this story, French site Mac4Ever. However, given that the development company has clearly abused an undocumented feature, that should be enough to get them booted out of the App Store...hopefully for good.
Many thanks to MacWord, which pointed us to this story.