iOS apps can read metadata revealing users' location histories

EXIF through a gift shop full of personal data

Krause's demo of how to snoop user locations using EXIF

In what looks like an Apple oversight, a developer has discovered that apps can access image metadata and therefore a pretty good history of iThing users' location.

Felix Krause, founder of Fastlane.Tools, reported the issue here and explains that “If an app gets permission to access the image library, it will get full access to all image metadata also, including the exact location.

“This is a serious privacy issue, as third party camera apps that want to just store a picture the user took, will also get full access to all photos and their locations in their image library.”

It's ridiculously easy to grab user image metadata after that:

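```objective-c
#import <Photos/Photos.h>

// Fetch every image asset in the library (requires photo library permission).
PHFetchResult *photos = [PHAsset fetchAssetsWithMediaType:PHAssetMediaTypeImage options:nil];

for (PHAsset *asset in photos) {
    // location is nil for assets that carry no GPS data
    if ([asset location]) {
        // Access the full location, speed, full picture, camera model, etc. here
    }
}
```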

In his proof-of-concept at GitHub, Krause explains he “built the initial prototype within under an hour”.

The entire EXIF data set is available to an app with permission to access the image library, so it's more than just a user's location. Krause gives the following list:

  • The exact location of each asset;
  • The physical speed in which the picture/video was taken (how fast did the camera move);
  • The camera model;
  • The exact date + time; and
  • Other EXIF image metadata.

All of which opens up very rich potential for abuse.

Krause says Apple needs to rework photo permissions, either by asking a user to give explicit permission for an app to access image metadata, or by separating the permission for selecting a photo from the permission that grants access to the photo library.

The proof-of-concept is available at the App Store (really!).

The Register has asked Apple if it is aware of Krause's research and has any response. If the company responds, we'll update this story. ®


Biting the hand that feeds IT © 1998–2017