Don’t store passwords in the Contacts app

In light of the recent Facebook data harvesting incident, I took a closer look at developer access to the Contacts app in macOS and iOS. The first time you open a third-party application that wants access to your contact info, you’ll get a prompt asking for your permission. It’s bad enough that the app will then have access to all of your contacts’ names, addresses, phone numbers, birthdays, and email addresses. What may not be obvious is that the third-party application will also have access to the note field in each contact record. This field is often used as a convenient place to jot down miscellaneous information. Unfortunately, it is not unheard of for users to store passwords and/or other sensitive data in this field.

Once application developers have access to Contacts, the data could be uploaded to their servers. What’s done with the data in the cloud boils down to what’s stated in their privacy policy and their adherence to it. So in short, don’t put any sensitive data in Contacts!

I’d advise you to take a look at which apps have requested access to Contacts. You might be surprised. You’ll be able to turn off the apps’ access to Contacts, but once data is in the cloud, deleting it may pose a significant challenge. Here’s where to find the Contacts privacy settings in iOS and macOS:

iOS: Settings -> Privacy -> Contacts

macOS: Security & Privacy -> Privacy -> Contacts

There are good solutions for managing passwords and sensitive data, such as 1Password. If you don’t want to spend money on a password manager, there is a secure manager built into Safari. For jotting down notes, use the Notes app. Third-party developers cannot access data in the Notes app, to the best of my knowledge. Also, individual notes can be locked (encrypted) in the Notes app with a personal password.
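One way to find notes that should be moved out of Contacts, as an added example that is not from the original post: it assumes you have exported your contacts to a vCard (.vcf) file, and the keyword list, function names and sample data are constructed for illustration.

```python
import re

# Heuristic keyword list (an assumption; extend it to match your own habits).
SECRET_HINTS = re.compile(
    r"\b(?:pass(?:word|code|phrase)|pwd|pin|login|secret|cvv)\b", re.I)

# Constructed sample export (not real data). vCard folds long lines by
# starting the continuation line with a space or tab.
SAMPLE_VCF = (
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Alice Example\r\n"
    "NOTE:Met at conference\\, likes hiking\r\nEND:VCARD\r\n"
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Home Router\r\n"
    "item1.NOTE;CHARSET=utf-8:admin login\\nPassw\r\n ord: hunter2\r\nEND:VCARD\r\n"
    "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Bob Example\r\nEND:VCARD\r\n"
)

def unfold(text):
    # Normalise line endings, then join folded continuation lines.
    return re.sub(r"\n[ \t]", "", text.replace("\r\n", "\n"))

def unescape(value):
    # vCard text escapes: \n or \N is a newline; \, \; \\ are literals.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def audit_notes(vcf_text):
    """Return (contact name, note, flagged) for every contact that has a note."""
    results = []
    name, note = "(no name)", None
    for line in unfold(vcf_text).split("\n"):
        prop, _, value = line.partition(":")
        # Drop parameters (;CHARSET=...) and group prefixes (item1.)
        key = prop.split(";")[0].split(".")[-1].upper()
        if key == "BEGIN":
            name, note = "(no name)", None
        elif key == "FN":
            name = unescape(value)
        elif key == "NOTE":
            note = unescape(value)
        elif key == "END" and note:
            results.append((name, note, bool(SECRET_HINTS.search(note))))
    return results

if __name__ == "__main__":
    for name, note, flagged in audit_notes(SAMPLE_VCF):
        if flagged:
            print(f"Review and move this note: {name}")
```

The script only reports contact names, so the note contents are not echoed to the terminal; delete the exported .vcf file once you have finished reviewing.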

Update: iOS 13+ requires developers to get explicit permission from Apple to access notes in Contacts.
