Apple has a reputation, rightly or wrongly, for taking security on its iOS platform very seriously. Developer Felix Krause recently called attention to a simple hack that can be used to steal passwords on iOS, and now he’s back with another potential Apple security hole. According to Krause, the way Apple manages the camera app on iOS opens the door for apps to spy on users and upload footage to the internet.
Krause is the founder of Fastlane, a developer toolkit that was acquired by Google this year. While he does work for Google, Krause says this is a personal project. All the code (and a sample app) is posted to GitHub, so others are free to check his work. The gist of the problem is that granting the camera permission to an app gives it far too much power. The sample app shows how a seemingly innocent app that’s following all of Apple’s rules could actually be snooping on everything you do.
When you allow an iOS app to access your camera, it can take photos and videos via both cameras. However, it can do this at any moment while you have the app open. You don’t need to press a button, and there’s not even any indication an image was captured. The app can also run facial recognition on the images it captures (in iOS 11). Most troubling, granting the camera permission also allows the app to upload the files to the internet as it takes them. That’s all demonstrated by Krause’s test app (minus the uploading part).
This approach to the camera permission might seem sketchy in this context, but there could be completely innocent uses for it. For example, an app might automatically capture photos at set intervals to create a timelapse, or shoot a photo when it detects motion. The problem is Apple’s one-size-fits-all permission. It should at least separate the photo capture and upload permissions. Krause also suggests an icon could appear in the status bar when an app is taking photos.
It’s unknown if Apple’s famously stringent app review process has been looking for this sort of behavior. Maybe it’ll start watching for it now, though. Apple has yet to make a statement on this matter. If you’re especially worried, Krause suggests revoking the camera permission from apps after you’ve used them. You could also just cover the cameras up, but that seems a wee bit extreme.