Your iPhone has a serious privacy concern that allows iOS app developers to take your photographs and record your live video using both front and back camera—all without any notification or your consent.
This alarming privacy concern in Apple's mobile operating system was highlighted by an Austrian developer and Google engineer, Felix Krause, who detailed the issue in his blog post published Wednesday.
The issue, Krause noted, is in the way Apple's software handles camera access.
Apparently, there is a legitimate reason for many apps, such as Facebook, WhatsApp, and Snapchat, to request access to your camera, in an effort to take a photo within the app.
So, this permissions system is not a bug or a flaw instead it is a feature, and it works exactly in the way Apple has designed it, but Krause said any malicious app could take advantage of this feature to silently record users activities.
iPhone Apps Can Silently Turn On Cameras at Any Time
Krause explained that that granting camera permission could enable iOS app developers to access:
- both the front and the back camera of your device,
- photograph and record you at any time the app is in the foreground,
- upload the recorded and captured content immediately, and
- run real-time face detection to read your facial expressions
...and all without warning or alerting you in any way.
Since Apple only requires users to enable camera access one time when they are asked to grant blanket permission to an app and gives free access to the camera without requiring any LED light or notification, Krause explained that a malicious app could leverage this loophole to go far beyond its intended level of access to spy on users.
The researcher has even developed a proof-of-concept app only to demonstrate how a malicious app could abuse such permissions to silently take your pictures every second as you use the app, or even live stream video of your surrounding from your front and rear cameras without notifying you.
Krause said his "goal [to build the demo app] is to highlight a privacy loophole that can be abused by iOS apps."
🔐 Mastering API Security: Understanding Your True Attack Surface
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
Krause has also provided a short video demonstration of the issue, which shows the demo app taking photographs of the person using it every second. The app also included a facial recognition system to detect the person using it.
The researcher warned that such a rogue app could record "stunning video material from bathrooms around the world, using both the front and the back camera, while the user scrolls through a social feed or plays a game."
How to Protect Your Privacy?
There is a little user can do to protect them.
Krause recommended Apple to introduce a way to grant temporary permissions to access the camera, allowing apps to take a picture during a limited period of time, and then revokes it after that.
Another way is to introduce a warning light or notification to the iPhone that informs people when they are being recorded.
Most importantly, do not let any malicious app enter your smartphone. For this, always download apps from an official app store and read reviews left by other users about the app and its developer.
According to Krause, for now, the only practical way to protect yourself is to cover your camera, just like Facebook CEO Mark Zuckerberg and ex-FBI Director James Comey do.