iOS Photo and Video Privacy Issues Highlighted with New Test Application

Earlier this month, privacy issues related to the uploading of users' address books to developers' servers were cast into the limelight as Congress requested details from Apple on how private information is handled and protected. While Apple quickly responded to note that it would be addressing the issue by requiring explicit permission to be granted by users for apps to access their address book data, it has been a relatively open secret for some time that developers can gain access to a broad array of what might be considered private information, including photos, calendars, and other content.

The New York Times today is taking a closer look at the topic of photos and videos, noting how easy it is for developers to quietly gain access to such content when given permission to collect location information.

After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library, without any further notification or warning, according to app developers.

It is unclear whether any apps in Apple’s App Store are actually doing this. Apple says it screens all apps submitted to the store, and presumably it would not authorize an app that clearly copied a person’s photos without good reason. But copying address book data was also against Apple’s rules, and the company let through a number of popular apps that did so.

photospy
The New York Times tested this behavior by commissioning an iOS developer to write a simple test application dubbed "PhotoSpy" that demonstrates how a simple pop-up requesting permission to access location information can actually lead to broad access to all photos and videos in a user's photo library on the device.

When the “PhotoSpy” app was started up, it asked for access to location data. Once this was granted, it began siphoning photos and their location data to a remote server. (The app was not submitted to the App Store.)

Apple and other mobile app distributors recently signed on to a new agreement with the California Attorney General's office that will see the companies making it easier for users to examine privacy policies associated with apps before they download them. And with pressure mounting on Apple to take further steps to ensure that apps can access only information explicitly permitted by users, many are undoubtedly hoping that more changes are coming in the relatively near future.

Update: The Verge reports that "sources familiar with the situation" have indicated the photo and video access is a bug and that a fix is in the works.

We spoke to sources familiar with the situation, and were informed that a fix is most likely coming for the loophole. According to the people we talked to, Apple has been made aware of the issue and is likely planning a fix with an upcoming release of iOS. Those sources also confirmed that the ability to send your photos and videos to a third-party is an error, not an intended feature. If we had to guess, the fix will likely come alongside a patch for Apple's other recent security issue — the ability for apps to upload your address book information without warning.

Top Rated Comments

pmz Avatar
119 months ago
So, NYT, just to be sure:

1. You asked the user for permission (although not explicitly for what you did).

2. You did not submit this to the App Store (aka, have no idea whether it would have been approved)

Gotcha. Thanks, but you couldn't have put together a more irrelevant example of an App Store App that takes data without permission.
Score: 12 Votes (Like | Disagree)
Consultant Avatar
119 months ago
This is a rare area where Android actually does a better job. The developer of each app must state in the packaged manifest file the access permissions to physical hardware (e.g. GPS, microphone) and services (e.g. file system) that the app uses. These requirements are then shown explicitly in the Android marketplace before the use downloads the app. In iOS, there is a plist for developers to state access requirements, but until now, they are not shown in the App Store.

Nope. Android permission can be easily bypassed by Android malware:
http://www.theregister.co.uk/2011/11/30/google_android_security_bug/
Score: 8 Votes (Like | Disagree)
newagemac Avatar
119 months ago
This is a rare area where Android actually does a better job. The developer of each app must state in the packaged manifest file the access permissions to physical hardware (e.g. GPS, microphone) and services (e.g. file system) that the app uses. These requirements are then shown explicitly in the Android marketplace before the use downloads the app. There is no similar equivalent in iOS or the App Store.
The problem with that approach is that it isn't granular enough. And it can't possibly be granular enough to prevent malware and rogue apps. For example, let's say let's say you are looking for a file manager for your Android device. Well, the manifest says the app needs access to the file system. "Ok, that makes sense." Then you download the app and it proceeds to delete every file on your device and replace them with viruses or something.

There is absolutely no way you can defend against that unless you have a curated approach. If it's a file manager, it needs access to your files. Likewise in the NY Times example, if it is a photo editing app, it needs access to your photos. There is no way getting around it. Someone has to actually test the app to know what exactly it will do once it has access to some particular part of your device. That's why Android is a goldmine for malware and privacy invaders.
Score: 8 Votes (Like | Disagree)
BaldiMac Avatar
119 months ago
If this is okay on iOS, why do you make such a big deal about the same thing on Android?

Having access to private data is not the same thing as malware??? :confused:
Score: 7 Votes (Like | Disagree)
dethmaShine Avatar
119 months ago
This has been verified by a number of people on the forums.

- contacts
- calendars
- photos
- videos

Nothing new. Although, highly severe and critical.

Apple made a mess out of them. They should have treated this data, the way they treat locations in general. Too lenient.
Score: 7 Votes (Like | Disagree)
jtara Avatar
119 months ago
When I first looked at this, I wondered why it even has to request permission for location data.

Well, it does, and that's because photos might contain location information in the metadata.

So, iPhone users can at least be assured that their photos aren't being accessed if the app doesn't ask permission for location data.

This problem has existed since Day 1, and has been ignored by both Apple and millions of users. It goes to show you how easily we trust those who should not be trusted today. I am baffled at the phenomena.

That the public doesn't care is illustrated by the widespread use of Facebook.

It's going to bite many people. I do think that the public will take an about face over the next couple of years, as the chickens come home to roost. I think the major factor driving this will be the largescale abandonment of the traditional resume by job-seekers and employers.

Lots of people are going to find that they screwed themselves royally.
Score: 6 Votes (Like | Disagree)

Top Stories

samsung experience 1

Samsung's 'iTest' Lets You Try a Galaxy Device on Your iPhone

Thursday April 8, 2021 12:42 pm PDT by
Samsung has launched "iTest," an interactive website experience that's designed to allow iPhone users to test out Android on a Galaxy device, or "sample the other side," as Samsung puts it. Subscribe to the MacRumors YouTube channel for more videos. The iTest website is being advertised in New Zealand, according to a MacRumors reader who came across the feature. Visiting the iTest website on...
sonny 2021 ipad mini pro dummies

Leaked Dummy Units Show iPad Mini 6 With Thick Bezels and Home Button, New iPad Pro Models

Thursday April 8, 2021 2:11 am PDT by
Rumors suggest Apple will release refreshed versions of the iPad mini and iPad Pro models in the first half of this year, potentially as soon as this month, and a new leak today has provided us with a possible preview of what to expect in terms of the devices' overall design and camera prospects. Tech leaker and Apple blogger Sonny Dickson this morning shared images on Twitter showing dummy ...
iMessage Android featured

Apple's Rationale for Not Bringing iMessage to Android Revealed in Legal Documents

Friday April 9, 2021 2:22 am PDT by
It's no secret that Apple sees iMessage as a big enough selling point to keep the service exclusive to Apple devices, however new court filings submitted by Epic Games in its ongoing lawsuit with the company reveal just how Apple executives have rationalized their decision not to develop a version of iMessage for Android. Apple clearly recognizes the power that iMessage has to keep users...
fake airpods 3

Counterfeit 'AirPods 3' Hit the Market Prior to Official Announcement

Friday April 9, 2021 2:45 am PDT by
Apple is expected to launch the third iteration of AirPods in the third quarter of this year. Rumors and reports suggest the new AirPods will feature an updated design more in line with the AirPods Pro, but lacking in "Pro" features such as active noise cancellation. Despite AirPods 3 not yet being officially announced by Apple, counterfeit products of the unreleased earbuds have already hit ...
nba tracking prompt orange

Two-Thirds of iPhone Users Expected to Block Ad Tracking

Friday April 9, 2021 7:19 am PDT by
As many as 68 percent of iPhone users are expected to deny advertisers permission to track them thanks to Apple's App Tracking Transparency feature, in what is beginning to look like a significant blow to the advertising industry (via AdWeek). With the launch of iOS 14.5, apps will have to receive explicit user permission before accessing an iPhone's advertising identifier or IDFA, which is...
iPhone 13 Battery Life Feature

DigiTimes: iPhone 13 Pro Models to Feature 120Hz ProMotion Refresh Rate and 15-20% Less Power Consumption

Friday April 9, 2021 12:52 am PDT by
The two premium "Pro" models of the upcoming iPhone 13 lineup will be equipped with a low-power LTPO display, enabling the iPhones to have a 120Hz refresh rate, according to industry sources cited by Taiwanese publication DigiTimes. According to today's paywalled report, Apple suppliers Samsung and LG Display are in the process of converting parts of their production capacity to produce LTPO ...
ipad pro and macbook pro

iPad and MacBook Production Reportedly Delayed Due to Global Chip Shortage

Thursday April 8, 2021 2:31 am PDT by
Apple is facing a global shortage of certain components for some of its MacBook and iPad models, causing the Cupertino tech giant and its suppliers to postpone production of the products, according to a new report from Nikkei Asia. According to the report, MacBook production is being hindered due to the shortage of chips mounted onto the circuit board before final assembly, which is a key...
ehric

iPhone 12 Mini Missing From Top 5 Best Selling Smartphone List of January 2021

Friday April 9, 2021 4:58 am PDT by
According to market data compiled by Counterpoint Research, Apple's smallest iPhone since the 2016 iPhone SE, the iPhone 12 mini, struggled to obtain a spot in the top five list of best-selling smartphones in January of this year. According to the market data, the iPhone 12 mini came in eighth place for the best-selling smartphone worldwide in the first month of the year. However, the iPhone ...
tmobile 5g modem

T-Mobile Launches Unlimited 5G Home Internet for $60/Month

Wednesday April 7, 2021 2:18 pm PDT by
T-Mobile today hosted an Un-carrier event where the company announced the launch of a a new 5G home internet plan, which is priced at $60 per month and offers unlimited data. The service is available to more than 30 million Americans across much of the United States, including 10 million households in rural areas not typically able to access reliable broadband. Connectivity will be either 4G ...
apple find my network

Apple Announces Find My Network With Support for Third-Party Devices

Wednesday April 7, 2021 10:06 am PDT by
Apple today announced the launch of its Find My network accessory program, which is designed to allow third-party Bluetooth devices to be tracked in the Find My app right alongside your Apple devices. According to Apple, the first accessory companies to take advantage of the new Find My integration include Belkin, Chipolo, and VanMoof, with devices set to be available beginning next week. ...