Following previous privacy controversy over apps uploading your Address Book contacts without permission, a new privacy problem has been shown off that allows app developers to access and copy your entire photo library.
According to a new report from The New York Times, apps that have permission to access location information on your iPhone or iPad (such as many photo and social networking apps), they also gain access to your device’s photo library without ever having to ask your permission or notify you. This could allow an app to upload (steal) your personal photos and store them on their own servers.
The New York Times reports:
After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library, without any further notification or warning, according to app developers.
It is unclear whether any apps in Apple’s App Store are actually doing this. Apple says it screens all apps submitted to the store, and presumably it would not authorize an app that clearly copied a person’s photos without good reason. But copying address book data was also against Apple’s rules, and the company let through a number of popular apps that did so.
An iOS developer was commissioned by the New York Times to create a simple test app, “PhotoSpy,” that demonstrates how simple it is for an app to secretly gain access to uses’ photo libraries, and potentially use those apps for their own purposes.
When the “PhotoSpy” app was started up, it asked for access to location data. Once this was granted, it began siphoning photos and their location data to a remote server. (The app was not submitted to the App Store.)
The exploit has reportedly been known for a long time, and its unclear whether or not any apps have used this so far. Apple would presumably not approve any app that uploads and stores your information this way, but given the number of “clone” apps, tethering apps, and other unauthorized apps that have slipped through Apple’s approval process, it’s possible that apps performing this behavior have been submitted, and are already running wild in the App Store.
Apple has recently agreed to new security measures allowing users to see exactly how specific apps might access and use their data before downloading or purchasing them, but is that enough? If one thing is clear, it’s that Apple needs to take care of the gaping privacy holes in iOS – and they should do it sooner rather than later.
