Your Private Photos on your iOS Devices? Not so Private After All

Social networking app Path demonstrated a serious flaw in iOS security earlier this month, when it was able to download all of a user’s contacts without notification or agreements. As a result, Congress demanded that Apple reveal how it is handling private information, and Apple promised to deliver a more transparent privacy policy.

Just what do app developers have access to? According to a new investigation into photo and video sharing on iOS by The New York Times, developers are able to gain access to your photos and videos when you click “agree” on that button that gives them the ability to collect location information.

An excerpt from the article:

After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library, without any further notification or warning, according to app developers.

It is unclear whether any apps in Apple’s App Store are actually doing this. Apple says it screens all apps submitted to the store, and presumably it would not authorize an app that clearly copied a person’s photos without good reason. But copying address book data was also against Apple’s rules, and the company let through a number of popular apps that did so.

In order to test whether an app can actually access and download photos, The New York Times hired an iOS developer to create a test application called “PhotoSpy.” The app asked to access location information, and once that was granted, it was able to download photos and their location data to a remote server (this app was not put in the App Store).

“It’s very strange, because Apple is asking for location permission, but really what it is doing is accessing your entire photo library,” said John Casasanta, owner of Tap Tap Tap and creator of the Camera+ app. “The message the user is being presented with is very, very unclear.

I don’t know about you guys, but when I click that button that allows developers to access photo locations, I am not giving them permission to download my entire photo library. That’s unacceptable, and that wording is not included in the agreement.

Sure, Apple may be monitoring how apps use our data (and would, theoretically, reject any app that intended to download user photos), but who knows what can slip through. All those fake Pokemon apps were Apple approved, after all. We need specific, clear permissions so we know exactly what information developers are able to access.

Hopefully this exposé from The New York Times combined with Apple’s intent to create new privacy policies will eliminate the potential problem before unscrupulous app developers begin taking advantage of it. Our private information needs to stay private.

[via The New York Times]

About Juli: Contact me via Twitter: @julipuli

  • jarland

    This is a feature. People want apps to be able to work with the devices, not stand alone unable to communicate with the device’s features or other apps. You also have to balance security and convenience. You can’t very well have the device constantly asking for access to every little thing or the annoyance can drive users to just auto allow or start authorizing without much, if any, thought.

    Also, Apple is actually quite strict about how and why apps access photos. I’m not sure why they were less strict with the address book, but that’s the reality. They will deny an app that has no business accessing the information, and users should always be aware that having a website/service/app doesn’t make you trustworthy.

    There is always room for improvement, but every action has intended and unintended effects.