Yesterday, The New York Times described a security issue that allows an app to upload geotagged photos from an iOS device to its servers without permission from the user. An app is able to perform this upload silently in the background, so the user is not aware of what’s going on. Developers have known about this “loophole” for a good deal of time, though they had never actually tried it to see whether they could steal a user’s photos. The New York Times then contacted an anonymous developer to write an experimental application so that the Times could see how this security hole works. Read on for further details.
The aforementioned developer created “PhotoSpy,” an app that would first ask for the user’s permission to access the user’s location information and then upload photos from the device’s library. The upload was done without permission from the user, since the user would only give the app access to location services and nothing else; or so the user thought when launching the app.
“Conceivably, an app with access to location data could put together a history of where the user has been based on photo location,” said app maker Curio’s co-founder David E. Chen. “The location history, as well as your photos and videos, could be uploaded to a server. Once the data is off of the iOS device, Apple has virtually no ability to monitor or limit its use.”
Apple sandboxes apps in iOS to protect users, denying apps access to core iOS files and personal user data, which means that this precaution should prevent this type of unauthorized access by an app. Apple’s iOS sandbox started to involve the photo library and other system services when the older “iPhone OS” became the more modern “iOS” back in 2010.
The Verge also reported yesterday that they had attempted to elicit a response from Apple, to no avail. However, they also spoke with some of their sources who are “familiar with the situation” and were informed that a fix is coming soon. They note that it will be in an upcoming release of iOS, though it’s not likely that iOS 5.1 will address the issue, since it’s rumored to be released in about a week.