Photo Location-Tagging in iOS Opens Door to Possible Abuse


It seems that there may be another crack in the App Store walled garden, this time with photos on iOS devices. Photo apps granted location-tracking permission can apparently read, and therefore copy, an iPhone’s entire photo library.

Camera.app Spy

Recent revelations that some apps were collecting contact information and sending it back to developers raised a few privacy eyebrows. This behavior is against App Store policy and some argued that those apps should have been blocked from being approved in the first place. That revelation generated several responses, including some from governmental agencies.

Now it seems that some camera apps also have the ability to collect photos—all the photos—from an iOS device with little or no consent from users. Apparently, when a user OKs location information to be included with photos, it opens a backdoor that allows apps to copy the user’s entire photo library. Geotagging photos is popular and has a number of uses, including displaying photos on a map in iPhoto, Apple’s own Mac-based application.

One difference between this photo exploit and the contact information exploit is that contact information had actually been collected by some developers through their apps. In the case of the photos, there are no reports that this exploit has been taken advantage of, only that it exists. Developers, and therefore Apple, have known about it for some time. iOS 4, released in 2010, granted access to the photo library to help make photo apps more efficient.

Google has not commented on how its operating system handles this same issue.

Comments

BurmaYank

great graphic!

Liz in CA

Moral of the story?  USE. A. ***CAMERA.***  Not a phone.  Yep, sometimes the old geezer coal-burning tools are the best…

zebrum

The photos are accessible without location permission. The photos folder isn’t part of the sandbox. Apple reviewers catch the apps that are using photos by file access rather than through the photo library API; it just can take them a while to detect or read user complaints.
