Exactly how much data can be extracted from iPhones by apps without explicit user consent has been called into question after it emerged that software granted access to location-finding services can siphon off punters' photos. The extraction of address book information without permission from the user has already raised privacy …
I suppose you could just
have a phone that's a phone and a camera that's a camera and never the twain shall meet, but then I keep forgetting that's horribly old-fashioned and that, if you can't produce your own ill-considered drunken-night-out blackmail material and distribute it planetwide in seconds, you hardly even count as a member of society any more.
Re: I suppose you could just
Slight correction required there. What's "old-fashioned" is the idea of a camera phone with software that was provided by the manufacturer without malicious intent.
To be a member of society, you need a "device" that can run "apps" written by untrusted third parties. This is no different from the web in the 90s or PCs in the 80s and the solution is the one identified in the 60s -- put some security in the OS that allows end-users to control what apps can look at. And if that sounds "too user-unfriendly", then perhaps it is time you regressed to the old-fashioned approach of not running arbitrary shit on the same device that you use for online banking.
Though I'm an old fogey myself, I don't personally care *which* of the alternatives *you* choose. I just wish people would choose and stop being "shocked, shocked I tell you" each time we get a story like this. Trust is what comes out of the top of a security model, not what you blindly put in as the foundation.
Still better than Android
Android apps don't show or request any permission, not even location, to read any photo - or actually any file - stored on the SD card (the default storage location for photos)
Don't get why the media is only targeting iOS over this.
ps - Here's a little Android APK I cooked earlier to show this: http://oron.com/ks4idg9txfru
Check the manifest, no permissions at all.
Re: Still better than Android
You've convinced a few iTards but to convince Android owners your app will have to show more than a black screen.
Re: Re: Still better than Android
A black screen?
Do you have any photos on your SD card?
Re: Still better than Android
Works fine on mine, can swipe left and right between photos.
Source code here
To avoid mudslinging by people like Craigness I've decided to also release the full source code and Eclipse project (it's only a single Java file plus a few resources).
Eclipse project zip here: http://oron.com/y0mqvxin621z
This app opens the SD card, finds all image files by looking for known extensions (jpeg, gif, bmp, ...) and displays them. All this without a single permission.
Re: Re: Re: Still better than Android
Yes, I have photos (jpg). Wouldn't have been much of a test otherwise!
Re: Still better than Android
Interesting about Android.
"Don't get why the media is only targeting iOS over this."
That is probably because Apple has marketed itself so well it is the only platform that matters to the media.
I asked if you have photos *on the SD card*, I believe the code - as it stands - will not work on devices without SD cards, e.g. Nexus S or Galaxy Nexus devices.
Failing that, have you tried swiping left to change to another picture? Does the menu button work?
It's not a final, polished debugged application, it's a simple proof of concept that works for me as well as others. Now you also have the code to figure why it doesn't for you.
Hehe. Sweet. I *think* the standard permission is to "modify or delete", so I guess *reading* stuff is just a default. Kinda stupid though.
However, a photo viewer alone is no big deal. My secret sex-porn romp photos [*] would still be safe.
Can you up the ante and do something with it still demanding zero special privs? Can it be bounced off a server, perhaps using a nonstandard protocol?
* - hehe, me? This body? Not bloody likely...
+++ath0 seems to have a point...
/mnt/sdcard and all its subdirectories on my Galaxy Nexus look like this -->
drwxrwxr-x root sdcard_rw 2012-02-21 sdcard
That means everybody can read stuff, but only apps belonging to the group sdcard_rw can write stuff.
That would also explain why the image viewer works, and why the corresponding Android permission says "change/delete" and not "read/change/delete".
So Android isn't lying to you, but you might still get the wrong impression. Hmmm. I for one always (wrongly) assumed that apps also need that permission to *read* the SD card.
A chmod doesn't work, looks like the 0775 is hardcoded into the FS driver. I wonder if there's any way to keep untrusted apps away from my files?
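The mode line quoted above is the whole argument in miniature: a directory with mode 0775 owned by root:sdcard_rw is listable by every process on the device, while only members of sdcard_rw can create or delete files in it. The following is an added example, not code posted in this thread, that decodes `ls -l` style permission strings and reports which class (owner, group, other) can read or write each entry. The quoted sdcard line is used as the sample input; the other two listing entries are constructed for contrast. As a side note on the chmod observation: a FAT-formatted card stores no Unix mode bits at all, so the mode a process sees comes from the mount options, which is consistent with chmod having no effect.

```python
"""Decode ls -l style mode strings and report who can read or write.

Added example for this thread, not code from any poster. The first line
of SAMPLE_LISTING is the one quoted in the comment above; the other two
entries are constructed to show a group-only directory and a plain file.
"""
from dataclasses import dataclass
from typing import List

SAMPLE_LISTING = """\
drwxrwxr-x root     sdcard_rw 2012-02-21 sdcard
drwxrwx--- system   sdcard_rw 2012-02-21 private_constructed
-rw-rw-r-- app_42   sdcard_rw 2012-02-21 IMG_0001_constructed.jpg
"""


@dataclass
class Entry:
    name: str
    is_dir: bool
    mode: int  # numeric permission bits, e.g. 0o775


def parse_mode(symbolic: str) -> int:
    """Convert the 9-character 'rwxrwxr-x' form to an int such as 0o775.

    's'/'t' mean the execute bit is set (plus setuid/setgid/sticky);
    'S'/'T' mean it is not. The special bits themselves are dropped.
    """
    if len(symbolic) != 9:
        raise ValueError("expected 9 permission characters, got %r" % symbolic)
    bits = 0
    for ch in symbolic:
        bits = (bits << 1) | (ch not in "-ST")
    return bits


def parse_listing(text: str) -> List[Entry]:
    """Parse lines of the form '<type+perms> <owner> <group> <date> <name>'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        perms, name = fields[0], fields[-1]
        entries.append(Entry(name=name, is_dir=perms[0] == "d",
                             mode=parse_mode(perms[1:10])))
    return entries


def who_can(entry: Entry, action: str) -> List[str]:
    """Return the classes holding the 'read' or 'write' bit on this entry.

    For a directory, listing its contents in practice also requires the
    execute (search) bit, so that is folded into the 'read' check.
    """
    bit = {"read": 0o4, "write": 0o2}[action]
    allowed = []
    for cls, shift in (("owner", 6), ("group", 3), ("other", 0)):
        triple = (entry.mode >> shift) & 0o7
        ok = bool(triple & bit)
        if action == "read" and entry.is_dir:
            ok = ok and bool(triple & 0o1)
        if ok:
            allowed.append(cls)
    return allowed


def world_readable(entries: List[Entry]) -> List[str]:
    """Names of entries that any process on the device can read."""
    return [e.name for e in entries if "other" in who_can(e, "read")]


if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LISTING):
        print("%-28s %04o read=%s write=%s" % (
            e.name, e.mode, who_can(e, "read"), who_can(e, "write")))
    print("world-readable:", world_readable(parse_listing(SAMPLE_LISTING)))
```

Run against the quoted line this reports read access for owner, group and other but write access for owner and group only, which is exactly the "everybody can read, only sdcard_rw can write" reading of the comment. The same function applied to a real `ls -l` dump of a device is a quick way to see which directories an app with no declared permissions can still walk.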
I thought the 6310 had some privacy issues with Bluetooth bugs
There weren't any photos to steal then though! I did like the fact the 6310i could last a week (probably 2) on a single charge.
Regarding the iPhone issue I think that location controls were put in after the initial fuss about user tracking and the only reason that the photos are restricted at all is because they are location tagged (or can be).
There are many applications which should legitimately access the photos in the library, including photo retouching apps and apps to draw on existing photos, but it would be better if the control was like that being introduced on the Mac for file access, where an OS-provided chooser is brought up to browse and the app should only get access to the selected images. The same should apply for the contacts too. Apple's review process could allow some relevant apps (if there are any) more unrestricted access but require an explanatory dialogue the first time and allow revocation of the permission in the settings as with location data.
A better solution using the 6310
All you need to do is to store a picture of the 6310 on your iPhone. Easy, no?
The one with the iPhone charger, please.
Once an <<Apple fanboi>> grants permission for an iPhone or iPad app ... why the derogative? (soft voice) did somebody hurt you?
Now el Reg, how long till we can filter out the pesky writers?
From the article: "Android users who give permission for an application to modify or delete SD card contents are equally opening up their photograph albums"
This is misleading.
As the permission itself describes, it's only meant to control the deletion or modification of SD card contents. Apps that just read the SD card need no permission.
From a dev perspective..
I write iOS photo + video apps, and I have to say this is a colossal balls-up. It works like this:
- I write a photo editor. Of course it needs access to the photo library to work.
- The app asks the OS for library access.
- The user gets a nice pop-up explaining this, and asking for permission.
- Wait, no. It's not asking for permission to access photos. It's asking for permission to use your location, because photos + videos contain location data.
- The user taps "no" thinking the app is dodgy.
- The app can't access the photo library, doesn't work, and gets a 1-star review.
The pop-up does actually mention photos + videos in the small print part, but the big obvious title text says LOCATION. It's confusing as hell for me as a developer, never mind for my customers, and the only solution is to pop up a warning explaining what the actual permissions popup is really asking for!
Re: From a dev perspective..
Thanks Chris. Does it work the other way around? That is, if an app really does need location information - for example to let you know if you are near a restaurant - does it then also get access to photos?
In other words is it one permission setting for two different things or are there two different permission settings, one of which is badly worded?
Re: From a dev perspective..
I think it's pretty obvious from the text on the dialog, but I get that users are a bit paranoid these days with the media jumping up and down at every slight privacy concern.
Can't you detect that access was denied and explain the issue in the app itself?
Re: Re: From a dev perspective..
The app IS asking ONLY for permission to access location data embedded in media (photos and video). The system wide photo library has always been open to access by Apps since iOS 4 (and I guess before that directly in the filesystem).
Re: From a dev perspective..
It does. The "alert" IS only asking for permission to access location data in photos. The photos themselves have always been open to access.
Who cares if an application wants to access your photo library... what matters is whether it can then send that data somewhere.
How will you know that? The app just needs to send the photos encrypted and no one will figure out what it's sending.
Short of having the source code of all apps I can't see how that can be enforced.
That's what firewalls are for. But people think phones don't need a firewall. My Android phone has a firewall. I block every app that has no business accessing a network or internet.
That's nice in theory, but what if the app - like many apps - has a legitimate reason to connect to the Internet, but then happens to sneak your photos along the way?
Imagine a fancy new social networking app, Muppet+. Obviously you want the app to contact Muppet+'s servers to fetch and send content, but Muppet+ sends along your photos without asking as well.
How does your firewall strategy avoid that?
Actually, on Android, how can you be sure the firewall isn't transmitting your photos - unless you're running an open source firewall which you compiled yourself of course.
"Actually, on Android, how can you be sure the firewall isn't transmitting your photos - unless you're running an open source firewall which you compiled yourself of course."
Anything that can possibly take photos and transmit them is subject to the same concerns unless you have compiled (and understood) all the software yourself.
Absolutely, but most big companies you can successfully sue (e.g. via class action) or at least be compensated if they were ever found doing this. The government itself tends to intervene in those cases.
You can't say the same thing about software developed by a small developer or company with nothing to lose.
VAULT 1 of 2
This is why app developers and Apple and Google et al. need to provide VAULTS. The user should be able to invoke vault and non-vault actions so that by default any vaulted photos, contacts, voice recordings, notepad snippets, etc are cordoned off. When the user fires up a photo app, it should display a locked lock and an unlocked lock. The user taps one and from that point the user chooses it to be in effect for the session or the hour or the day or whatever, to guard against ignoring what mode one is in.
When the user is ready to upload, the unlocked items can display on a palette, and the user can swype or stroke or tap or whatever to open the vault and see an encrypted stream between the glass and the local repo. The encryption should change with each item's presentation.
Apple, google, and ms are NOT stupid. That this issue is even being discussed means they did NOT seriously nor adequately have the user's best interest at heart. It's either laziness, or they got standing national security letters to ALWAYS make it possible for SOME weird, obscure way to exist to snag things to make it easier to bypass security of a user who might become a special interest target. Granted, this loophole wouldn't be used as a global scoop of ALL mobile users, but if a bona fide terrorist or assistant to one were found to be using a mobile, there might not be time to secure a new, valid, effective warrant. For certain high-value targets, normal procedures might HAVE to be bypassed.
VAULT 2 of 2
Phone devs and app devs who know better might actually WANT these lax protocols in place just to make their programming and troubleshooting lives easier.
Still, none of this is any excuse to mislead the user. It's probably time to clean the 7GB of photos off my phone and stick that card into my Lumix. Problem is, half of the photos are downloads. Since phone devs sometimes are A$$HOLE$ scraping to save every last penny, or claim to give us a way to know if our phones are physically compromised, they stick the F8king card under the battery. Imagine how convenient it could be for personal security of the user if we could -- via our phones -- fire off or slurp a round of photos and then swap the card among 3 or 4 while we randomly offload the photos, apps, texts, docs, etc to a non-contactable device. No, that would F8ck with snoops and others who think it's their goddamned business to be in OUR devices.
Re: VAULT 2 of 2
Or, they implemented things as you describe, did some usability testing, and found that people not only object strongly to having to click through repetitive security warnings (hello, Vista!), but after a while the warning does no good as users stop reading them.
Apple should re-word the dialog text, but that's about all that's needed if they want to keep their phone usable. But they'll probably succumb to the "Oh noes!" of people who don't even own an iPhone but like to complain on the net.
Blank Image Tracker...
Suppose this: a nefarious cracker manages to get dodgy code onto a user's phone. The code snaps photos when the phone is in "suspend" mode but first turns off or maybe suspends any flash settings and shutter sounds info, and keeps the activity/transceiving LED and the display state unaltered. The phone then periodically snaps photos and then quickly bursts the meta information but not the black photo. Then, the code deletes the black photo and resets the photo sequence numbers.
Now, that may not be necessary, all that trouble. But, it could serve as a backup way to build a picture of someone's REAL location as opposed to tower-fed info.
Re: Blank Image Tracker...
To whomever or whatever downthumbed me... go read this:
I will now "downthumb" you too, for two reasons:
1 - Down votes happen. Don't make assumptions why, live with it (or even go for a personal best)
2 - downthumbing isn't a verb.
That's the dumbest thing I've heard all week -- and I spent Monday watching Britain's Got Talent.
Re: Re: Downthumbing
I did mention I was going for a personal best (or worst). It takes some doing to lower myself to such depths, but hey, all in the name of science. Or beer.
Film Roll is public
Right from the beginning, the film roll has been the one public folder that all apps can access. Accessing means apps can do more or less anything with the data, including uploading.
In principle, this has been clear since the very first iPhone, hasn't it?
Apart from that, the fact that the iPhone is so restrictive has been a source for complaint from the start.
I think the idea is that a phone (iPhone, Android or whatever) should be a simple device. Do we want to be able to tell the apps what access they get? Read, write, delete, etc. I mean, this week we're talking about uploading. Next week we'll be talking about how apps deposit incriminating photos on the film roll and then alert the police...
Re: Film Roll is public
> In principle, this has been clear since the very first iPhone, hasn't it?
No, it hasn't. Has Apple ever said "And all apps can access your photos?" Not that I've ever seen.
"... Apple's approval process, which is pretty tight, if not foolproof."
Where is the proof of this? Apple's approval process is closed. We KNOW (http://www.theregister.co.uk/2012/02/15/apple_rank_hypocrisy_as_privacy_protector/) that it's not foolproof, but Apple doesn't publicly disclose all denials and why they're denied. Nor are app developers looking to snoop likely to admit when Apple has refused approval due to unnecessary snooping. And they're definitely not likely to admit it when a snooping app has been approved.
I'd guess that Apple's approval process is pretty good, but that's a guess and not based on any solid evidence. I'd hope that, as a reporter, you'll have collected such evidence before making such an important conclusion. So can you provide such? Thanks!
".....the problem basically stemmed from a misleading pop-up dialogue, rather than anything inherently bad....."
Great. Now go back and ask these other drooling fanbois developers how many angels can dance on the head of a pin while they're on a roll.
"i" owners will be oblivious and most not clever enough to contemplate the implications.
If they need an OS that’s that Fugly and Dumbed down, then they can hardly be expected to know what’s happening with their data/phone!