iPhone Apps with Camera Permissions Could Secretly Take Your Picture
When is your phone able to take a picture? Put that question to the average user and chances are they will say something about having the actual camera viewfinder on screen. Whether it’s from the default camera app, Instagram, or Facebook, we all expect that the camera isn’t at work when we can’t see ourselves on the screen. As one Google researcher, Felix Krause, recently uncovered, however, that is not actually the case. In fact, when users grant apps permission to use the camera, those apps can access the camera whenever they like during operation.
In other words, if a user has an app with camera permission running in the foreground, it has the power to take pictures even when the user does not have a viewfinder open. The app can also capture video in this scenario. It could then, if the app’s designer wanted, exfiltrate the data off your device, all without ever alerting you to what’s happening. As surprising as that may sound, this isn’t a bug. This functionality underpins some popular apps on the App Store and is a key feature in the way some apps take photos for security purposes, such as when an unauthorized user inputs a wrong password.
Even though this “feature” may not be a bug, you could still easily describe it as a security flaw. The main issue at play is the fact that the iPhone has no way to indicate when the camera is in use or when a picture has been taken. With iOS 11, the iPhone now displays a constant banner whenever an app uses your GPS location in the background. Yet there is no LED or on-screen notification to indicate when an app takes a picture.
The privacy concerns are clear, especially given the significant number of apps that ask for permission to access your camera at one point or another. In a hypothetical example, Facebook could surreptitiously take photos of you to analyze your current mood based on facial expressions — and you might never know. Apple has not publicly commented on the findings presented by Krause yet. For now, there is no evidence that any app has abused this functionality. Even so, users may wish to carefully review which apps have permission to access the camera or to use camera covers when they are not using their camera.