After the recent uproar over the way that applications were handling your contact information, it only stands to reason that any existing skeletons would be swept out of the closet as well. The latest bit of information to come to light is that, if an app is given permission to access a user’s location, it can also access, and upload, the entirety of that user’s photo library, reports The New York Times.
The Times’ Nick Bilton looked into the issue a bit deeper and polled a few developers for more information. One anonymous developer even created an application called ‘PhotoSpy’ (which was not posted on the App Store) that used this location permission to upload the photos from the Camera roll of an iPhone.
The New York Times asked a developer, who asked not to be named because he worked for a popular app maker and did not want to involve his employer, to create a test application that pulled this information from an iPhone. When the “PhotoSpy” app was started up, it asked for access to location data. Once this was granted, it began siphoning photos and their location data to a remote server. (The app was not submitted to the App Store.)
Knowledge that this was possible has been around for some time in development circles, and the developers that I asked about the bug were largely familiar with it. Ostensibly, an application that requests access to a user’s location is given access to the photo library due to its use of the geolocation feature, which embeds a location in a photograph.
Note that a user would have to opt in to sharing location data with the app before it was given access to the library. Still, the message to the user does not make it clear that their photos will be shared. Developer Benjamin Mayo actually tweeted about this handling of Camera Roll access a couple of weeks ago, and I marked it but was unsurprised, as it is fairly well known in development circles.
Why this is necessary for all location-based apps is the real question here. The publication found no evidence that any app on the App Store was actually using this permission to access and upload photos.
This isn’t necessarily a loophole, as the article puts it. Instead, it seems to be an intended permission given to location-based apps. Access to the photo library was first given in iOS 4, and the developers that the Times interviewed are mostly confused about why so much access is given, rather than surprised at a perceived bug or ‘loophole’.
“It’s very strange, because Apple is asking for location permission, but really what it is doing is accessing your entire photo library,” John Casasanta, of Tap Tap Tap, makers of Camera+, told the Times. “The message the user is being presented with is very, very unclear.”
This is yet another issue that bears closer scrutiny when it comes to the permissions that Apple gives to applications with regard to how they access users’ private data. Developers definitely have a responsibility to handle that access responsibly, to be sure. But the onus is also on Apple to set up rules that govern this usage carefully.
To this end, Apple recently agreed to be more up-front about how much access apps have to your private data in response to a request by the California Attorney General.