The iOS privacy loophole that’s staring you right in the face

Ever use your iPhone or iPad to access social media while you’re in the bathroom?

Of course you have. But you might not have realized that you were inviting a potential audience to hang out while you’re doing whatever it is you do in there. That’s because once you grant an app access to your camera, it can snap photos and videos without telling you, whenever it wants to (with both the front and rear cameras), upload the content, locate you with image data, run facial recognition on whatever it sees, and record you – all without a green light to indicate what it’s up to.

No LED, no light, no phone clearing its throat in embarrassment – just you and your quiet buddies, the camera-happy apps.

It’s always been this way. We just didn’t notice. Until, that is, Felix Krause pointed it out.

This is what a bad app (Krause imagines a “messaging app or any news-feed-based app”) could get up to by using regular iPhone/iPad camera permissions:

  • Access both the front and rear cameras.
  • Take pictures and record videos any time the app is in the foreground.
  • Find out where you are using the Exif data embedded in images.
  • Upload pictures or videos to the internet.
  • Detect facial features or expressions.
  • Run real-time face recognition.

Krause’s theoretical bad app could abuse its go-ahead-and-use-the-camera-whever-you-like access wherever you use your device: in your bathroom, in the bedroom… or a gym locker room… or the nursery… or the playground… for similar privacy-invading naughtiness.

If any peeping Toms wanted to weaponize this loophole, you can imagine what would result: something like a pocket-sized version of a hacked webcam.

You’ve heard of the creeps who trick women into taking their webcams into the shower? Given that this privacy loophole subtracts the tedious and not 100% guaranteed success rate of the “talking them into it” part of the equation, and bingo! You could wind up with the perfect stalker app.

What’s that, you say? You never grant camera permissions to apps? HA!

Krause points out that if you’re using a messaging service, like Messenger, WhatsApp, Telegram or anything else…

chances are high you already granted permission to access both your image library and your camera. You can check which apps have access to your cameras and photo library by going to Settings > Privacy.

The only sure way to protect yourself is to put tape (or a webcam cover) over your camera lens, he says, just like we all use on our laptop cameras or other webcams (because you do that, right? Hell, even Mark Zuckerberg applies sticky technology!).

Of course, sticky notes can’t protect you from your device’s microphone recording you without letting you know. If an app can use your mic, then guess what?

It can use your mic.

We don’t know of a modern phone that has either a webcam or a mic LED (nor of a laptop with a mic LED), so this is kind of the way of the world, isn’t it?

Well, the app *could* indicate whether it was recording you… though it might not. As always, it depends on who, or what, you trust.

And when it comes to trust, Apple’s iOS apps don’t tend to grab the headlines as much as Google’s Play store apps when it come to misbehaving (Google’s so keen to clean up the Play store malware muck that it’s now paying bug bounties even on third-party apps), but they’re not immune from jerky apps.

Take, for example, the iOS version of AccuWeather: a researcher recently found that it tracks you even when you explicitly tell it not to.

Sure, it’s always been this way, but it reminded Naked Security’s Mark Stockley of Google’s Your Timeline – something that follows you around, painting a very accurate picture of your daily life, typically without people realizing that they’d ever turned it on.

Mark’s musings:

My laptop has a green light. Even Google glass had a light. My phone does not have a light AFAIK but it never occurred to me before.

Or perhaps it’s like Facebook tracking your mouse movements and keystrokes. Sure, I know it can do that because I know how JavaScript works, but does my Dad?

We expect a web page to wait for us to click a button before it grabs the data that we’ve put into a form. But it’s a convention, not an actual feature. Only we don’t know that it’s a convention because our mental model is conditioned by the behavior of all other forms in all other contexts, and the presence of a “submit” button.

By convention apps that take a photo have a button you press to use the camera. Our expectation is that WE control the camera via the app, not that the app controls the camera but elects not to exercise that control until we use the button it’s done us the courtesy of rendering.

If only our phones, and laptop mics for that matter, had hard-wired green lights.

How to keep your camera out of your business

While we wait for our green lights,  it’s easy enough to change the setting as needed. If an app wants the camera when you’ve blocked it, it will remind you but won’t get access until you go into Settings and change it.

Be careful which apps you trust with the camera or microphone, and shut them down (double-press home and swipe them closed) when not using them. Don’t leave them running in the background.

Naked Security’s Paul Ducklin says he tries to close all running apps on his phone – email, Safari, Twitter and so on – before he “airplanes” it for the night. Doing that means he starts each day with an empty process list of apps. “Less is more,” he says.

Another tip from Paul is to regularly review your apps from the Settings page to see which ones have camera and microphone access. For example, only allowing Twitter to access your camera when you’re ready to tweet pics.

This is what your Settings menu would look like:

But in Twitter, it would be set up like this until you’re ready to grant access:

Finally, we’d be remiss if we didn’t note that Paul trusts the free Sophos Mobile Security iOS app to use his camera. (He uses it to read QR codes because it checks the URLs for malware when it scans code.)