It’s been a crazy few sleepless weeks as we ploughed through some pretty heavy tech problems, but it’s finally a reality. We are proud to take the covers off Action.IO. It’s days like these which make it all worth it, as I sit here with my friends at 3AM basking in all the love that we’re getting from our fellow developers. It is truly humbling.
We have some amazing stories to tell about all the code that has gone into action.io, but that is for another day. In the meantime, take a look at this walkthrough video, and sign up to be part of the future.
Also, we would really appreciate some Hacker News love for our story (look for action.io on the homepage).
It’s taken us a while, but we’re happy to announce that the little side project we’ve been working on – an unofficial Path client for OS X – is live. What’s more, it is open-source and is available under an MIT License on GitHub. You can read a more in-depth behind-the-scenes story here.
It’s been a challenge working on Denso as well as this side project, but I had a lot of fun working with Peter, Kent and AJ on this Journey ;) (no pun intended).
We think the Anideo Hackathon experiment has been a success and we hope to continue to host more hackathons and foster a culture of building good software here in Singapore.
Path has released a new version of the app which asks for permission before it sends your address book to its servers and has blogged about the episode.
Dave Morin, the CEO of Path has responded in the comments and I’ve pasted it below. As an aside – never in my wildest dreams did I imagine this to blow up like this. I hope we can keep calm and continue to discuss this sensibly.
Arun, thanks for pointing this out. We actually think this is an important conversation and take this very seriously. We upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.
We believe that this type of friend finding & matching is important to the industry and that it is important that users clearly understand it, so we proactively rolled out an opt-in for this on our Android client a few weeks ago and are rolling out the opt-in for this in 2.0.6 of our iOS Client, pending App Store approval.
Dave Morin Co-Founder and CEO of Path
It all started innocently enough. I was thinking of implementing a Path Mac OS X app as part of our regularly scheduled hackathon. Using the awesome mitmproxy tool which was featured on the front page of Hacker News yesterday, I started to observe the various API calls made to Path’s servers from the iPhone app. It all seemed harmless enough until I observed a POST request to https://api.path.com/3/contacts/add.
Upon closer inspection, I noticed that my entire address book (including full names, emails and phone numbers) was being sent as a plist to Path. Now I don’t remember having given Path permission to access my address book and send its contents to its servers, so I created a completely new “Path” account and repeated the experiment, and I got the same result: my address book was in Path’s hands.
I’m not insinuating that Path is doing something nefarious with my address book but I feel quite violated that my address book is being held remotely on a third-party service. I love Path as an iOS app and I think there are some brilliant people working on it, but this seems a little creepy. I wonder how many other iOS apps actually do the same…
The Trail of Events
As soon as you create a new account on Path, a call is made to https://api.path.com/1/users.plist with your first name, last name, gender and password. A plist is returned which contains the user’s ID as well as other information such as the date of creation.
This API call uses basic HTTP authentication (with a certain key) to obtain some metadata about myself - from the binary plist file it looks like it contains my first name, last name, cover photo, profile picture, etc.
This is the actual offending call which uploads my entire address book to Path.
This is followed by normal API calls which, among other things, update my location, fetch my activity stream and track events within the app using Mixpanel.
How to do this at home
This has been tried out on Mac OS X Lion 10.7.2.
Download the mitmproxy tool and set it up by going to the mitmproxy folder and running sudo python setup.py install. If all goes well, mitmproxy should now be available in your $PATH.
Start mitmproxy by running mitmproxy.
Obtain the IP address of your computer by running ifconfig en1 (or whatever is the interface that you are using).
Set the proxy on your iPhone by going to your wireless settings, setting the proxy to “Manual”, setting the IP to your computer’s IP and the port to 8080.
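Once traffic is flowing through the proxy, the tedious part is spotting which of the many requests actually carries address-book data. The following script is an added example (not from the original post or from Path or mitmproxy) that parses a captured request body as a plist and counts e-mail addresses and phone numbers in it, flagging bodies that look like a contact dump. The sample bodies and the contact field names are constructed for illustration and are not Path’s real schema; the location URL is a placeholder.

```python
import plistlib
import re
from typing import Any, Iterator

# Constructed sample of a contacts upload (assumption: a plist array of contact
# dicts; the field names are illustrative, not Path's real schema).
SAMPLE_CONTACTS_URL = "https://api.path.com/3/contacts/add"
SAMPLE_CONTACTS_BODY = plistlib.dumps(
    [
        {"first": "Alice", "last": "Example", "emails": ["alice@example.com"], "phones": ["+65 9123 4567"]},
        {"first": "Bob", "last": "Example", "emails": ["bob@example.com"], "phones": ["+1 555 0100"]},
        {"first": "Carol", "last": "Example", "emails": ["carol@example.com"], "phones": ["+44 20 7946 0000"]},
    ],
    fmt=plistlib.FMT_BINARY,
)
# Constructed benign plist, e.g. a location update, with no contact data (placeholder URL).
SAMPLE_LOCATION_URL = "https://example.invalid/location-update"
SAMPLE_LOCATION_BODY = plistlib.dumps({"lat": 1.2903, "lng": 103.8519})

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")


def iter_strings(node: Any) -> Iterator[str]:
    """Yield every string leaf in a nested plist structure (dicts and arrays)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from iter_strings(value)
    elif isinstance(node, (list, tuple)):
        for value in node:
            yield from iter_strings(value)


def scan_request(url: str, body: bytes, threshold: int = 5) -> dict:
    """Parse one captured body as a plist (XML or binary) and count contact-like strings.

    A body holding at least `threshold` e-mails plus phone numbers is flagged as
    suspicious; a body that is not a plist at all is reported with plist=False.
    """
    try:
        data = plistlib.loads(body)
    except Exception:  # not an XML or binary plist (e.g. JSON or form data)
        return {"url": url, "plist": False, "emails": 0, "phones": 0, "suspicious": False}
    strings = list(iter_strings(data))
    emails = sum(1 for s in strings if EMAIL_RE.match(s))
    phones = sum(1 for s in strings if PHONE_RE.match(s))
    return {"url": url, "plist": True, "emails": emails, "phones": phones,
            "suspicious": emails + phones >= threshold}
```

The same function can be called on each request a proxy hands you (for mitmproxy, from a `request` hook using the flow’s request URL and content), so that only requests that look like a contact dump are surfaced for manual review.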
Decided to give my blog a fresh coat of Bootstrap paint. I used Bootstrap for a small project called muxx.it earlier this month and loved it — it is definitely one of the best pieces of software to come out this year (especially for design-sense-challenged folks such as myself).
The main reason I wanted to re-design my blog was that I’ve been meaning to pen a year-end review of what’s been quite a roller-coaster twelve months. I didn’t want to publish something on what was, quite frankly, an ugly and dated site, and so here we are.
Hopefully I’ll get down to writing my year-end review in the next couple of days.
I gave a quick presentation yesterday at the June installment of the Singapore Ruby Brigade held at HackerspaceSG. As always, SRB is a great place to meet people and catch up with all the great work that’s going on here. Many thanks to Jason for organising the monthly meetups and to Zhenyi for his camerawork yesterday which has brought SRB June online.
It was also great to listen to Ming Yeow and his experiences (both the highs and the lows) while building MrTweet, as well as experiencing every layer of the ‘startup stack’ (as he put it) such as product management, fund raising, hiring and networking. For someone who’s been three months into a startup, his talk definitely gave some good pointers as well as validation for the processes we’ve already implemented.