Posted on 10/26/2017 10:52:19 AM PDT by LibWhacker
Apple has been urged to change the way in which iPhone apps are granted access to the phone's camera after a security researcher demonstrated how apps can secretly record photos and videos without the user knowing.
Felix Krause, an Austrian developer who works for Google, built an app that was able to take pictures of its user every second and upload them, without notifying the user. He called it a "privacy loophole that can be abused by iOS apps".
When an app wants to access the camera, for example to scan a credit card or take a profile picture during the set-up process, the iPhone user must give the app permission, in the same way that apps must ask to access the camera roll, location and contacts and to send notifications. Once allowed, it has to be turned off via the settings menu.
The system is similar to the permissions required by apps on Android. Google has recently deleted several apps that surreptitiously recorded users and masqueraded as legitimate apps.
But Krause said that once an app has been granted initial access, it can take photos and videos whenever it is opened up. Unlike on Mac computers, which have a small green light next to the camera when it is being used, there is no indication that an app is recording videos or taking photos, or when it sends them elsewhere.
(Excerpt) Read more at telegraph.co.uk ...
Not likely to happen with Apple iPhones, apps must go through a screening process by Apple and are rejected if they violate the guidelines. On Android phones there is little if any restriction.
If it is a Pixel phone, the Android OS is adhered to strictly. With the other manufacturers (Samsung, LG, Motorola, etc.), all bets are off.
bookmark
Ping!................
Swordmaker may be spying on you iPhone users : )
That’s app Review, which is different, but may catch this sort of thing....
This report is more that once you grant an app permission, for any reason, it keeps those permissions indefinitely unless you manually go into the global settings form and turn them off.
Android behaves the same way, once permission has been granted.
They are suggesting that there be some sort of reaffirmation of permission to use, rather than just a one time thing.
Comes a point where one must decide whether to trust someone (or, by proxy via app).
Yes, I’ve thought about such possible security issues. Apps having otherwise legitimate access to camera, mic, location, photos, contacts, etc can certainly abuse them.
Before bashing the ecosystem for potential of such abuse, you should ask: what could possibly be done to prevent it? and: do I trust this app?
In this case (as in most cases alleging security flaws on iOS etc), consider how those questions apply:
- having (presumed) legitimately allowed the app to access the camera, the only ways to prevent improper use are either to add a new option (like for location) “only when app is in use”, or to have iOS ask “allow camera use?” every time the camera is enabled. The former solution is possible, and after this I’d not be surprised if it shows up soon in iOS. The latter would be unduly obnoxious, most apps using the camera properly.
- this app was obviously from a security researcher, who is likely trying to evade security - not someone to trust. Major-brand apps, yes; people with an obvious ulterior motive, no.
And as Swordmaker will likely declare momentarily, once again this “security flaw” _specifically_ requires the victim to deliberately download an app, deliberately approve limited access, deliberately trusting the developers to not abuse the permissions.
I suspect Apple will respond by ending camera access if the app is not active. (I’m wondering if there’s any apps that legitimately do want camera access when backgrounded.)
No, it’s about the app store itself... Play doesn’t put apps through the same type of review process before they are allowed to be up for sale... Apple does...
It has nothing to do with OS behaviors on the phone.
Question is: under what condition should iOS request re-affirmation? Offhand (as an app developer) I don’t see what would prompt that, and I see arbitrary re-affirmation requests as annoying to users. If the app is trustworthy, there’s no reason to keep asking; if the app _isn’t_ trustworthy, I shouldn’t run it.
I agree, I am just saying that is what this guy is suggesting. I too develop apps for both Android and iOS.
I think most of these allow access to your image gallery so, if you have anything you don’t want the world to see stored on your phone...
Not really worried. If they ever do that to Android phones, they’re going to get all sorts of pictures of the inside of my pocket.
So, Google programmer finds potential camera security in iOS? No conflict of interest here...
Seriously, though, if true, and if Apple has dropped the ball, that’s not a good thing. Nothing like feeling like you have to stick some tape over the lens on your phone...
Not quite related, but at my local workplace, they had to issue a warning (presumably one or more people got fired or otherwise disciplined) that just because your phone asks you to take a picture of your current location (presumably for google maps or something) doesn’t mean you should.
Silly people.
Funny thing is, if you set up the right social engineering type app, you could probably get people to take the compromising photos for you. People seem to be so easily programmed these days.
I’ll take my phone in the shower with me. They won’t do it more than once.
Yeah, I’m thinking about that. Some of my ammo purchases require photo ID, usually a driver’s license, and I find it convenient to keep a pic of my driver’s license on my iPhone. But now I’m definitely rethinking that!
Good plan! Give ‘em something they can’t unsee... I think I could fix them up with one of those pics, myself. LOL!
Not a loophole. Nothing sensational here. The problem is that the USER doesn’t think of things like this, and so doesn’t think about revoking the app’s permission after granting it.
Apple is not a big evil corporation showing illicit pictures of you to strangers.
Is there any testing done of these apps? Should Apple do it? Should independent organizations do it? (This one did, and that’s the solution for the problem.)
Read some more about the issue.
Well...yeah.
It’s a “foreground only” issue, meaning you’re actually using the app.
Yes, if you give an app permission to use the camera, it can use the camera - and not necessarily tell you when it’s on.
Yes, there’s not an indicator in iOS letting you know the camera is on. Maybe there should be...but such cases being so rare, I’d hate to load the status bar with yet another indicator. Adding a hardware light seems overkill for such a small device and such a rare issue. The whole point would be an acknowledgement of badness where it shouldn’t be, a subtly user-distressing situation.
Remember: the camera uses a _lot_ of power, so any app that is surreptitiously using one will likely get complaints about it using an undue amount of power, and subsequently get analyzed & outed for its impropriety.