FYI: iOS apps can turn on your camera any time without warning

A top iOS security researcher has uncovered yet another privacy loophole in Apple's mobile firmware. Felix Krause, founder of Fastlane.Tools, said the way Apple's software handles camera access and recording is leaving many fans vulnerable to being spied on by apps on their gadgets without any notification or warning. Krause …

  1. David Shaw
    WTF?

    Great, so my new Samsung Galaxy ‘X’, if I can afford it, will have colorful post-it notes back and front!

    Have you all tried the iOS11 calculator trick yet?, seeing how quickly you can use Calculator to add 1+2+3, and just how big the answer can be?

    Applesauce

    1. Dan 55 Silver badge

      Buy a webcam cover (just like we used to have in the olden days) if tape isn't your thing?

    2. Steve the Cynic Silver badge

      "Have you all tried the iOS11 calculator trick yet?, seeing how quickly you can use Calculator to add 1+2+3, and just how big the answer can be?"

      With apologies to the Winsock Lame List(1):

      Mired in a sweaty mass of lameness

      (1) https://tangentsoft.net/wskfaq/articles/lame-list.html

  2. Anonymous Coward

    "such as a piece of tape or sticky note"

    Unless they become the must have fashion accessory it's not going to happen.

    I'm not worried about the camera, feel free to have a picture of my ceiling, it's the microphone I worry about as I don't want anyone hearing me grunt like a female tennis player come the money shot.

    1. Anonymous Coward

      That could be the perfect time to activate Siri, though.

      :)

  3. Anonymous Coward

    Apple

    The retail arm of the NSA

    1. CustardGannet
      Black Helicopters

      Re: Apple

      Man, it looks like the NSA trolls (or Apple fanbois) have been out in force on this comments section. Downvotes all round for anyone criticising our new electronic overlords!

  4. Tom 64
    Windows

    Trouble is,

    both Apple and their customers stick their fingers in their ears and scream 'LA LA LA, CANT HEAR YOU' whenever anyone mentions security issues with their kit.

  5. This post has been deleted by its author

  6. Anonymous Coward

    Couldn't that facile argument be made for every setting?

    "I turned on global roaming I just wanted to check <x> and didn't turn it off, it stayed on for 2 weeks and my phone bill was...."

    1. Mike 16 Silver badge

      stayed on for 2 weeks and my phone bill was...."

      Doesn't take two weeks. Back in the early 1970s a classmate called his brother in Belgium (I have no idea why his brother chose Belgium for his year abroad, but there it is), talked for a while, then both left their phones off hook as they went about their days, chatting again on and off. After 24 hours and a few minutes, they hung up. When the bill came, originating brother (in California) protested to The Phone Company that this was clearly a fault in their billing system as "Who would call Belgium for a whole day?". He agreed that he had made a "few minute" call, but did not recall precisely how long. They removed the entire charge and I assume had some poor technician fruitlessly chasing down the "real cause".

      All of which has nothing to do with mobile cameras, but as an illustration that "weird stuff happens" (sometimes on purpose), and has been for many years. If you have ever lent out a physical key to anybody, you should assume they made a copy and act appropriately (which may mean just get on with life). Your (and only your) task is to decide what is appropriate. (I use a camera-less flip phone with a removable battery, but that's me.)

  7. JohnMurray

    I hope they see something interesting on mine....

    Otherwise... #boring

    Shit...it's in a wallet!

  8. Bob Vistakin
    Facepalm

    Just needs better AI

    Same applies to Android.

    Yes you can use my camera, but only when I want you to.

    Oh, and some mind reading ability would be required too.

    1. DropBear Silver badge

      Re: Just needs better AI

      Hardware switches physically cutting power to the camera (/ mic preamp / whatever) would easily fix this, they should be widespread by now. If you're concerned with the "user experience", make them three-positioned: "off", "on" and "auto"...

  9. Anonymous Coward

    "Hardware switches"

    How 19th century.

    1. Uffish

      Re: 19th Century switches

      Ah, the good old SPST switch, probably even older than 19th century and there is nothing better for its intended purpose. Fashion-loving fanbois just don't understand the real world.

  10. DougS Silver badge

    Maybe they need a new permissions category

    Well first of all this is sort of theoretical. Apple reviews apps before they hit the app store, and while that process most certainly isn't 100%, they do reportedly look at the APIs being accessed, so if an app that was supposedly only accessing your photo library for an avatar on a message board turned out to be using the video camera API it'll probably get flagged and rejected. Even if something gets through, if an app is being actively evil like taking pictures of people without permission Apple can disable it on everyone's phones (pretty sure Google can do this as well, and actually did it for at least one app in the past).

    Anyway, one possible solution is that they could separate the permissions for the camera from permissions for accessing your photo library, so an app that only needed to grab a photo couldn't take pictures. But that still leaves the possibility that once it has that permission which you only gave it to access one photo it could download all of them. Depending on what sort of photos you have taken or saved on your phone, that might be even worse than accessing your camera.

    Instead of making permissions either off or on - with "on" being permanent until you turn it off again - maybe add a third option to approve just a specific access. So if an app needs to access your camera (like the app I use to check lottery tickets which uses the camera to look at the QR code and tell me if it was a winner or not) then I could approve it just that one time. Maybe it would remember that setting for a few minutes, in case I wanted to check another ticket, or in a different app if you wanted to access multiple photos from your library.

    Finally, this isn't exactly unique to iOS. I don't know if Android would have the same issue, but I'm guessing so. But far worse is Windows - there is no per application permission for the camera. That's why so many people disable the camera in their BIOS, or put tape over it. Even if you don't have any applications doing bad stuff, you could always get malware that does. A PC that takes pictures/video while unattended may be even worse than a phone, if you leave the lid up. Depending on where it is left, it could record kids getting undressed, sleeping, or whatever. But yeah, let's ignore Windows and worry about phones that at least try to do the right thing by having permissions, but just don't quite go far enough...

  11. Annihilator

    Live view?

    While it’s true you normally give all-time permission, is it not the case that when the camera is active, there is always some live view on the screen?

  12. Timmy B Silver badge

    Permissions Changes

    It's kind of obvious - make the permissions to use a particular part of the phone "Yes, every time", "No, never" and "Ask each time". Or even add an "Ask me every x days" option. It's not a whole load different and far more flexible.

  13. Mark 65 Silver badge

    Question

    Surely this only applies if the app is running? Keep track of what has access to the camera - if it is for avatars then create and remove privilege - and make sure you don't allow apps to stay live if you don't trust them. For those who might add that "for Skype/<insert comms app here> it needs to be running to field calls" I would say there's a price to be paid for convenience so make sure you're ok with that.


Biting the hand that feeds IT © 1998–2019