Sometimes an iOS app wants access to your Contacts — for good but sometimes, perhaps, bad reasons. Here’s how control which apps can read your iOS Contacts. And revoke permission if necessary.
Your Contacts are encrypted both in transit and while on Apple’s managed servers. In other words, end-to-end encryption. Here’s Apple’s note that explains: “iCloud security overview.” However, it’s important to note the following from Apple:
In some cases, your iCloud data may be stored using third-party partners’ servers—such as Amazon Web Services or Google Cloud Platform—but these partners don’t have the keys to decrypt your data stored on their servers.
End-to-end encryption requires that you have two-factor authentication turned on for your Apple ID. Keeping your software up-to-date and using two-factor authentication are the most important things that you can do to maintain the security of your devices and data.
Inside The iPhone
When you’ve logged into your iPhone, you can see your Contacts because, of course, the data is decrypted. But that’s also true if you grant 3rd party apps access. iOS will alert you if an app wishes to access your Contacts. You can, and probably should, deny access until you’ve determined a legitimate, pressing need.
Typical Apps that request access are 3rd party contacts managers and communication apps, like Skype, that have an address book but don’t want to duplicate what you’ve already built up in your own Contacts. I typically endure the inconvenience of denying access for the sake of security. Also, some games will ask for access, with seeming innocent intent, to help you connect better with friends. This could also be perilous. Here’s why.
When an app accesses your contacts, be aware that it’s not only looking at your friends and family phone numbers and addresses but also, for example, your doctor names and any personal health data you may have put in the Notes field. Or financial data like credit card or account numbers. Or ::gasp:: passwords. See: “People, Please Don’t Store Private Data In Your Address Book.”
As far as I know, Apple has no barrier or filter that blocks outgoing, uploaded Contacts data from any app. So if an app can access your Contacts, it could upload the entire unencrypted data file, in an instant, to its parent server/developer. There is no iOS blockage, notification or alert. [There should be.]
To control access to Contacts:
- Tap on iOS Settings.
- Scroll down and tap on Privacy.
- Tap on Contacts.
There you’ll see a list of all apps that have previously requested access to your Contacts and the current permission state. If you see one that needs its access revoked, you can drag the slider to the off position. Denying access to 3rd party apps will not keep your data from syncing via iCloud.
Note that if the app had been previously misbehaving, there may already be a compromise.
The next time an app asks for access to your Contacts, my advice is to immediately deny. Then, later, decide if you trust the app. These days, trust is hard to earn.
[Note: The above security discussion also applies to your iOS Calendar, etc.]