Surprise! Apple doesn't give a shit that this is happening. If they didn't want developers to have the data, they wouldn't have made the API public. Apple even touts this as a feature in their public-facing developer site!
"iOS apps even have access to a device’s global data such as contacts in the Address Book, and photos in the Photo Library"
This is in no way a failure of the App Review process. This is a failure in the way Apple expects user data to be treated. Lots of developers do this. The only way to stop this is a change in Apple policy, end of story.
This seems like a serious policy 'bug' indeed. The app developers have their part of the fault, but if someone just gives you free stuff, why not just take it?
I've bitched about how restrictive Apple is with the App Store plenty, but that ship has sailed a long time ago. But once you decided to have a restrictive app store and declare to provide "freedom from programs that steal your private data" (http://gawker.com/5539717/), be the best damn restrictive app store you can be and actually provide freedom from programs that steal your private data. Apple has inserted themselves as a necessary component in the developer-customer relationship of iOS (and even declared privacy as one of the reasons why they are necessary), so they damn well should take some blame here.
Yes, or at least not allow open APIs that make it so simple. What else is the point of a walled garden? They're able to make sure all their other arcane rules are followed (like Amazon linking to their web store), they should be able to keep data safe.
It would be absolutely trivial for Apple to flag apps which use the Address Book APIs for closer inspection (including making sure that the user has to opt in to have their Address Book sent anywhere) - the same Apple tool which detects access to unauthorized ("private") Objective-C APIs could just as easily flag access to the AddressBook framework.
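The kind of check the last comment describes, as an added example that is not part of the thread and is not Apple's tool: it reads the load commands of a thin, little-endian Mach-O binary and reports linked libraries that match a framework list. The `FLAGGED` list, the function names and the sample binary are constructed for this illustration.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF        # thin Mach-O, 32/64-bit
LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB = 0xC, 0x80000018
# Frameworks a reviewer wants flagged (list chosen for this example).
FLAGGED = ("/AddressBook.framework/", "/AddressBookUI.framework/")

def linked_dylibs(macho):
    """Install names of every library a thin little-endian Mach-O links."""
    if len(macho) < 28:
        raise ValueError("too short for a Mach-O header")
    magic, = struct.unpack_from("<I", macho, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O")
    ncmds, = struct.unpack_from("<I", macho, 16)
    off = 32 if magic == MH_MAGIC_64 else 28           # header size
    names = []
    for _ in range(ncmds):
        if off + 8 > len(macho):
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", macho, off)
        if cmdsize < 8 or off + cmdsize > len(macho):
            raise ValueError("bad load command size")
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            if cmdsize < 24:
                raise ValueError("dylib command too small")
            name_off, = struct.unpack_from("<I", macho, off + 8)
            if not 24 <= name_off < cmdsize:
                raise ValueError("bad name offset")
            raw = macho[off + name_off:off + cmdsize]
            names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        off += cmdsize
    return names

def flag_for_review(macho):
    """Linked libraries that match the flagged framework list."""
    return [n for n in linked_dylibs(macho) if any(f in n for f in FLAGGED)]

def build_sample(paths):
    """Constructed test input: a 64-bit header plus one LC_LOAD_DYLIB per path."""
    cmds = b""
    for p in paths:
        name = p.encode() + b"\0"
        name += b"\0" * (-(24 + len(name)) % 8)        # pad to 8 bytes
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 0, 0, 0) + name
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, len(paths), len(cmds), 0, 0)
    return header + cmds

SAMPLE = build_sample(["/usr/lib/libSystem.B.dylib",
                       "/System/Library/Frameworks/AddressBook.framework/AddressBook"])
print(flag_for_review(SAMPLE))
```

A match is a triage signal only: it shows the binary links the framework, not what the app does with the data, so it selects apps for the closer inspection the comment asks for.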