iPhone photo-slurping loophole sparks app privacy fears

Exactly how much data can be extracted from iPhones by apps without explicit user consent has been called into question after it emerged that software granted access to location-finding services can siphon off punters' photos. The extraction of address book information without permission from the user has already raised …

COMMENTS

This topic is closed for new posts.
  1. Aaron Em

    I suppose you could just

    have a phone that's a phone and a camera that's a camera and never the twain shall meet, but then I keep forgetting that's horribly old-fashioned and that, if you can't produce your own ill-considered drunken-night-out blackmail material and distribute it planetwide in seconds, you hardly even count as a member of society any more.

    1. Ken Hagan Gold badge

      Re: I suppose you could just

      Slight correction required there. What's "old-fashioned" is the idea of a camera phone with software that was provided by the manufacturer without malicious intent.

      To be a member of society, you need a "device" that can run "apps" written by untrusted third parties. This is no different from the web in the 90s or PCs in the 80s and the solution is the one identified in the 60s -- put some security in the OS that allows end-users to control what apps can look at. And if that sounds "too user-unfriendly", then perhaps it is time you regressed to the old-fashioned approach of not running arbitrary shit on the same device that you use for online banking.

      Though I'm an old fogey myself, I don't personally care *which* of the alternatives *you* choose. I just wish people would choose and stop being "shocked, shocked I tell you" each time we get a story like this. Trust is what comes out of the top of a security model, not what you blindly put in as the foundation.

  2. Anonymous Coward

    Still better than Android

    Android apps don't show or request any permission, not even location, to read any photo - or actually any file - stored on the SD card (the default storage location for photos).

    Don't get why the media is only targeting iOS over this.

    ps - Here's a little Android APK I cooked earlier to show this: http://oron.com/ks4idg9txfru

    Check the manifest, no permissions at all.

    1. Craigness
      Facepalm

      Re: Still better than Android

      You've convinced a few iTards but to convince Android owners your app will have to show more than a black screen.

      1. Anonymous Coward
        WTF?

        Re: Re: Still better than Android

        A black screen?

        Do you have any photos on your SD card?

        1. Anonymous Coward

          Source code here

          To avoid mudslinging by people like Craigness I've decided to also release the full source code and Eclipse project (it's only a single Java file plus a few resources).

          Eclipse project zip here: http://oron.com/y0mqvxin621z

          This app opens the SD card, finds all image files by looking for known extensions (jpeg, gif, bmp, ...) and displays them. All this without a single permission.

        2. Craigness

          Re: Re: Re: Still better than Android

          Yes, I have photos (jpg). Wouldn't have been much of a test otherwise!

          1. Anonymous Coward

            @Craigness

            I asked if you have photos *on the SD card*, I believe the code - as it stands - will not work on devices without SD cards, e.g. Nexus S or Galaxy Nexus devices.

            Failing that have you tried swiping left to change to another picture? Does the menu button work?

            It's not a final, polished debugged application, it's a simple proof of concept that works for me as well as others. Now you also have the code to figure why it doesn't for you.

            1. heyrick Silver badge

              Re: @Craigness

              Hehe. Sweet. I *think* the standard permission is to "modify or delete", so I guess *reading* stuff is just a default. Kinda stupid though.

              However, a photo viewer alone is no big deal. My secret sex-porn romp photos [*] would still be safe.

              Can you up the ante and do something with it still demanding zero special privs? Can it be bounced off a server, perhaps using a nonstandard protocol?

              * - hehe, me? This body? Not bloody likely...

    2. Anonymous Coward

      Re: Still better than Android

      Works fine on mine, can swipe left and right between photos.

      Umm.

      1. Swedish Chef
        Meh

        +++ath0 seems to have a point...

        /mnt/sdcard and all its subdirectories on my Galaxy Nexus look like this -->

        drwxrwxr-x root sdcard_rw 2012-02-21 sdcard

        That means everybody can read stuff, but only apps belonging to the group sdcard_rw can write stuff.

        That would also explain why the image viewer works, and why the corresponding Android permission says "change/delete" and not "read/change/delete".

        So Android isn't lying to you, but you might still get the wrong impression. Hmmm. I for one always (wrongly) assumed that apps also need that permission to *read* the SD card.

        A chmod doesn't work, looks like the 0775 is hardcoded into the FS driver. I wonder if there's any way to keep untrusted apps away from my files?
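The permission check described in the comment above, as an added example that is not part of the original thread: it applies the standard Unix owner/group/other rule to the quoted listing. The app user name `app_42` and the idea that the "modify or delete" permission corresponds to membership of group `sdcard_rw` are assumptions made for illustration.

```python
from dataclasses import dataclass

# Listing line quoted in the comment above.
LISTING = "drwxrwxr-x root sdcard_rw 2012-02-21 sdcard"


@dataclass(frozen=True)
class Entry:
    mode: str   # ten-character mode string as printed by ls -l
    owner: str
    group: str


@dataclass(frozen=True)
class Process:
    user: str
    groups: frozenset


def parse_listing(line):
    """Parse 'MODE OWNER GROUP ...' from an ls -l style line."""
    fields = line.split()
    if len(fields) < 3 or len(fields[0]) != 10:
        raise ValueError("not an ls -l style line: %r" % line)
    return Entry(mode=fields[0], owner=fields[1], group=fields[2])


def effective_bits(entry, proc):
    """Pick the single rwx triplet that applies: owner, else group, else other."""
    if proc.user == entry.owner:
        return entry.mode[1:4]
    if entry.group in proc.groups:
        return entry.mode[4:7]
    return entry.mode[7:10]


def access(entry, proc):
    """Return what the process may do with the directory."""
    bits = effective_bits(entry, proc)
    return {
        "read": bits[0] == "r",
        "write": bits[1] == "w",
        # lower-case s/t mean execute is set together with a special bit
        "traverse": bits[2] in ("x", "s", "t"),
    }


ENTRY = parse_listing(LISTING)

# Constructed processes: an app holding no permissions, and one assumed to
# have been placed in group sdcard_rw by the "modify or delete" permission.
NO_PERMISSION_APP = Process(user="app_42", groups=frozenset())
WRITE_PERMISSION_APP = Process(user="app_42", groups=frozenset({"sdcard_rw"}))

if __name__ == "__main__":
    print("no permission:   ", access(ENTRY, NO_PERMISSION_APP))
    print("write permission:", access(ENTRY, WRITE_PERMISSION_APP))
```
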

    3. Audrey S. Thackeray

      Re: Still better than Android

      Interesting about Android.

      As to

      "Don't get why the media is only targeting iOS over this."

      That is probably because Apple has marketed itself so well it is the only platform that matters to the media.

  3. Joseph Lord
    Big Brother

    I thought the 6310 had some privacy issues with Bluetooth bugs

    There weren't any photos to steal then though! I did like the fact the 6310i could last a week (probably 2) on a single charge.

    Regarding the iPhone issue I think that location controls were put in after the initial fuss about user tracking and the only reason that the photos are restricted at all is because they are location tagged (or can be).

    There are many applications which should legitimately access the photos in the library including photo retouching apps and apps to draw on existing photos but it would be better if the control was like that being introduced on the Mac for file access where an OS provided chooser is brought up to browse and the app should only get access to the selected images. The same should apply for the contacts too. Apple's review process could allow some relevant apps (if there are any) more unrestricted access but require an explanatory dialogue the first time and allow revocation of the permission in the settings as with location data.

    1. Fred Flintstone Gold badge
      Coat

      A better solution using the 6310

      All you need to do is to store a picture of the 6310 on your iPhone. Easy, no?

      The one with the iPhone charger, please.

  4. Anonymous Coward
    Thumb Down

    that's low

    Once an <<Apple fanboi>> grants permission for an iPhone or iPad app ... why the derogative? (soft voice) did somebody hurt you?

    Now el Reg, how long till we can filter out the pesky writers?

  5. Anonymous Coward

    From the article: "Android users who give permission for an application to modify or delete SD card contents are equally opening up their photograph albums"

    This is misleading.

    As the permission itself describes, it's only meant to control the deletion or modification of SD card contents. Apps that just read the SD card need no permission.

  6. Anonymous Coward

    From a dev perspective..

    I write iOS photo + video apps, and I have to say this is a colossal balls-up. It works like this:

    - I write a photo editor. Of course it needs access to the photo library to work.

    - The app asks the OS for library access.

    - The user gets a nice pop-up explaining this, and asking for permission.

    - Wait, no. It's not asking for permission to access photos. It's asking for permission to use your location, because photos + videos contain location data.

    - The user taps "no" thinking the app is dodgy.

    - The app can't access the photo library, doesn't work, and gets a 1-star review.

    The pop-up does actually mention photos + videos in the small print part, but the big obvious title text says LOCATION. It's confusing as hell for me as a developer, never mind for my customers, and the only solution is to pop-up a warning explaining what the actual permissions popup is really asking for!

    1. Anonymous Coward

      Re: From a dev perspective..

      Thanks Chris. Does it work the other way around? That is if an app that really does need location information - for example to let you know if you are near a restaurant - does it then also get access to photos?

      In other words is it one permission setting for two different things or are there two different permission settings, one of which is badly worded?

      1. chadbag

        Re: Re: From a dev perspective..

        The app IS asking ONLY for permission to access location data embedded in media (photos and video). The system wide photo library has always been open to access by Apps since iOS 4 (and I guess before that directly in the filesystem).

    2. Anonymous Coward

      Re: From a dev perspective..

      I think it's pretty obvious from the text on the dialog, but I get that users are a bit paranoid these days with the media jumping up and down at every slight privacy concern.

      Can't you detect that access was denied and explain the issue in the app itself?

    3. chadbag

      Re: From a dev perspective..

      It does. The "alert" IS only asking for permission to access location data in photos. The photos themselves have always been open to access.

  7. Anonymous Coward

    Who cares if an application wants to access your photo library... what matters is whether it can then send that data somewhere.

    1. Anonymous Coward

      How will you know that? The app just needs to send the photos encrypted and no one will figure out what it's sending.

      Short of having the source code of all apps I can't see how that can be enforced.

      1. Anonymous Coward

        That's what firewalls are for. But people think phones don't need a firewall. My Android phone has a firewall. I block every app that has no business accessing a network or internet.

        1. Anonymous Coward

          That's nice in theory, but what if the app - like many apps - has a legitimate reason to connect to the Internet, but then happens to sneak your photos along the way?

          Imagine a fancy new social networking app, Muppet+. Obviously you want the app to contact Muppet+'s servers to fetch and send content, but Muppet+ sends along your photos without asking as well.

          How does your firewall strategy avoid that?

          Actually, on Android, how can you be sure the firewall isn't transmitting your photos - unless you're running an open source firewall which you compiled yourself of course.

          1. Audrey S. Thackeray

            "Actually, on Android, how can you be sure the firewall isn't transmitting your photos - unless you're running an open source firewall which you compiled yourself of course."

            Anything that can possibly take photos and transmit them is subject to the same concerns unless you have compiled (and understood) all the software yourself.

            1. Anonymous Coward

              Absolutely, but most big companies you can successfully sue (e.g. via class action) or at least be compensated if they were ever found doing this. The government itself tends to intervene in those cases.

              You can't say the same thing about software developed by a small developer or company with nothing to lose.

  8. dssf

    VAULT 1 of 2

    This is why app developers and Apple and Google et al. need to provide VAULTS. The user should be able to invoke vault and non-vault actions so that by default any vaulted photos, contacts, voice recordings, notepad snippets, etc are cordoned off. When the user fires up a photo app, it should display a locked lock and an unlocked lock. The user taps one and from that point the user chooses it to be in effect for the session or the hour or the day or whatever, to guard against ignoring what mode one is in.

    When the user is ready to upload, the unlocked items can display on a palette, and the user can swype or stroke or tap or whatever to open the vault and see an encrypted stream between the glass and the local repo. The encryption should change with each item's presentation.

    Apple, google, and ms are NOT stupid. That this issue is even being discussed means they did NOT seriously nor adequately have the user's best interest at heart. It's either laziness, or they got standing national security letters to ALWAYS make it possible for SOME weird, obscure way to exist to snag things to make it easier to bypass security of a user who might become a special interest target. Granted, this loophole wouldn't be used as a global scoop of ALL mobile users, but if a bona fide terrorist or assistant to one were found to be using a mobile, there might not be time to secure a new, valid, effective warrant. For certain high-value targets, normal procedures might HAVE to be bypassed.

  9. dssf

    VAULT 2 of 2

    Phone devs and app devs who know better might actually WANT these lax protocols in place just to make their programming and troubleshooting lives easier.

    Still, none of this is any excuse to mislead the user. It's probably time to clean the 7GB of photos off my phone and stick that card into my Lumix. Problem is, half of the photos are downloads. Since phone devs sometimes are A$$HOLE$ scraping to save every last penny, or claim to give us a way to know if our phones are physically compromised, they stick the F8king card under the battery. Imagine how convenient it could be for personal security of the user if we could -- via our phones -- fire off or slurp a round of photos and then swap the card among 3 or 4 while we randomly offload the photos, apps, texts, docs, etc to a non-contactable device. No, that would F8ck with snoops and others who think it's their goddamned business to be in OUR devices.

    1. MD Rackham

      Re: VAULT 2 of 2

      Or, they implemented things as you describe, did some usability testing, and found that people not only object strongly to having to click through repetitive security warnings (hello, Vista!), but after a while the warning does no good as users stop reading them.

      Apple should re-word the dialog text, but that's about all that's needed if they want to keep their phone usable. But they'll probably succumb to the "Oh noes!" of people who don't even own an iPhone but like to complain on the net.

  10. dssf

    Blank Image Tracker...

    Suppose this: a nefarious cracker manages to get dodgy code onto a user's phone. The code snaps photos when the phone is in "suspend" mode but first turns off or maybe suspends any flash settings and shutter sounds info, and keeps the activity/transceiving LED and the display state unaltered. The phone then periodically snaps photos and then quickly bursts the meta information but not the black photo. Then, the code deletes the black photo and resets the photo sequence numbers.

    Now, that may not be necessary, all that trouble. But, it could serve as a backup way to build a picture of someone's REAL location as opposed to tower-fed info.

    Scary? Yes/no?

    1. dssf

      Re: Blank Image Tracker...

      To whomever or whatever downthumbed me... go read this:

      http://www.theregister.co.uk/2012/02/29/moores_law_gsm_hacking/

      and:

      http://www.codeproject.com/Articles/187169/Creating-an-APRS-Tracker-Automated-Camera-with-an

      and:

      http://www.brickhousesecurity.com/catch-a-cheater.html

      1. Anonymous Coward

        Downthumbing

        I will now "downthumb" you too, for two reasons:

        1 - Down votes happen. Don't make assumptions why, live with it (or even go for a personal best)

        2 - downthumbing isn't a verb.

        So there.

        1. Aaron Em

          Re: Downthumbing

          That's the dumbest thing I've heard all week -- and I spent Monday watching Britain's Got Talent.

          1. Anonymous Coward

            Re: Re: Downthumbing

            I did mention I was going for a personal best (or worst). It takes some doing to lower myself to such depths, but hey, all in the name of science. Or beer.

  11. Anonymous Coward

    Film Roll is public

    Right from the beginning, the film roll has been the one public folder that all apps can access. Accessing means apps can do more or less anything with the data, including uploading.

    In principle, this has been clear since the very first iPhone, hasn't it?

    Apart from that, the fact that the iPhone is so restrictive has been a source for complaint from the start.

    I think the idea is that a phone (iPhone, Android or whatever) should be a simple device. Do we want to be able to tell the apps what access they get? Read, write, delete, etc. I mean, this week we're talking about uploading. Next week we'll be talking about how apps deposit incriminating photos on the film roll and then alert the police...

    1. Alan_Peery

      Re: Film Roll is public

      > In principle, this has been clear since the very first iPhone, hasn't it?

      No, it hasn't. Has Apple ever said "And all apps can access your photos?" Not that I've ever seen.

  12. This post has been deleted by its author

  13. Steve Knox
    Boffin

    [Citation Needed]

    "... Apple's approval process, which is pretty tight, if not foolproof."

    Where is the proof of this? Apple's approval process is closed. We KNOW (http://www.theregister.co.uk/2012/02/15/apple_rank_hypocrisy_as_privacy_protector/) that it's not foolproof, but Apple doesn't publicly disclose all denials and why they're denied. Nor are app developers looking to snoop likely to admit when Apple has refused approval due to unnecessary snooping. And they're definitely not likely to admit it when a snooping app has been approved.

    I'd guess that Apple's approval process is pretty good, but that's a guess and not based on any solid evidence. I'd hope that, as a reporter, you'll have collected such evidence before making such an important conclusion. So can you provide such? Thanks!

  14. TeeCee Gold badge
    Facepalm

    Oh yeah?

    ".....the problem basically stemmed from a misleading pop-up dialogue, rather than anything inherently bad....."

    Great. Now go back and ask these other drooling fanbois developers how many angels can dance on the head of a pin while they're on a roll.

  15. Anonymous Coward

    "i" owners will be oblivious and most not clever enough to contemplate the implications.

    If they need an OS that’s that Fugly and Dumbed down, then they can hardly be expected to know what’s happening with their data/phone!
