A recently discovered hole in Apple’s iOS allows third-party developers access to users’ iPhone, iPad or iPod Touch photos by exploiting the device’s location data, according to a report from the New York Times’ Nick Bilton on the Bits blog yesterday.
The loophole lies in the way that applications use certain photo location data. Assuming an iPhone user approves any app that accesses the location data of photos, the app’s developers will be able to capture any of the users’ images while that app is open.
The Times had an unnamed developer create a proof of concept application app to do just this, according to the blog post. The app, called PhotoSpy, was never submitted to the App Store for approval but asked users for access to location data. After granting it, the app began transferring photos and location data from the phone to a remote server.
Apple first allowed apps access to photo libraries in 2010 with the fourth build of their operating system. The move was intended to allow photo apps better access to let users share and edit photos.
While Apple didn’t immediately respond to a request for comment on Wednesday, they have gone on record regarding any apps that may use a users’ contact information without notification:
“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple’s Tom Neumayr told the Wall Street Journal’s AllThingsD blog earlier this month.
The news comes two weeks after it was discovered that Twitter and other apps were uploading users’ contact lists to remote servers without their knowing. Path, a social network that encourages users to share photos and message each other was criticized earlier this month after a researcher found the company’s app uploading users’ address books to the company without notification.