iOS apps can read metadata revealing users' location histories

In what looks like an Apple oversight, a developer has discovered that apps can access image metadata and therefore a pretty good history of iThing users' location. Felix Krause, founder of Fastlane.Tools, reported the issue here and explains that “If an app gets permission to access the image library, it will get full access …

  1. Gene Cash Silver badge

    Android too?

    Android stores the camera pictures on the usually-unsecured "sdcard" area... and it has EXIF parsing too. I'd think it's just as vulnerable.

    You can usually turn off geolocation storage in the camera app, but I don't know how many people do that.

    1. Anonymous Coward
      Anonymous Coward

      Re: Android too?

      You can usually turn off geolocation storage in the camera app, but I don't know how many people do that.

      I do. And I run exiftool -all= with some extra copyright and comment tags over any image before it leaves the door. That way it contains the minimum I want in there, and if I really don't trust the recipient it'll get visible watermarks too.

    2. DropBear Silver badge

      Re: Android too?

      I do too. Geotagging is always off - only "date taken" remains, and I typically add EXIF GPS info later on my desktop, manually, via Geosetter (including IPTC location name tags, which the automatic reverse geo lookup invariably gets wrong...)

    3. Anonymous Cowerd

      Re: Android too?

      I also disabled geolocation, on my iPhone.

      When I post a picture of the very nice fish that I caught, I don't want to give away the position of the mark!

    4. Anonymous Coward
      Anonymous Coward

      Re: Android too?

      On all my Android devices, the camera defaulted location recording to off, and asked me if I wanted to turn it on. Sony, Nexus and Samsung devices were all defaulted to off out of the box.

      I turned them on, as I value location data and I'm not a terrorist/having an affair/or doing anything else illegal/immoral...

      1. gudguy1a

        Re: Android too? - Terrorist, no.... okay.

        "I turned them on, as I value location data and I'm not a terrorist/having an affair/or doing anything else illegal/immoral..."

        --- I like that, a bit of humour for the day. That aside, you should still be cautious. In my work role, we use that kind of info to track folks. But on the flip side, there are those malicious As_ _ oles out there who use that location data to target you for any nice valuables you might have at home, nicely framed in your photo, with the geolocation info turned on... be careful.

    5. Dr Mantis Toboggan
      FAIL

      Re: Android too?

      No, location recording is optional and defaulting to off on every Android device I have come across.

  2. Lysenko

    EXIF data is written into the header of the JPG so it is obvious that anything that can access the file is going to be able to read the metadata. If I encountered a camera or slideshow app that *couldn't* parse that information I would probably report it as a bug. If the OS interdicts the file read operation to block metadata, how are you supposed to back anything up?

    This "security flaw" is equivalent to complaining that an app which can view your photos might apply facial recognition and determine that the girl you've got your arm around isn't your wife (<cough>FarceBorg</cough>) or that the date stamp of you snorkelling in Bali corresponds with your recent "sick leave".

    In other phone privacy related non-news: Truecaller may display the identity of your favourite intimate massage therapists even if you added them to your contacts list as "emergency plumbers".

    1. Anonymous Coward
      Anonymous Coward

      The OS could allow apps access to temporary copies of the files that have the EXIF information blanked, unless you choose to allow the app "photo metadata" permissions - that's what you'd use for something backing up photos or copying them off the device.

      Sounds like iOS and likely Android both will need to do some tweaking in how they handle photos, as this would reveal a LOT of information about those who take a lot of pictures.

      1. Lysenko

        Sure, it could - just like it could use StreetView type object detection to blur out faces and number plates. Who is in the photo is surely just as privacy sensitive as where it was taken? (oh, and "when" - blank the file timestamp while you're at it).

        I don't buy it. For one thing, excess security granularity inevitably leads to complexity, frustration, mistakes and worse overall security (see routine AWS blunders); more generally, the function of the kernel is to supply data to userland for processing, and it should not be meddling with file content. If you don't want EXIF data in your photos then switch it off just like any other image capture setting.

      2. Charles 9 Silver badge

        "The OS could allow apps access to temporary copies of the files that have the EXIF information blanked, unless you choose to allow the app "photo metadata" permissions - that's what you'd use for something backing up photos or copying them off the device."

        How would it know to do that, especially if the app accesses the photos as files rather than as images? If you say it's the OS's responsibility to look for things like magic numbers, that defeats the minimalist approach and can introduce possible exploits by doing a Confused Deputy.

        1. DropBear Silver badge

          "How would it know to do that, especially if the app accesses the photos as files rather than as images?"

          That's just it - no app should access files other than its own unless it's generally meant to handle files or receives access to open certain files directly. An app that just needs access to photos should just receive a string of small image thumbnails (then the selected image in full resolution, if any) from the OS unless it also gets granted access to metadata. To be honest, it's already _hella annoying_ that any app is simply supposed to be able to access _everything_ on the SD...

          1. Charles 9 Silver badge

            "That's just it - no app should access files other than its own unless it's generally meant to handle files or receives access to open certain files directly."

            Which kind of defeats the purpose of things like Gallery apps, which are DESIGNED to go through your storage for pictures and so on. Comes with the territory. And again, your thumbnail idea will just become another potential avenue for a Confused Deputy attack.

            1. Anonymous Coward
              Anonymous Coward

              Accessing as files

              That assumes that iOS apps are accessing files directly when given access to photos, as opposed to getting a handle to some sort of object or stream. Any iOS devs out there who can comment? Since iOS doesn't allow the end user direct filesystem access, I figure apps probably don't get it either. Thus it wouldn't be that hard for them to fix.

              If Android apps are getting access to the files themselves when they access photos, this fix wouldn't be possible there. They'd need to create some sort of virtual filesystem to do this. Maybe it is possible with FUSE, though I haven't really looked at its capabilities so I don't know for sure.

              While I get the "if you don't want EXIF data exposed, disable it" sentiment, the problem is that it is highly useful to have it for yourself. It shouldn't be a decision between giving up the convenience of having that data attached to your photos, and making it available for apps that have photo access to get it too. For instance, if you upload a photo to Facebook, it is a safe bet they're collecting the attached EXIF data for their own use of feeding their advertising monster, even though it is erased before it is posted to Facebook for the world to see. It would be an interesting experiment to start accessing FB through a VPN, upload a bunch of photos with EXIF data altered to say they were taken in Switzerland in the past 48 hours, and see if I start getting shown ads for things to do in Zurich.

              1. ThomH

                Re: Accessing as files @DougS

                It's a metadata interface, with the metadata currently including location*. The actual file might not even be on the device — it might be in the user's cross-device photo stream, in which case metadata could be the full extent of the device's knowledge. You have to issue an asynchronous request that may involve a network access if you want to work with image contents.

                * and dimensions, duration if a video, creation and modification dates, and whether it's a favourite.

              2. Lysenko

                Re: Accessing as files

                That assumes that iOS apps are accessing files directly when given access to photos, as opposed to getting a handle to some sort of object or stream.

                All (modern) operating systems work that way. Accessing files "directly" doesn't even make sense since a file is an operating system construct representing a number of (likely non-contiguous) disk blocks. To open and copy a JPG in iOS you do something like this:

                if let image = UIImage(named: "photo.jpg") {
                    if let jpg = UIImageJPEGRepresentation(image, 1.0) {
                        // write(to:) takes a file URL, not a path string
                        try? jpg.write(to: URL(fileURLWithPath: "photo_backup.jpg"))
                    }
                }

                "image" is a byte stream with the abstract image file contents and "jpg" is the same byte stream wrapped in a JPEG compander. As you can see, it takes one parameter specifying compression level. What you're suggesting is making UIImageJPEGRepresentation suppress the EXIF component based on some global setting, but that's not going to stop a nefarious app parsing "image" directly so you're going to have to shift the code down to UIImage and start parsing content inside APIs that were intended only to marshal byte buffers. But it's worse. They could still do this:

                let folder = try? FileManager.default.url(for: .documentDirectory, in: .userDomainMask, appropriateFor: nil, create: true)
                if let fileURL = folder?.appendingPathComponent("photo").appendingPathExtension("jpg"),
                   let rawJPGData = try? Data(contentsOf: fileURL) {
                    // rawJPGData holds the file's raw bytes, APP1/EXIF segment included:
                    // decode and snaffle the EXIF
                }

                That bypasses the image subsystem entirely and treats the file as an undifferentiated byte sequence. Suddenly we need to move speculative JPG/EXIF sniffing and suppression to every I/O operation.

                There are various steps Cupertino could take with equally varied backward compatibility and performance side effects. A simple example of the former is that a hash of the file as written to disk won't match the verification check once it is read into memory (because the OS altered it) so a robust application (read back after write) will flag all JPG I/O as corrupt, and the performance implications of checking every file read for a potential JPG header are obvious.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Accessing as files

                  What I meant was accessing the same bits that filesystem contains for that file, so the EXIF data would come along for the ride. If presented as a data structure, then the EXIF data could be zeroed (pointer = NULL) for the sensitive structures like location, date, etc. I certainly wasn't talking about reading the raw disk like your reply assumed.

                  1. Lysenko

                    Re: Accessing as files

                    JPG files are byte streams and the EXIF data is part of the header. You can read that into memory as a structured object, but that isn't how it is stored (i.e. it isn't a structured storage document like a .DOC file).

                    You would have to adjust the API so that the only way to open a JPG was via UIImageJPEGRepresentation, which would break just about every file handling app in existence (including cloud storage) and probably most imaging apps too. It also fails to address the checksum mismatch and would strip EXIF data from all image files (not just your own), which might actually be illegal in some jurisdictions, depending upon the terms of use of the image (i.e. you might be stripping out someone's copyright notice).
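The byte-level picture Lysenko describes (the EXIF block is just part of the JPEG byte stream, so anything that can read the file can read it), and the idea raised in reply of blanking only the sensitive structures while leaving a copyright notice intact, as an added Python example; this is not code from any commenter and does not use Apple's APIs. It is a minimal JPEG/Exif parser that walks the marker segments, finds the APP1 Exif block and its GPS sub-IFD, and then shows the two defensive options the thread argues over: `scrub_gps` zeroes the GPS IFD in place, so the Copyright tag and the file size are unchanged, while `strip_all_exif` drops the whole segment, as `exiftool -all=` does, and loses the copyright notice with it. The sample image is constructed inline with hand-laid offsets and is not a decodable picture; only its Exif container follows the standard layout, which is what the functions operate on.

```python
import struct

APP1, SOS = 0xFFE1, 0xFFDA                      # JPEG marker codes used below
EXIF_HEADER = b"Exif\x00\x00"
TAG_COPYRIGHT, TAG_GPS_IFD = 0x8298, 0x8825     # IFD0 tags: Copyright string, GPS sub-IFD pointer
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}  # bytes per TIFF value type

def jpeg_segments(data):
    """Yield (marker, payload_start, payload_end) for each marker segment before SOS."""
    if data[:2] != b"\xff\xd8": raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS: return  # compressed picture data follows; all metadata sits before it
        yield marker, pos + 4, pos + 2 + length
        pos += 2 + length

def find_exif(data):
    """(segment_start, tiff_start, segment_end) of the APP1 Exif segment, or None."""
    for marker, start, end in jpeg_segments(data):
        if marker == APP1 and data[start:start + 6] == EXIF_HEADER:
            return start - 4, start + 6, end
    return None

def read_ifd(data, tiff, ifd_off, endian):
    """Parse one IFD into (tag, type, count, entry_off, value_off, value_size) tuples."""
    base = tiff + ifd_off
    (n,) = struct.unpack(endian + "H", data[base:base + 2])
    entries = []
    for e in range(base + 2, base + 2 + 12 * n, 12):
        tag, typ, count = struct.unpack(endian + "HHI", data[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        # values of up to 4 bytes sit inside the entry itself; longer ones live at an offset
        value_off = e + 8 if size <= 4 else tiff + struct.unpack(endian + "I", data[e + 8:e + 12])[0]
        entries.append((tag, typ, count, e, value_off, size))
    return entries

def exif_entries(data):
    """(endian, ifd0_entries, gps_entries), or None when the file has no Exif segment."""
    seg = find_exif(data)
    if seg is None: return None
    tiff = seg[1]
    endian = ">" if data[tiff:tiff + 2] == b"MM" else "<"
    ifd0 = read_ifd(data, tiff, struct.unpack(endian + "I", data[tiff + 4:tiff + 8])[0], endian)
    gps = []
    for ent in ifd0:
        if ent[0] == TAG_GPS_IFD:   # the location block is a sub-IFD reached through this pointer
            gps = read_ifd(data, tiff, struct.unpack(endian + "I", data[ent[4]:ent[4] + 4])[0], endian)
    return endian, ifd0, gps

def gps_tags(data):
    """Sorted GPS tag ids the image carries; empty when there is no location data."""
    parsed = exif_entries(data)
    return [] if parsed is None else sorted(ent[0] for ent in parsed[2])

def copyright_notice(data):
    """The IFD0 Copyright string, or None."""
    parsed = exif_entries(data)
    for tag, _typ, _count, _e, value_off, size in (parsed[1] if parsed else []):
        if tag == TAG_COPYRIGHT:
            return data[value_off:value_off + size].rstrip(b"\x00").decode("ascii", "replace")
    return None

def scrub_gps(data):
    """Blank the GPS IFD in place: zero each entry plus its out-of-line value, set the count to 0.
    IFD0's pointer still reaches a valid (empty) IFD; file size and every other tag are untouched."""
    parsed = exif_entries(data)
    if parsed is None or not parsed[2]: return bytes(data)
    endian, _ifd0, gps = parsed
    out = bytearray(data)
    for _tag, _typ, _count, e, value_off, size in gps:
        if size > 4: out[value_off:value_off + size] = b"\x00" * size  # e.g. the latitude rationals
        out[e:e + 12] = b"\x00" * 12
    ifd_base = gps[0][3] - 2                                  # the 2-byte count precedes entry 0
    out[ifd_base:ifd_base + 2] = struct.pack(endian + "H", 0)
    return bytes(out)

def strip_all_exif(data):
    """Drop the whole APP1 Exif segment (what `exiftool -all=` does); copyright goes with it."""
    seg = find_exif(data)
    return bytes(data) if seg is None else bytes(data[:seg[0]] + data[seg[2]:])

def build_sample_jpeg():
    """Constructed sample (not a decodable picture): Exif APP1 holding a Copyright tag and a GPS
    IFD for 51 deg 30' N, 0 deg 7' E, then a dummy SOS and EOI. Big-endian TIFF, offsets by hand."""
    def entry(tag, typ, count, inline=None, offset=None):
        value = inline.ljust(4, b"\x00") if inline is not None else struct.pack(">I", offset)
        return struct.pack(">HHI", tag, typ, count) + value
    notice = b"(c) constructed sample!\x00"
    copy_off = 8 + 2 + 2 * 12 + 4                   # IFD0 (2 entries) follows the 8-byte header
    gps_off = copy_off + len(notice)
    lat_off = gps_off + 2 + 4 * 12 + 4; lon_off = lat_off + 24  # GPS IFD (4 entries), then rationals
    tiff = b"MM" + struct.pack(">HIH", 42, 8, 2)    # byte order, magic 42, IFD0 at 8, IFD0 count 2
    tiff += entry(TAG_COPYRIGHT, 2, len(notice), offset=copy_off)
    tiff += entry(TAG_GPS_IFD, 4, 1, offset=gps_off) + struct.pack(">I", 0) + notice
    tiff += struct.pack(">H", 4) + entry(0x0001, 2, 2, inline=b"N\x00")
    tiff += entry(0x0002, 5, 3, offset=lat_off) + entry(0x0003, 2, 2, inline=b"E\x00")
    tiff += entry(0x0004, 5, 3, offset=lon_off) + struct.pack(">I", 0)
    tiff += struct.pack(">6I", 51, 1, 30, 1, 0, 1) + struct.pack(">6I", 0, 1, 7, 1, 0, 1)
    app1 = EXIF_HEADER + tiff
    sos = struct.pack(">HH", SOS, 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + struct.pack(">HH", APP1, len(app1) + 2) + app1 + sos + b"\xff\xd9"
```

Calling `gps_tags(build_sample_jpeg())` returns the four GPS tag ids, `scrub_gps` leaves an image of identical length whose GPS IFD is empty but whose copyright string still reads back, and `strip_all_exif` returns a file with no Exif segment at all. Two caveats follow directly from the thread: an image with no Exif segment passes through both functions unchanged, and because `scrub_gps` does rewrite bytes, a hash taken of the original file will no longer match the scrubbed copy, which is exactly the read-back-after-write objection raised above.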

    2. Jason Bloomberg Silver badge

      The challenge seems to be in allowing apps access to photos just as a person would their friends; which photos a particular friend will be allowed to see, and which they may turn over to see what's written on the back.

      Other than an 'all or nothing' policy, that can get quite complicated quite quickly.

      The easiest solution may be to have separate albums each with their own access permissions and virtual albums which can hold photos from any albums with each retaining the permissions of the source album.

      That of course does mean extra work in ensuring photos go to the correct permissions album, creating those virtual albums and keeping them updated.

      1. Charles 9 Silver badge

        "The easiest solution may be to have separate albums each with their own access permissions and virtual albums which can hold photos from any albums with each retaining the permissions of the source album."

        And if you want to CHANGE the permissions? Say give one friend access to one particular album but another friend access to a different one, each of which could hold a mix and match that has different contexts? At least offer an option to override if you're going to do this.

  3. Anonymous Coward
    Anonymous Coward

    Turn off GPS on the phone.

    Problem solved.

    1. Anonymous Coward
      Anonymous Coward

      Re: Turn off GPS on the phone.

      "Huawei - Building A Better Connected World".... Huawei Dual SIM phones force re-enable GPS slurp on the primary SIM... Is it the fault of the Telco or Huawei? It's not clear, but in short, not all Phones / Android OS versions permit complete GPS shut-off...

      1. Fred Flintstone Gold badge

        Re: Turn off GPS on the phone.

        Can't speak for Android, but killing GPS data for images has been around for a *long* time in iOS. I still have a 3GS here with iOS 6.1.6 which already contained that switch (just checked :) ).

  4. tiggity Silver badge

    stupid

    EXIF data should be accessible if you gave an app permission...

    I have software that specifically uses that (lets me sort images via location / gives location info), very useful when wildlife surveying an area: just take a photo of a plant / animal and (assuming GPS & EXIF are enabled) you have accurate location data for later use.

    So I can send a message to the local wildlife recorder and say, I refound species x in this area that has not been seen for 10 years (giving exact lat / long from the photo to save them the bother of extracting it, but also sending the photo as proof). A bit niche usage, but plenty of reasons to want to access location data (even just mundane stuff such as sorting images by location instead of date).

  5. rmason

    "an oversight by Apple"

    Oversight. Don't make me laugh.

  6. MickyMc

    Mobile Tracking Device

    Having had an iPhone 4S and just moved to an iPhone SE, I was amused when I got in the car to find Google Traffic and Google Maps Destinations flagging up information about my impending trip to work!

    I have never logged into my Google profile on my iPhone and never set my home or various workplace addresses in my phone; Google Maps does have access to GPS as I use it for navigation, and has clearly been logging my arrival and departure times and geo-location information.

    To be honest I have always regarded a mobile phone as part tracking device and part useful tool, so it comes as no great surprise that all of this info is slurped up by Google, Apple and whoever else.

    1. Anonymous Coward
      Anonymous Coward

      Re: Mobile Tracking Device

      iOS gives you reasonable control over it, but it's a decision only you as a user can take: do you want a device tracking you but storing it locally and not sharing it with the manufacturer so that it can predict what you're doing and help, do you want it to share with a 3rd party provider so they can, for instance, detect traffic jams and direct you around them, or do you prefer to prevent the whole data collection and analysis?

      I don't like being tracked, but I accept, for instance, that the TomTom app does that so it can pick up traffic data and, at the same time, helps TomTom with one component of their traffic jam detection system. It's a trade-off I'm accepting. However, if I take a picture I don't like geo data in it, so that's disabled in my phone.

      I prefer devices that allow you to make those choices - they are yours to make, not the manufacturer's or 3rd party provider's. It's not as binary a decision as some make it out to be.

      1. TRT Silver badge

        Re: Mobile Tracking Device

        I find iOS's preemptive calendar journey reminders to be a bit bizarre. Firstly, they don't happen for everything, just sometimes. And secondly, I tied our room booking system in to a set of Google calendars as a convenience and a backup. But even though the primary calendar which gets a copy of everything is hidden, I still get the odd reminder telling me that I need to set off now, walking (at 3am to get the first train from the junction station about 3 miles away) in order to be at work in time for Dr Chin's tissue culture room booking at 7am.

        1. Anonymous Coward
          Anonymous Coward

          Re: Mobile Tracking Device

          I find iOS's preemptive calendar journey reminders to be a bit bizarre.

          Thankfully they made it so that you can disable it. I appreciate the idea, but, like you, I have found it less than perfect so I tend to do that manually.

          The only journey related thing I use is the reminder feature which you can set so it reminds you when you approach or leave a location. Good for things to pick up when you leave work or home or come near a specific shop. That means I must allow it to track me, but that location data is purely local (caveat: as far as I know, of course).

          1. MickyMc

            Re: Mobile Tracking Device

            It's always a trade-off: if I set Google Maps to only track my position when I use the app, then I have to turn it on when I need to use it in a hurry.

            I hadn't noticed that the destinations feature was iOS until I read the other messages. I never use it, but apparently it not only knows where I live and work but also where I last parked my car. The Apple mapping software doesn't seem to afford you the luxury of disabling it.

            Perhaps if it knows all of this information about me it can order me a curry tonight :)

  7. Lee D Silver badge

    Feature-creep caused by overly-open permissions on basic apps.

    No, the camera app doesn't need GPS or location permissions. If a user chooses to add it, they will add it to every photo, by default, forever. And there's no easy way to remove it from all those photos, or strip it when it gets uploaded to other apps / websites that don't also have location permissions.

    Sure, it's as much "the camera app put the location into the image file" as it is "apps given photo access can read the location", but the problem is still creeping into ever-more permissions for the most basic of apps.

    There is no substitute for fine-grained access control permissions.

    1. Charles 9 Silver badge

      There MUST be, or you get switchboard anxiety, aka "too many options".

  8. ecarlseen

    A universal problem

    As noted, pretty much every phone puts GPS info into the EXIF headers in JPEG images (and presumably the next-generation HEIF format as well) by default. So do many modern cameras. Generally speaking, it's an incredibly useful feature that lets you organize your photos by where they were taken.

    The problem is really that the overwhelming majority of people don't understand that this is a thing, and most people give apps access to photos with little thought. One good thing is that many social media platforms like Facebook strip this information out of images when you post them (after saving it for themselves), so at least people downloading your photos can't get at it.

    On a device OS level it would be straightforward to strip certain EXIF headers from an image file before presenting them to an app, but this would mean either duplicating the file (potentially problematic from a storage standpoint if the file is used persistently) or removing the data from the original (in which case legitimate use of that information is also lost).

    1. Anonymous Coward
      Anonymous Coward

      Re: A universal problem

      One good thing is that many social media platforms like Facebook strip this information out of images when you post them (after saving it for themselves), so at least people downloading your photos can't get at it.

      That has its own problems, because Facebook strips out too much: they also nuke the "copyright" tag data. That is tampering with a copyright notice, which is in the US a criminal offence fined at something like $2k per instance.

      That strikes me as a class action waiting to happen (the problem is proving intent, though).

  9. Yilia

    To be frank, it sounds frightening, which means our private information will be leaked easily. How about sharing an interesting picture with my friends from my iOS? Can they download it and recognize the EXIF information? I know one thing from another reply: that Facebook can strip this information out of images, which is pretty good. Now, there are more image file converters on the market, which can convert JPG to TIFF, PNG to JPG, HEIC to JPG, etc., like Joyoshare HEIC Converter. Some of them are designed with multiple functions. But luckily, only JPG comes with EXIF info while other common formats do not.


Biting the hand that feeds IT © 1998–2020