Apple doesn't prompt the user to ask for permission when the APIs are used (like what happens with location), so this is the desired behavior. It's very simple:
17.1 Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used
It's likely that this app will be pulled from the App Store within the next few hours.
All that means is that it has to be mentioned in a very long terms of service somewhere. If Apple cared about address book information like they currently do for location data they would make the API query the user.
I noticed that Path did this a few weeks ago when I initially installed it. My reaction was much the same: WTF?! I proceeded to file a bug report with Apple that the API should prompt for access just like the Core Location API does (somebody having ALL my contacts' info is more important to me than an app knowing where I currently am). My bug was closed as a duplicate; hopefully a change is in the works.
Yep, which makes the address book a hack for (high-latency, obviously) cross-app communication. E.g., last I knew, TextExpander added an entry to your address book with your abbreviations, so that other apps e.g. Simplenote can use those abbreviations as you type. Very well intentioned hack, which shouldn’t be necessary, but is, using an API that really just shouldn’t be open…
https://developer.apple.com/library/ios/#documentation/Addre...