Report: Apple loophole gives iOS developers access to user photos

Images stored on devices running Apple's (NASDAQ:AAPL) iOS mobile operating system are vulnerable to downloaded applications that can copy the user's entire photo library without any further notification or warning, The New York Times reports.

In addition to giving apps carte blanche access to photos and videos, the iOS security loophole allows developers to mine corresponding location data. The NYT states that the first time an iOS application wants to leverage location data for mapping or any other purpose, iPhones, iPads and iPod touch devices ask the user for permission, generating a pop-up message that notes approval "allows access to location information in photos and videos." When iOS devices save photo and video files, they typically include the coordinates of where they were snapped.

"Conceivably, an app with access to location data could put together a history of where the user has been based on photo location," said David E. Chen, co-founder of iOS developer Curio. "The location history, as well as your photos and videos, could be uploaded to a server. Once the data is off of the iOS device, Apple has virtually no ability to monitor or limit its use." John Casasanta, owner of developer Tap Tap Tap, adds, "It's very strange, because Apple is asking for location permission, but really what it is doing is accessing your entire photo library. The message the user is being presented with is very, very unclear."

Apple devices first began allowing full access to the photo library with the 2010 release of iOS 4.0, the report states, explaining the change was intended to make photo apps more efficient. The NYT adds it is unclear whether any iOS apps are illicitly copying user photos. Apple did not respond to a request for comment.

"Apple has a tremendous responsibility as the gatekeeper to the App Store and the apps people put on their phone to police the apps," said David Jacobs, a fellow at the Electronic Privacy Information Center. "Apple and app makers should be making sure people understand what they are consenting to. It is pretty obvious that they aren't doing a good enough job of that."

Citing sources familiar with the situation, The Verge reports Apple will patch the loophole in an upcoming iOS update. Sources also confirmed that the ability to send photos and videos to third-party developers is an error, not an intended feature.

Earlier this month, Apple said it would upgrade its software so that developers can only access users' contact data after receiving explicit permission to do so. Apple made the announcement after iOS app Path came under fire for collecting and storing user contacts.

"Apps that collect or transmit a user's contact data without their prior permission are in violation of our guidelines," Apple spokesman Tom Neumayr told All Things Digital. "We're working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release."
