FYI: iOS apps can turn on your camera any time without warning

Researcher pushes Apple to add temporary permissions, indicator lights

A top iOS security researcher has uncovered yet another privacy loophole in Apple's mobile firmware.

Felix Krause, founder of Fastlane.Tools, said the way Apple's software handles camera access and recording is leaving many fans vulnerable to being spied on by apps on their gadgets without any notification or warning.

Krause explained today that because Apple only requires the user to enable camera access one time and then gives free rein without requiring a camera light or notification, a malicious application could go far beyond its intended level of access.

"iOS users often grant camera access to an app soon after they download it (e.g., to add an avatar or send a photo)," the researcher explained.

"These apps, like a messaging app or any news-feed-based app, can easily track the user's face, take pictures, or live stream the front and back camera, without the user’s consent."

The nightmare scenario, said Krause, is an app that is installed and asks once for camera access in order to take an avatar image or upload a photo, only to begin constantly watching the user and uploading the pictures covertly.

He noted that, under Apple's latest iOS version, an app can do things such as detect the presence of a second person, livestream pictures and video from both the front and back camera, and activate the facial detection toolkit, without the iThing's owner getting so much as an alert warning.

For now, Krause said, the only real way to prevent an iOS app from being able to record you without permission is to use a physical camera cover (such as a piece of tape or sticky note) to obscure the sensor hardware. Revoking camera access for apps and then using copy-paste or manually taking photos with the camera app and then importing them to other apps is also recommended.

On Apple's end, Krause said, the issue could be alleviated by introducing one-time access permissions for the camera and adding activity LEDs that indicate whenever the camera is in use and can't be turned off from within the sandbox that all third-party apps use on iOS.

This isn't the first time Krause has poked a major security hole in iOS. Earlier this month he showed how fake signin boxes could be used to harvest account credentials and in September he highlighted the ways metadata could allow apps to covertly track users. ®

Sponsored: Webcast: Why you need managed detection and response

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

Cambridge boffins and Google unveil open-source OpenTitan chip – because you never know who you can trust

RISC-V-based blueprints available for all to freely use
GitHub for mobile was announced at the Universe event in 2019

Closed source? Pull the other one... We love open source, but not enough to share code for our own app, says GitHub

Reviews mixed as mobile software hits GA
taylor swift

IBM tailors Swift relationship after 'review of open source priorities'

Big Blue leaves Swift server workgroup, future of Kitura server app framework uncertain

The great big open-source census: Most-used libraries revealed – plus 10 things developers should be doing to keep their code secure

Linux Foundation hears your gripes about naming schemes, legacy code, and more
Software license image

FUSE for macOS: Why a popular open source library became closed source and commercially licensed

Interview Maintainer: 'Most companies were reluctant to support the project their product depends on because it is available for free'
The two options presented to would-be LibreOffice users: Cancel or Move to bin

Not LibreOffice too? Beloved open-source suite latest to fall victim to the curse of Catalina

Move to bin? Or cancel? There are more options on this version of macOS, but it's still a PITA

Amazon slams media for not saying nice things about AWS, denies it strip-mines open-source code for huge profits

Turns out even with the luxury and protection of billions of dollars, you still can't take any criticism
Figure left behind on a dock as a boat sails away

Copy-left behind: Permissive MIT, Apache open-source licenses on the up as developers snub GNU's GPL

Share all our code modifications with others? Think again, hippie

Biting the hand that feeds IT © 1998–2020