Loophole in iOS Allows Developers Access to Users’ Photos

A recently discovered hole in Apple’s iOS allows third-party developers access to users’ iPhone, iPad or iPod Touch photos by exploiting the device’s location data, according to a report from the New York Times’ Nick Bilton on the Bits blog yesterday.

iOS vulnA recently discovered hole in Apple’s iOS allows third-party developers access to users’ iPhone, iPad or iPod Touch photos by exploiting the device’s location data, according to a report from the New York Times’ Nick Bilton on the Bits blog yesterday.

The loophole lies in the way that applications use certain photo location data. Assuming an iPhone user approves any app that accesses the location data of photos, the app’s developers will be able to capture any of the users’ images while that app is open.

The Times had an unnamed developer create a proof of concept application app to do just this, according to the blog post. The app, called PhotoSpy, was never submitted to the App Store for approval but asked users for access to location data. After granting it, the app began transferring photos and location data from the phone to a remote server.  

Apple first allowed apps access to photo libraries in 2010 with the fourth build of their operating system. The move was intended to allow photo apps better access to let users share and edit photos.

While Apple didn’t immediately respond to a request for comment on Wednesday, they have gone on record regarding any apps that may use a users’ contact information without notification:

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple’s Tom Neumayr told the Wall Street Journal’s AllThingsD blog earlier this month.

The news comes two weeks after it was discovered that Twitter and other apps were uploading users’ contact lists to remote servers without their knowing. Path, a social network that encourages users to share photos and message each other was criticized earlier this month after a researcher found the company’s app uploading users’ address books to the company without notification.

Suggested articles

Discussion

  • Anonymous on

    Developers get access to Frameworks. If you hit NO in the POC or have "Location" off for Camera no location data. iOS and Mac developers, like developers for any platform you get access to certain frameworks. The developer has some skin in the game in Apple eco-system with signing of APPS. This is why Apple's ecosystem is important, developers have to sign applications. If they violate the agreement they can be kick out and all their APP's pulled. The entitlements and restrictions are a very good attempt at balancing the security of the user with experience of the device. Apple has controls on the developer that are enforceable in the event of rouge development. 

     Bigger ?? really related to companies like Facebook, Twitter and Google create APPS. Do they play by the rules when it comes to peoples private data?  How easy is the entitlement process to implement on iOS? Does APPLE strictly control what these big guys do? Are the privacy issues so large on a phone/wallet if controlled primarily by advertising? (Business model of the maker of the product.) Seems to me this is the tip of the privacy iceberg when it comes to mobiles.  I would think social media, media and other players would have the most to gain from users privacy data. That is where we need to have smart people look and see what the big guys are doing. 

    Google found a Web-Kit flaw from 6 months back to get the +1 to work and used it to bypass Safari's Block Advertising option. Seems like plenty of effort (Take a look at technically what they needed to do to bypass this) to create an accident. Why, they make money off advertising dollars. What happens when big data owns your phone? You should be worried as should everyone who depends on these devices not matter the platform. 

    We hooked up these devices to or WiFi and watched the data streams, it was very scary.

    Good job aggregating the story in a responsible manner, that is what Threat Post should be all about. 

    Mitigation

    Turn off location data for camera.

    Do not grant location access to Apps that do not need it. I can think only two, Find my phone and GPS. 

  • Anonymous on

    LocationGate, AddressBookGate and now PhotoGate. Apple hired a top dog NSA guy to head their security, now we know what he did with his position.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.