Apple is under fire after developers discovered that a location feature in iPhone and iPad apps may actually give app developers full access to users' photos without any notification.
In the New York Times Bits blog, Nick Bilton explained that after an iPhone, iPad or iPod Touch user grants an app permission to access their location information, the app can, without any warning, copy the user's entire photo library and upload it to a remote server. The loophole, Bilton said, was likely introduced in 2010 with Apple's release of iOS 4.0.
It's unclear if any official Apple apps are copying user photos, Bilton said. Still, the possibility worries experts.
Your photo privacy at stake
David E. Chen, co-founder of the app development company Curio, told Bilton this loophole gives app developers an unwarranted and uncomfortable amount of information about those who download their apps.
"Conceivably, an app with access to location data could put together a history of where the user has been based on photo location," Chen said. "The location history, as well as your photos and videos, could be uploaded to a server."
Once that occurs, Chen said, it becomes nearly impossible to know how the siphoned data is being used.
"Once the data is off the iOS device, Apple has virtually no ability to monitor or limit its use."
Apple did not respond to a request by SecurityNewsDaily for comment. Joshua Topolsky from the tech website The Verge said he spoke to a source familiar with the issue who said Apple is aware of the loophole and is likely planning a fix with the next release of iOS.
Another developer, John Casasanta, owner of Tap Tap Tap, said this glitch casts Apple, and specifically its stance on privacy, in a bad light.
"It's very strange, because Apple is asking for location permission, but really what it is doing is accessing your entire photo library," Casasanta told the New York Times. "The message the user is being presented with is very, very unclear."
(Casasanta's company is behind Camera+, an immensely popular app that, ironically, was spoofed in late January when a rogue developer snuck a fake version of the app into the App Store. After a blogger alerted Apple, Apple quickly removed the fake Camera+ app.)
To verify the security glitch, Bilton asked an unnamed developer to create a proof-of-concept app that, upon receiving permission to access location data, could harvest an iPhone user's photos. The developer created PhotoSpy, which did just that, stealing photos and sending them, as well as their location data, to a remote server. (PhotoSpy was only built as a test app, and not submitted to the App Store.)
The iPad 3
This app risk has drawn particular attention because of yesterday's announcement about Apple's March 7 press conference, where it's expected the company will unveil the new iPad 3.
And, as with any major announcement, especially one as noteworthy as a new Apple gadget, scammers have come out of the woodwork to feed on the public's overwhelming interest and excitement.
Graham Cluley from the security firm Sophos wrote in a company blog that even though the iPad 3 doesn't exist yet, Twitter and Facebook scams have already sprung up offering free iPad 3s.
"Chances are that we will see Apple announce an iPad 3 very soon," Cluley wrote. "But don't be duped into believing there's an easy way to get one for free."