If you give an iOS app permission to use your camera, that app could spy on you by taking photos and videos without your knowledge, a developer and security researcher warned on Wednesday.
An app running in the foreground (with Camera permissions) can snap photos and video even if there’s no viewfinder or Camera interface currently open.
A social media app, for example, could be covertly taking pictures when you’re doing something non-Camera related — like simply scrolling through a feed.
The issue isn’t a bug, or even necessarily a security vulnerability, but it is a privacy concern that iOS users should keep in mind.
Developer Felix Krause, who first discovered the app behavior, wrote a PSA blog post about it and created a proof-of-concept app to demonstrate how it could be used to spy on users with either the front- or rear-facing camera without their knowledge.
“It’s something most people have no idea about, as they think the camera is only being used if they see the camera content or an LED is blinking,” Krause told Motherboard. The developer works for Google, but his research on the app behavior was conducted independently of his work there.
Krause’s custom proof-of-concept app, watch.user, demonstrates the app behavior perfectly. It’s a fake “social media” app that periodically takes pictures of users and inserts them into the main feed to show off its covert picture-taking ability. The app even runs a facial recognition engine to detect emotion.
While watch.user doesn’t upload or store the photos in any way, a malicious app theoretically could collect thousands of photos and videos from users, and even upload them online. Currently, it’s unknown how many iOS apps take advantage of the app permissions. Similarly, if there are apps like this on the App Store, it’s hard to tell which ones are specifically malicious.
What makes the issue worse is that iPhones and iPads, unlike a Mac, don’t have any LED lights or other mechanism to indicate when the Camera is active and currently being used.
Krause has since reported the issue to Apple, and even gave a few methods that could be used to thwart malicious covert photo- or video-taking. For example, Apple could install a MacBook-style LED indicator or another mechanism in iOS that can’t be turned off by app developers. It could also create a new type of temporary app permission that expires based on location, Krause suggested.
What You Can Do to Protect Your Privacy
Beyond any Apple-fielded solutions, Krause said that there are only “a few things” users can do to protect their privacy, such as:
1. Use physical lens covers for your front- and rear-facing cameras.
2. Revoke all app Camera permissions and only use Apple’s native Camera app. This, of course, will hinder convenience and usability of many apps. Open Settings > Privacy > Photos or Camera. From here, you can review apps that have permission, and revoke that access with the toggle.
Again, this isn’t a security breach or bug. But it is a good exercise in reviewing which apps you can trust. While major and reputable apps like Facebook and Snapchat are, presumably, safer than smaller and sketchier third-party apps, permission behavior is still something to keep in mind.