  iPhone Dev Storm8 Sued Over User Data Harvesting Allegations
by Danny Cowan
November 6, 2009

iPhone developer Storm8 has been served with a class action lawsuit accusing the company of collecting and transmitting its users' phone numbers without prior consent or notification.

Storm8 publishes a lineup of popular multiplayer online role-playing games for the iPhone and iPod Touch, including World War, iMobsters, and Vampires Live.

The suit, filed by Washington resident Michael Turner and reported by technology blog Boing Boing, alleges that Storm8 engaged in the practice of "accessing, collecting, and transmitting without notice or consent the wireless telephone numbers of iPhone users who download Storm8's games to their iPhones via Apple's App Store."

Furthermore, it claims, "The wireless telephone numbers of users' phones are not used or necessary to play any of Storm8's games, yet Storm8 has written the software for all its games in such a way that it automatically accesses, collects, and transmits the wireless telephone number of each iPhone user who downloads any Storm8 game. It does so without disclosing this to any user before or after the fact."

Storm8 acknowledged this behavior in August, claiming that any harvesting action was the result of a bug that had been fixed in a software update.

The suit, however, says that no such activity could take place as the result of a programming error. "Storm8's characterizations of its practice of harvesting phone numbers as a 'bug' and an 'oversight' are false," the lawsuit reads. "Storm8 could not have accidentally harvested its users' phone numbers — it used very specific and specialized software code to do so."

Storm8 has not yet publicly addressed the matter.
 
   
 
Comments

Ephriam Knight
I agree that there is no way to accidentally harvest user information. Especially if that information is transmitted and I presume stored somewhere off the phone.

Timothy Ryan
Sounds like Rockstar's Hot Coffee excuse ... BUSTED.

Tarragon Allen
Just playing devil's advocate here: The Storm8 games are essentially online games; they interact with the Storm8 servers, I believe it's through HTTP in fact. Given that the entire game is via an online service (you can't play the game without Internet access) is it actually that hard to believe that the code might have accidentally used unrequired information such as the phone number in the headers while sending the GET/POST requests (or whatever)?

There is no actual proof in the information provided above to suggest that Storm8 either a) store this information, at all, or b) meant to use this information for a purpose other than providing the regular game service.

Let's not jump to conclusions and put them in front of the firing squad before hearing the full case, eh?

Jon Bell
To query the phone number of an iPhone the developer may use the following API:

NSString *num = [[NSUserDefaults standardUserDefaults] stringForKey:@"SBFormattedPhoneNumber"];

It is unlikely that this could be called by mistake. In addition, this API is not supported by Apple and may cause an app to be rejected during the submission process as seen here: http://stackoverflow.com/questions/193182/programmatically-get-own-phone-number-in-iphone-os/1685369#1685369

The HTTP headers do not include the phone number of the device unless the developer inserts it themselves. Doing so would require use of the unauthorized API listed above or prompting the user to input their phone number.

Alexander Kral
Maybe they just wanted to store phone numbers so they could determine which areas have a bad connection for online features. Perhaps it was for debugging or beta purposes and they forgot to remove the code. Or maybe they DID deactivate the feature, but a bug or other mistake accesses the code accidentally.

Andrew Dobbs
Some more shady stuff...this time from social game developer Zynga: http://www.techcrunch.com/2009/11/07/horrible-things-slink-back-into-zynga/.

Peter Dwyer
@Tarragon Allen and Alexander Kral

There is simply no accidental way to harvest phone numbers or user data from a phone (any phone). The data has to be specifically requested within code. In the case of games there is zero reason to ever need that information.

Jon above even lists the API calls that would need to have been made to get the information. Web calls don't include phone data so none of Storm8's stuff would ever have needed it for testing or otherwise. I assume Apple have removed these games or will do once this news reaches their ears.

Eirik Moseng
@Dwyer

Unless the code comes from something else, i.e. another engine where they have overlooked to remove parts of the code. I agree it's rather weak, however, still possible.

@Bell / Dwyer
Yes, WEB calls do include phone data in certain countries as part of HTTP headers (including phone number or a typical msisdn hash). This is not added by the device itself but by different carriers. Some carriers do this for all users and some add it on specific URLs provided as part of CPA agreements. But this is not likely the case above either.

It all sounds rather suspicious though.
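
Whether a phone number reaches the server in a URL, a header or a body, in plain or hashed form, can be checked on requests logged from a test device; the following is an added example, not part of the article or of any comment. The number, host, requests and the header name X-Carrier-MSISDN are constructed, and hashing only the full-digit form is an assumption.

```python
import hashlib
import re
from urllib.parse import unquote_plus

HASHES = ("md5", "sha1", "sha256")

def number_variants(msisdn):
    """Plain and hashed forms of one phone number to search for."""
    digits = re.sub(r"\D", "", msisdn)
    plain = [digits]
    # Assumption: an 11-digit number starting with 1 is NANP, so the
    # 10-digit national form is also searched for.
    if len(digits) == 11 and digits.startswith("1"):
        plain.append(digits[1:])
    hashed = {h: hashlib.new(h, digits.encode()).hexdigest() for h in HASHES}
    return plain, hashed

def find_leaks(request, msisdn):
    """Return (location, form) pairs where the number appears in a request."""
    plain, hashed = number_variants(msisdn)
    fields = [("url", request["url"])]
    fields += [("header:" + k.lower(), v) for k, v in request["headers"].items()]
    fields.append(("body", request.get("body", "")))
    hits = []
    for location, raw in fields:
        decoded = unquote_plus(raw)
        # Drop phone punctuation so "(206) 555-0142" matches; this can
        # over-match, so treat hits as leads to review by hand.
        squeezed = re.sub(r"[\s().+-]", "", decoded)
        if any(p in squeezed for p in plain):
            hits.append((location, "plain"))
        hits += [(location, h) for h, v in hashed.items() if v in decoded.lower()]
    return hits

# Constructed test-device number and requests (not real traffic).
NUMBER = "+1 (206) 555-0142"
UA = {"User-Agent": "GameClient/1.0"}
SAMPLES = [
    {"url": "http://game.example/api/attack?target=42", "headers": UA, "body": ""},
    {"url": "http://game.example/api/login", "headers": UA,
     "body": "udid=abc123&phone=%28206%29+555-0142"},
    # "X-Carrier-MSISDN" is a hypothetical carrier-added header name.
    {"url": "http://game.example/api/sync",
     "headers": {**UA, "X-Carrier-MSISDN": "12065550142"}, "body": ""},
    {"url": "http://game.example/api/sync?h="
            + hashlib.sha1(b"12065550142").hexdigest(), "headers": UA, "body": ""},
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLES):
        print(i, find_leaks(req, NUMBER))
```

A header hit on a request the app itself never populated points to the carrier path described above rather than to the app's code.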

raigan burns
I would assume that by "accidental" they would mean something more like "it was for debugging and was meant to be commented out in the release build" as opposed to "the programmer tripped and fell on his keyboard and typed in that code". Because the latter defense is really stupid/unbelievable.

Sean Parton
Props to Jon Bell for the line of code/insight.

Tarragon Allen does bring up a good point; so far, there hasn't been any actual indication that they're doing anything with the phone numbers. That said, I don't know how much the code has been audited by people who've found out about the line of code that finds the phone number.

John Till
Well, if it was being sent back via HTTP, the question is: What did the web server do with it? If there were fields in a database created to store that information once the web server received it and parsed the URL, then you know with 100% proof they created the software with the intention to collect that information. If they only stored the URL without parsing it, then you have to ask: What other data was sent as part of request? If there's nothing else, then once again you know they were targeting the user's info. Other than those two scenarios, it could be an honest mistake that they tried to rectify as soon as they were aware it was sending that data illegally. If the information never made it off their servers, I'd probably give them the benefit of the doubt.

Tarragon Allen
There's a couple of other things to consider here:

1) is sending phone number information like this actually illegal? If it were, I'd have presumed this would be more than a civil case.

2) for any result in the civil case, I'd say that the litigant will need to prove they were "damaged" somehow. If Storm8 can show that the data wasn't stored or used in any way, I think proving damages will be difficult.

