iOS Photo and Video Privacy Issues Highlighted with New Test Application

by

Earlier this month, privacy issues related to the uploading of users' address books to developers' servers were cast into the limelight as Congress requested details from Apple on how private information is handled and protected. While Apple quickly responded to note that it would be addressing the issue by requiring explicit permission to be granted by users for apps to access their address book data, it has been a relatively open secret for some time that developers can gain access to a broad array of what might be considered private information, including photos, calendars, and other content.

The New York Times today is taking a closer look at the topic of photos and videos, noting how easy it is for developers to quietly gain access to such content when given permission to collect location information.

After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library, without any further notification or warning, according to app developers.

It is unclear whether any apps in Apple’s App Store are actually doing this. Apple says it screens all apps submitted to the store, and presumably it would not authorize an app that clearly copied a person’s photos without good reason. But copying address book data was also against Apple’s rules, and the company let through a number of popular apps that did so.

photospy
The New York Times tested this behavior by commissioning an iOS developer to write a simple test application dubbed "PhotoSpy" that demonstrates how a simple pop-up requesting permission to access location information can actually lead to broad access to all photos and videos in a user's photo library on the device.

When the “PhotoSpy” app was started up, it asked for access to location data. Once this was granted, it began siphoning photos and their location data to a remote server. (The app was not submitted to the App Store.)

Apple and other mobile app distributors recently signed on to a new agreement with the California Attorney General's office that will see the companies making it easier for users to examine privacy policies associated with apps before they download them. And with pressure mounting on Apple to take further steps to ensure that apps can access only information explicitly permitted by users, many are undoubtedly hoping that more changes are coming in the relatively near future.

Update: The Verge reports that "sources familiar with the situation" have indicated the photo and video access is a bug and that a fix is in the works.

We spoke to sources familiar with the situation, and were informed that a fix is most likely coming for the loophole. According to the people we talked to, Apple has been made aware of the issue and is likely planning a fix with an upcoming release of iOS. Those sources also confirmed that the ability to send your photos and videos to a third-party is an error, not an intended feature. If we had to guess, the fix will likely come alongside a patch for Apple's other recent security issue — the ability for apps to upload your address book information without warning.

Popular Stories

AirPods Pro Firmware Feature

Apple Releases Firmware Updates for AirPods Pro 2 and AirPods 4

Monday November 11, 2024 11:28 am PST by
Apple today released firmware updates for both AirPods 4 models (version number 7B20) and the AirPods Pro 2 with both Lightning and USB-C charging cases (version number 7B21). All of these AirPods models were previously on firmware version 7B19. It is not immediately clear what new features or changes are included in firmware versions 7B20 and 7B21, but we will update this story if we find...
Read Full Article48 comments
New Things Your iPhone Can Do in iOS 18

18 New Things Your iPhone Can Do in iOS 18.2

Wednesday November 13, 2024 2:09 am PST by
Apple is set to release iOS 18.2 next month, bringing the second round of Apple Intelligence features to iPhone 15 Pro and iPhone 16 models. This update brings several major advancements to Apple's AI integration, including completely new image generation tools and a range of Visual Intelligence-based enhancements. There are a handful of new non-AI related feature controls incoming as well....
Read Full Article25 comments
iPhone SE 4 Thumb 1

iPhone SE 4 Camera Modules to Enter Mass Production Next Month

Tuesday November 12, 2024 2:56 am PST by
Apple's camera module supplier for the upcoming iPhone SE 4 is set to begin mass production of the components in December, according to a new report coming out of Korea. Economic newspaper Ajunews reports that LG Innotek will supply the front camera module for the budget-friendly fourth-generation device. Final tests are now said to be underway, with mass production of the module following...
Read Full Article34 comments
iphone 6 thickness

iPhone 17 'Air' May Not Be Much Thinner Than iPhone 6

Monday November 11, 2024 5:18 am PST by
Next year's iPhone 17 "Air" model may not be as thin as Apple planned, according to a rumor originating in Korea. According to the news aggregator account "yeux1122" on Naver, citing industry sources, Apple has run into problems making the new iPhone 17 model sufficiently thin. The device's reduced thickness is apparently dependent on manufacturing a battery with a thinner substrate, but...
Read Full Article176 comments
new mac holiday

The Best Early Black Friday Mac Deals

Monday November 11, 2024 7:45 am PST by
Black Friday is getting closer, and prices on MacBook Pro, MacBook Air, iMac, and Mac mini computers have started to drop as the shopping holiday nears. These deals include the latest models of the M4 MacBook Pro and iMac. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site...
Read Full Article10 comments
iOS 18

Here's Everything New in iOS 18.2 Beta 3

Monday November 11, 2024 4:53 pm PST by
Apple seeded the third betas of iOS 18.2 and iPadOS 18.2 to developers for testing today. While the third betas of each update are minor relative to the first two betas, there are still a handful of changes across the Photos app, TV app, and more. A corresponding iOS 18.2 public beta with these changes will likely be released later this week, and Apple previously confirmed that the software...
Read Full Article36 comments
General Final Cut Pro Feature

Apple Likely to Announce Final Cut Pro Update This Week With These New Features

Sunday November 10, 2024 12:13 pm PST by
In its announcement video for the new Mac mini last month, Apple teased an "upcoming" version of Final Cut Pro for the Mac. Apple will likely announce the update during the annual Final Cut Pro Creative Summit, which begins this Wednesday. The conference is held in association with Apple, and attendees will be visiting Apple Park on the first day. Apple already teased four new features...
Read Full Article94 comments
iPad iOS 16 WP Display Feature eric edit

Apple to Launch AI-Powered Home 'Command Center' as Soon as March 2025

Tuesday November 12, 2024 1:09 pm PST by
Apple is planning to launch an AI-powered smart home display as soon as March 2025, according to Bloomberg's Mark Gurman. The display will measure in at approximately six inches, and while it is similar to an iPad, it is square rather than rectangular and it has thick bezels around the edges. There is a camera at the top front so that it can be used for FaceTime, plus there are internal speakers...
Read Full Article116 comments

Top Rated Comments

pmz Avatar
pmz
166 months ago
So, NYT, just to be sure:

1. You asked the user for permission (although not explicitly for what you did).

2. You did not submit this to the App Store (aka, have no idea whether it would have been approved)

Gotcha. Thanks, but you couldn't have put together a more irrelevant example of an App Store App that takes data without permission.
Score: 12 Votes (Like | Disagree)
Consultant Avatar
Consultant
166 months ago
This is a rare area where Android actually does a better job. The developer of each app must state in the packaged manifest file the access permissions to physical hardware (e.g. GPS, microphone) and services (e.g. file system) that the app uses. These requirements are then shown explicitly in the Android marketplace before the use downloads the app. In iOS, there is a plist for developers to state access requirements, but until now, they are not shown in the App Store.

Nope. Android permission can be easily bypassed by Android malware:
http://www.theregister.co.uk/2011/11/30/google_android_security_bug/
Score: 8 Votes (Like | Disagree)
newagemac Avatar
newagemac
166 months ago
This is a rare area where Android actually does a better job. The developer of each app must state in the packaged manifest file the access permissions to physical hardware (e.g. GPS, microphone) and services (e.g. file system) that the app uses. These requirements are then shown explicitly in the Android marketplace before the use downloads the app. There is no similar equivalent in iOS or the App Store.
The problem with that approach is that it isn't granular enough. And it can't possibly be granular enough to prevent malware and rogue apps. For example, let's say let's say you are looking for a file manager for your Android device. Well, the manifest says the app needs access to the file system. "Ok, that makes sense." Then you download the app and it proceeds to delete every file on your device and replace them with viruses or something.

There is absolutely no way you can defend against that unless you have a curated approach. If it's a file manager, it needs access to your files. Likewise in the NY Times example, if it is a photo editing app, it needs access to your photos. There is no way getting around it. Someone has to actually test the app to know what exactly it will do once it has access to some particular part of your device. That's why Android is a goldmine for malware and privacy invaders.
Score: 8 Votes (Like | Disagree)
BaldiMac Avatar
BaldiMac
166 months ago
If this is okay on iOS, why do you make such a big deal about the same thing on Android?

Having access to private data is not the same thing as malware??? :confused:
Score: 7 Votes (Like | Disagree)
dethmaShine Avatar
dethmaShine
166 months ago
This has been verified by a number of people on the forums.

- contacts
- calendars
- photos
- videos

Nothing new. Although, highly severe and critical.

Apple made a mess out of them. They should have treated this data, the way they treat locations in general. Too lenient.
Score: 7 Votes (Like | Disagree)
jtara Avatar
jtara
166 months ago
When I first looked at this, I wondered why it even has to request permission for location data.

Well, it does, and that's because photos might contain location information in the metadata.

So, iPhone users can at least be assured that their photos aren't being accessed if the app doesn't ask permission for location data.

This problem has existed since Day 1, and has been ignored by both Apple and millions of users. It goes to show you how easily we trust those who should not be trusted today. I am baffled at the phenomena.

That the public doesn't care is illustrated by the widespread use of Facebook.

It's going to bite many people. I do think that the public will take an about face over the next couple of years, as the chickens come home to roost. I think the major factor driving this will be the largescale abandonment of the traditional resume by job-seekers and employers.

Lots of people are going to find that they screwed themselves royally.
Score: 6 Votes (Like | Disagree)
Read All Comments