Sharing photos on Facebook should be easy. Automatically sharing your entire photo collection unknowingly with app developers should be impossible, but it isn’t.
A recently exposed loophole in the iPhone, iPad and iPod Touch reveals that app developers can easily download a device’s entire photo collections by asking the user to disclose her location, the New York Times reported. Once a user allows an application to access their location, the app can download the entire photo library, without any further notification.
The news comes shortly after reports that some apps had accessed users address books without their knowledge.
It remains unclear if any apps are illicitly using users photos, and photo copying is not specifically forbidden by Apple, though downloading a user’s address book is. Apple is supposed to screen all apps submitted to its store, but had approved numerous apps that collected address book information despite it being against the rules.
Apple’s devices ask the user for permission to access location upon first use, with a pop up message stating approval “allows access to location information in photos and videos.” Saved photos and videos typically include the coordinates of the location they’ve been taken, which could potentially put users at risk if app developers trend towards the dark side. The data could be used to piece together where the user has been based on this location.
Apple devices first allowed full access to the photo library in 2010 with the release of the fourth version of iOS in order to make photo apps more efficient.
The New York Times even worked with a developer to create a test app, PhotoSpy, which could siphon photos and location to a remote server once permission had been given to access location data. Don’t expect to see it in Apple’s app store anytime soon.
As for the rest of the apps in the store, however, who knows? One would think Apple would have guarded against this, but that’s the trouble with thinking. It assumes common sense is common. Apple’s vulnerabilities reveal much more beneath surface. If address books and honeymoon photos can be accessed by any developing geek, what’s next up for grabs?