The New York Times reported on a glitch in iOS apps that gives app developers access — without permission — to users’ photo libraries stored on their phones or other devices:
As it turns out, address books are not the only things up for grabs. Photos are also vulnerable. After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library, without any further notification or warning, according to app developers.
When an app first asks a user’s permission to use location services, it not only collects that information, but also gains access to the entire photo library — something that users who think their photos are “private” might want to know. The NYT even had a developer create a test app called PhotoSpy to confirm that this was actually possible.
When the test app, PhotoSpy, was opened, it asked for access to location data. Once this was granted, it began siphoning photos and their location data to a remote server. (The app was not submitted to the App Store.)
This capability has been known to developers, according to the Times report, but with the assumption that Apple would not allow apps that “inappropriately exploited” this feature into the App Store. That’s a lot to assume! The privacy implications are obvious. There was no formal response from Apple about the problem, as of the time of the article, and I haven’t been able to find any since then.
After the earlier flap this month about apps such as Path and Instagram actually uploading users’ address books to company servers, this serves as a further blow to consumer confidence that the apps they download aren’t also able to upload private data from their phones without their knowledge. While the address book uploading actually occurred, it is not known whether any current apps have been secretly taking advantage of the loophole in iOS to upload users’ photo libraries. Until Apple addresses the issue, you should be aware of the privacy risk.