28 Feb 2012 – Singapore
It’s taken us a while, but we’re happy to announce that the little side project we’ve been working on – an unofficial Path Client for OS X – is live. What’s more, it is open-source and is available under an MIT License on GitHub. You can read a more in-depth behind-the-scenes story here.
It’s been a challenge working on Denso as well as this side project, but I had a lot of fun working with Peter, Kent and AJ on this Journey ;) (no pun intended).
We think the Anideo Hackathon experiment has been a success and we hope to continue to host more hackathons and foster a culture of building good software here in Singapore.
Real Artists Ship.
8 Feb 2012 – Singapore
[Update #2]
Path has released a new version of the app which asks for permission before it sends your address book to its servers and has blogged about the episode.
[Update #1]
Dave Morin, the CEO of Path has responded in the comments and I’ve pasted it below. As an aside – never in my wildest dreams did I imagine this to blow up like this. I hope we can keep calm and continue to discuss this sensibly.
Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
Dave Morin
Co-Founder and CEO of Path
[Original Post]
It all started innocently enough. I was thinking of implementing a Path Mac OS X app as part of our regularly scheduled hackathon. Using the awesome mitmproxy tool which was featured on the front page of Hacker News yesterday, I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add.
Upon inspecting closer, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given permission to Path to access my address book and send its contents to its servers, so I created a completely new “Path” and repeated the experiment and I got the same result – my address book was in Path’s hands.
Disclaimer: I’m not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service. I love Path as an iOS app and I think there are some brilliant people working on it, but this seems a little creepy. I wonder how many other iOS apps actually do the same…
The Trail of Events
1. https://api.path.com/1/users.plist
As soon as you create a new account on Path, a call is made to https://api.path.com/1/users.plist with your first name, last name, gender and password. A plist is returned which contains the user’s ID as well as other information such as the date of creation.

2. https://api.path.com/3/moment/feed/home?all_friends=1
This API call uses basic HTTP authentication (with a certain key) to obtain some metadata about myself – from the binary plist file it looks like it contains my first name, last name, cover photo, profile picture, etc.

3. https://api.path.com/3/contacts/add
This is the actual offending call which uploads my entire address book to Path.

This is followed by normal API calls which, among others, update my location, fetch my activity stream and track events within the app using Mixpanel.
How to do this at home
This has been tried out on Mac OS X Lion 10.7.2.
- Download the mitmproxy tool and set it up by going to the folder of mitmproxy and running sudo python setup.py install. If all goes well, mitmproxy should be available in your $PATH.
- Start mitmproxy by running mitmproxy.
- Obtain the IP address of your computer by running ifconfig en1 (or whatever interface you are using).
- Set the proxy on your iPhone by going to your wireless settings, setting the proxy to “Manual”, and setting the IP to your computer’s IP and the port to 8080.
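Once the proxy is capturing your own device's traffic, a request body such as the one sent to /3/contacts/add can be checked for address-book data. The script below is an added example, not code from the original post: the plist layout, field names and contact values are constructed, since the post does not show the real payload, and `audit_body` is a hypothetical helper name.

```python
import plistlib
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")

# Constructed sample: the post does not show the real payload layout.
SAMPLE_CONTACTS = {"contacts": [
    {"first_name": "Alice", "last_name": "Tan",
     "emails": ["alice@example.com"], "phones": ["+65 6123 4567"]},
    {"first_name": "Bob", "last_name": "Lim",
     "emails": ["bob@example.org", "bob.lim@example.net"], "phones": []},
]}
SAMPLE_BODY = plistlib.dumps(SAMPLE_CONTACTS, fmt=plistlib.FMT_BINARY)


def walk_strings(node, path=""):
    """Yield (path, string) for every string value in a decoded plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}/{key}")
    elif isinstance(node, (list, tuple)):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def classify(value):
    """Return 'email', 'phone' or None for a single string value."""
    text = value.strip()
    if EMAIL_RE.match(text):
        return "email"
    if PHONE_RE.match(text) and sum(c.isdigit() for c in text) >= 7:
        return "phone"
    return None


def audit_body(body):
    """Report contact-like fields in a request body without echoing them."""
    try:
        doc = plistlib.loads(body)  # detects XML and binary plists
    except Exception:
        return {"is_plist": False, "emails": 0, "phones": 0, "hits": []}
    hits = [(kind, path) for path, value in walk_strings(doc)
            if (kind := classify(value))]
    return {"is_plist": True,
            "emails": sum(k == "email" for k, _ in hits),
            "phones": sum(k == "phone" for k, _ in hits),
            "hits": hits}


if __name__ == "__main__":
    print(audit_body(SAMPLE_BODY))
```

The report lists only the kind and location of each match, so the audit output can be shared without copying the contact data itself.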
30 Dec 2011 – Singapore
Decided to give my blog a fresh coat of Bootstrap paint. I used Bootstrap for a small project called muxx.it earlier this month and loved it — it is definitely one of the best pieces of software to come out this year (especially for design-sense-challenged folks such as myself).
The main reason I wanted to re-design my blog was that I’ve been meaning to pen a year-end review of what’s been quite a roller-coaster twelve months. I didn’t want to publish something on what was, quite frankly, an ugly and dated site, and so here we are.
Hopefully I’ll get down to writing my year-end review in the next couple of days.
24 Jun 2010 – Singapore
I gave a quick presentation yesterday at the June installment of the Singapore Ruby Brigade held at HackerspaceSG. As always, SRB is a great place to meet people and catch up with all the great work that’s going on here. Many thanks to Jason for organising the monthly meetups and to Zhenyi for his camerawork yesterday which has brought SRB June online.
It was also great to listen to Ming Yeow and his experiences (both the highs and the lows) while building MrTweet as well as experiencing every layer of the ‘startup stack’ (as he put it) such as product management, fund raising, hiring and networking. For a person who’s been three months into a startup, his talk definitely gave some good pointers as well as validation for the processes we’ve already implemented.
My slides from yesterday are at Slideshare.
30 Apr 2010 – Singapore
The whole brouhaha about the openness (or lack thereof) of Apple and its evilness has had me confused for a while now. On the one hand, I really admire Apple’s gumption in taking on the behemoth that was the mobile phone industry, turning it around and winning in the marketplace because of its sheer awesomeness. On the other hand, the closed nature of the AppStore, the haphazard way in which Apple rejects apps and its borderline anti-competitive stance against Adobe and languages which are neither C nor C++ have gone against the principles of openness of the Web – principles I firmly believe in.
That’s when the epiphany struck. Turn your clocks back to 2005, when a Danish guy with a funny accent demoed how easy it was to make an AJAX-powered blog in a shiny new web-framework called Ruby On Rails. While there were existing web frameworks at the time (Struts, Servlets, PHP et al), Rails changed the way you developed web applications. No more spaghetti SQL in your HTML templates, no more worrying about databases and no more figuring out how you can do AJAX (because Rails came with a snazzy DSL called RJS). For a developer who had no experience doing web applications and databases, Rails was a dream come true. It is my belief that Rails empowered a new generation of developers (and cross-over developers like myself) to get into web application development.
Even a couple of years after the introduction of Rails, all was not well. It was still a bitch to deploy your web application. Ruby as a language was severely handicapped by poor performance, as compared to its other counterparts such as PHP and Python, which led to a lot of FUD that Rails can’t scale. The enterprise mocked Rails as a toy and not something you can build “serious” applications with. Even serious Rails developers complained that Rails forced you to tread the golden-path prescribed by DHH, and if you had to deviate from it, it certainly meant that you were entering a ball of hurt (Merb was a result of such a complaint).
Fast-forward to 2010, and look at how all-encompassing the Rails landscape has become. Ruby On Rails has become such a game-changer that there are multiple companies providing simple deployment solutions which enable you to deploy web applications to the cloud with the press of a button. Sun (sorry EngineYard), Microsoft, Smalltalk and Apple have multiple implementations of Ruby all conforming to a single spec. The fact that Microsoft (and the erstwhile Sun) is pushing for IronRuby to become a part of the .NET suite is certainly proof that Ruby is ready for the enterprise. And, Merb itself is being merged into Rails 3 to address concerns of modularity, while still maintaining the Rails ethos of convention over configuration and sensible defaults.
So, on to the iPhone. The iPhone has changed the mobile phone in a similar way to how Rails changed the world for web developers. Can you imagine being able to distribute applications to mobile phones and actually make money off it before 2008? Can you imagine the mobile internet being mainstream before the iPhone? The iPhone is still a relative child in “technology-years”. Call me naive but in my opinion, the iPhone platform is not evil, it’s just young and immature. Distractions such as the dogmatic App Store and the perceived anti-competitiveness are growing pains. Apple and the iPhone have been able to do so much more than so many other mobile phone companies in the last 20 years. So give it some time.
I understand that there are crucial differences between the stories of Rails and the iPhone – the number one being that Rails itself was open-source and thus is the exact opposite of the iPhone/iPhone OS. But the whole Rails 3 project shows the ability of the Rails Core (and DHH) to admit that Rails is not perfect and that it’s willing to adapt and keep ahead of the competition. They realised that it’s not just enough that Rails is easy to use, it now has to be both powerful and modular and easy to use. They felt that it was now mature and mainstream enough (in that there were enough Rails copycats) that they needed to raise the bar again.
Similarly, it’s absurd to think that the iPhone and its associated ecosystem will not adapt to how users view their mobile phones in a few years’ time. The mobile web will be more mature by then and mobile operating systems and hardware will have advanced to such a stage that it would make my MacBook Pro feel like a calculator from the 80s. Most importantly, more people will begin to see mobile phones as information/communication appliances and not just devices used to make calls. It’s in Apple’s best interests to adapt and keep raising the bar, and it is my belief that they will.