X

iOS security loophole lets apps grab user photos

A software feature that lets apps access user location has also been found to give developers access to that user's entire photo library.

Josh Lowensohn Former Senior Writer
Josh Lowensohn joined CNET in 2006 and now covers Apple. Before that, Josh wrote about everything from new Web start-ups, to remote-controlled robots that watch your house. Prior to joining CNET, Josh covered breaking video game news, as well as reviewing game software. His current console favorite is the Xbox 360.
See full bio
Josh Lowensohn
3 min read
The iPhone's camera roll, something developers can download without you knowing?
The iPhone's camera roll, something developers can download without you knowing? Josh Lowensohn/CNET

An iOS security feature that lets users share information about their location can also be a conduit for those applications to surreptitiously grab user photos, according to a new report.

The New York Times' Bits blog today details how developers can gain access to a user's entire photo library through the same user dialog window that requests access to a user's current location. When users click the OK button, the report says, the developer can then copy photos--complete with GPS metadata--to a remote server, without alerting users to the fact.

Before wrapping your iPhone in tinfoil and throwing it into a fire, know that Bits says it's "unclear" if any apps that have been published to the App Store actually exhibit this behavior. Nonetheless, it adds that an unpublished test application from an unnamed iOS developer was able to successfully upload user photos using the dialog option.

Apple did not respond to a request for comment.

According to Bits, the potential for this loophole opened up in 2010 with the introduction of Apple's iOS 4.0 software. While the focus of that release was on bringing multitasking to Apple's mobile operating system, it also added the location feature in the name of efficiency.

Related stories

This is the latest instance of Apple's mobile location features drawing concerns over user privacy. Last April, security researchers took issue with Apple's logging of user location data, which was found to be stored unencrypted. Researchers took the data, which covered up to a year's worth of location entries, and suggested that it could be used to track where users were going, including where they lived.

Apple stayed mum on the subject for a week, later addressing it as a "bug" and saying that the file was used to speed up how fast it could identify people's whereabouts inside applications, as well as fuel a crowd-sourced location database. A software update a few weeks later cut the database down to seven days' worth of data and kept the file from being stored on local machines, however that didn't stop the incident from being referred to as "locationgate."

More recently, attention has been focused not on Apple's collection of user information, as much as what it's allowing third-parties to access. Earlier this month, for example, we learned that some apps were collecting users' contact information without their permission. After the issue came to a head, Apple said such apps were in violation of its App Store Guidelines, and that a change was being made to require those applications to seek "explicit user approval," as part of an upcoming iOS update.

Update at 3:23 p.m. PT: Citing "sources familiar with the situation," The Verge reports that a fix could be on the way as part of an iOS software update. However the outlet gives no indication of when that would be.