A newly discovered loophole in Apple’s iOS operating system can enable app developers to access users’ photos without permission. Recent reports indicate Apple may already be working on a fix for its next update to iOS.
The gap in iOS privacy permissions seems to be much the same as the loophole exploited by Path and other applications that offered unrestricted access to users’ address books. While most people would consider access to their device’s address book and contact information sensitive and confidential, Apple’s iOS does not require developers to obtain users’ explicit permission to access the data, whether through a dialog in every app that wants to access the information or through a system-wide setting.
It turns out iOS devices’ address books weren’t the only things available without explicit permission: if a user allows an application to access location information, the app then has access to the user’s entire photo library without any additional notification. Since iOS devices tag photos with timestamps and location information, in theory access to the photo library could be used to assemble a breadcrumb trail of a user’s movements — or at least where they’ve taken pictures.
Although the capability to access the entire photo library once permission had been granted to access location information has been known to developers for some time, the story was first broken by 9to5 Mac, and followed up by The New York Times.
While the address book loophole was discovered by examining network data transmitted by the popular app Path, so far there don’t appear to be any widely used apps that take advantage of the photo access loophole.
Apple introduced the ability for apps to access a user’s photo library in iOS 4. Apple screens applications for illicit behavior before allowing them to go on sale in its App Store, and could possibly detect and deny approval to apps that siphoned off a user’s photos. However, capturing a user’s address book was also against Apple’s guidelines, and the company nonetheless approved many applications that used the capability.
The Verge reports that Apple is working on a fix for both the address book and photo access problems in a future update of iOS, and that access to the photo library is an unintended side effect of granting permission to access location data, rather than an intended feature.