Overlooked in last week's revelation that the National Security Agency is harvesting hundreds of millions of e-mail address books around the world was this surprising factoid: Apple makes this mass collection easier because the Address Book app that by default manages Mac contacts doesn't use HTTPS encryption when syncing with Gmail accounts.
As a result, addresses that automatically travel between Macs and Google servers are sent as plain text, independent privacy researcher Ashkan Soltani wrote in The Washington Post last Monday. He provided the above screenshot demonstrating that Address Book contents appear in the clear to anyone who has the ability to monitor traffic over a Wi-Fi network or other connection. His observation came 15 months after another Mac user also warned that the Mac app offered no way to enable HTTPS when syncing e-mail address lists with Gmail.
"It appears that it's an Apple issue," Soltani told Ars, referring to the inability to enable HTTPS when Apple's Address Book is updated to a user's Gmail account. "Their other products support Gmail over via HTTPS, so I suspect it would be a three-line fix in the contacts to alleviate this problem."
In fairness to Apple, Soltani pointed to this description of the Google contacts programming interface, which was officially discontinued in April 2012. It indicated HTTP as the sync mechanism for address books. It's possible Apple developers haven't updated their code since Google introduced the change. It's also possible the lack of HTTPS encryption will be fixed in Mavericks, the upcoming version of Mac OS X that Apple is expected to unveil Tuesday.
Once the current version of Address Book is configured to sync with Google's popular e-mail service, the Apple app checked in about once an hour on Macs Soltani tested. Anytime the app contained an address not found in Gmail, it would send the data unencrypted. Interestingly, the program uses the HTTPS protocol to cryptographically authenticate the machine advertising itself as a Gmail server, but the app goes on to send the addresses in plain text over an unencrypted HTTP connection, he said.