While we wait patiently for word that Skype for Windows Phone is finally ready, it's natural that we would also get distracted by mobile apps that are similar to, but not the same as, Skype. One such app, Tango, was released on Windows Phone this week. And aside from bearing an uncomfortably identical name to the next Windows Phone OS update, this app also raises some uncomfortable questions.
My Windows Secrets co-author, Rafael Rivera, took a look at Tango and discovered that the app is secretly sending your entire contacts list to the little company's servers, without warning that it is doing so. According to Rivera, after installing and running Tango, the app uploads your phone's address book--which could be aggregated from multiple accounts--to Tango's servers. After the fact, you can go and find a "Save Address Book" option that, when enabled, copies your account to the server. But that option is enabled by default.
(Tango confirmed this behavior. According to the company, if you change this option to Off, your contacts information is purged from their servers.)
So that's a problem. But a bigger problem in my mind is that Tango is one of a small but growing number of Windows Phone apps that have special, Microsoft-sanctioned access to native code in the Windows Phone OS. You may recall that Windows Phone apps are sandboxed for security reasons. But apps with access to native code can bypass these restrictions and do things most apps can't, like perform faster, access the file system and registry, and administer wireless networks and access other radio features.
Native code is outside the sandbox. So there should be extra scrutiny because of the security implications of this access. Rivera is documenting which apps have this special access--I know that Spotify and Navigon are among them, as are most carrier apps--and what additional features these apps can access. But there are so many questions here. Why are some apps special and able to get this access? Is it available to any developer, and if so, how does one even find out? And aren't we heading down a path where there are "have" and "have not" apps in the Windows Phone ecosystem, where the apps with native access are always better than those without?