Slashdot Mirror


With Camera Permission, iPhone Apps Can Surreptitiously Take Pictures and Videos (vice.com)

An anonymous reader writes: Whenever you give iPhone apps permission to access your camera, the app can surreptitiously take pictures and videos of you as long as the app is in the foreground, a security researcher warned on Wednesday. This is not a bug, but keep it in mind when a random app asks you for permission to access your camera. What this means is that even if you don't see the camera "open" in the form of an on-screen viewfinder, an app can still take photos and videos. It is unknown how many apps currently do this, but Krause created a test app as a proof-of-concept. This behavior is what enables certain "spy" apps like Stealth Cam and Easy Calc - Camera Eye to exist. But even if this behavior is well-known among iOS developers and hardcore users, it's worth remembering that all apps that have camera permission can technically take photos in this way. "It's something most people have no idea about, as they think the camera is only being used if they see the camera content or a LED is blinking," Krause told Motherboard in a chat over Twitter direct message. Krause currently works at Google, but performed and published this research independently of his work there.


  1. Android apps can as well by Anonymous Coward · · Score: 2, Interesting

    So the Google employee also probably knows that Android apps can do the exact same thing. And there are spy camera apps for Android too.

    Slow news day, apparently.

    1. Re:Android apps can as well by jellomizer · · Score: 4, Insightful

      But the new iPhone is going to be released soon, and Google doesn't want it to take the Pixel 2 thunder.
      While in actuality, if you are an Android User you will get an Android Phone, if you are an iPhone user you will get an iPhone. But articles like this help justify your belief that your purchase was somehow superior and you are the smarter consumer because of it.

      Because in order to get people to switch to the other, you really need some major new feature that the other will not have shortly... Or the Other finds a way to really screw up their next generation product, or fails to keep the product up to date over a long period of time.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Android apps can as well by DontBeAMoran · · Score: 1

      My next phone will have a feature that both Android and iPhone don't have: no applications and no spyware.

      What's the smallest, best flip-phone? I don't even want SMS nor a camera. Just a freakin' phone to make freakin' phone calls. /Dr.Evil

      --
      #DeleteFacebook
    3. Re:Android apps can as well by Desler · · Score: 1

      Flip phones have both applications and cameras.

    4. Re:Android apps can as well by DontBeAMoran · · Score: 1

      My current phone is a hand-me-down iPhone 4 but with no sim card, no phone service. Basically an iPod touch.

      --
      #DeleteFacebook
    5. Re:Android apps can as well by DontBeAMoran · · Score: 2

      Translation: all the new technology is being used to spy on us, tracks everything we do and my profile is being sold to thousands of companies for profits, so I'm falling back to older technology where these assholes can't reach me.

      --
      #DeleteFacebook
    6. Re:Android apps can as well by DontBeAMoran · · Score: 1

      Out of the box, plug the phone into your computer and download our app. The phone will update, an account will be created, and you will set up your 9 speed dials.

      ... not really.

      --
      #DeleteFacebook
    7. Re:Android apps can as well by nasch · · Score: 1

      I don't think there is such a thing as a cell phone that doesn't do SMS so you're stuck there. I'm not sure if anyone makes a phone that doesn't have additional apps either. If it's less than ten years old you're probably going to have a calendar, calculator, address book, and maybe music, navigation and a game or two.

  2. News? by Anonymous Coward · · Score: 1

    I thought everyone knew this.
    Oh, it's a vice article. Never mind.

  3. Ric Romero, is that you? by rsilvergun · · Score: 4, Informative

    Give an app permission to use your camera and it can use your camera. Who knew? Also, how slow a news day does it have to be to greenlight something like this?

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:Ric Romero, is that you? by jellomizer · · Score: 5, Insightful

      But we need a reason to hate Apple Products. Otherwise our decision to pick Android Products will seem less important. And buying something that isn't the best deal, is the most mortal sin that an internet user can do today.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Ric Romero, is that you? by Obfuscant · · Score: 1

      Give an app permission to use your camera and it can use your camera. Who knew?

      Yeah. This is a d'oh story. Same thing goes for Android.

      The problem comes when sloppy or malicious programmers write code that wants too many permissions. I am using MobiSystems OfficeSuite and every time I try to look at a document I get the really scary warning that "this app will not work properly" unless Google Play is given permission to access my phone, camera, and occasionally a couple of other things. Sorry? You don't need to access my camera so I can read a document, and it ISN'T A PHONE. Oh, "body sensors" is another mandatory permission for opening an Excel spreadsheet.

      Same thing for the United Airlines app. It demands "camera". Why? So you can get pictures of me being dragged off the airplane without me knowing about it?

    3. Re:Ric Romero, is that you? by thegarbz · · Score: 1

      Nerds knew. But that's kind of the point of the summary, the general thought that has been embedded in smartphone users via rote learning is that camera only does something when it's showing on your screen or flashing an LED.

    4. Re:Ric Romero, is that you? by tepples · · Score: 1

      Same thing for the United Airlines app. It demands "camera". Why?

      I haven't flown in decades, but my first guess involves using the device's rear-facing camera to scan 2D barcodes printed on boarding passes and the like.

    5. Re:Ric Romero, is that you? by Obfuscant · · Score: 1

      I haven't flown in decades, but my first guess involves using the device's rear-facing camera to scan 2D barcodes printed on boarding passes and the like.

      It's the United app. They know what boarding passes I have, and my tablet is not used to scan my boarding pass either for TSA or when I get on the plane. There are dedicated scanners at those check points.

      And no, displaying a QR code on a phone or tablet to be scanned by one of those devices does not require "camera" permissions on the display device.

      No valid purpose.

    6. Re:Ric Romero, is that you? by Dutch+Gun · · Score: 1

      Same thing for the United Airlines app. It demands "camera". Why? So you can get pictures of me being dragged off the airplane without me knowing about it?

      If I had to guess: for taking snaps of QR codes of tickets or boarding passes displayed on a kiosk or home computer.

      Do you know what I'd love to see? When developers submit apps to the store, they are also required to submit a single line for each requested permission which explains WHY they are requesting that permission. What feature requires this? The user could then just tap on a permission to see what it's being used for, and decide whether or not it's a feature they care about.

      At the very least, you could at least force app developers to attempt to justify themselves. A lack of a good explanation would be tantamount to either sloppy programming or malicious intent.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    7. Re: Ric Romero, is that you? by Obfuscant · · Score: 1

      It's for scanning passports for Real ID checkins on international flights.

      The United app on my phone or tablet is not going to be used to scan anything, much less my passport. Don't be stupid. Neither TSA nor United need to use my phone to scan their documents, they have their own scanners. Why would they trust a device that I control to do such things in the first place?

      Sheesh.

      I actually asked about it a long time ago. It's intended for social media so I can show everyone how I am smiling during a United flight.

    8. Re: Ric Romero, is that you? by jellomizer · · Score: 1

      Be careful there. There are many metrics that the Pixel 2 beats the iPhone 8 in (Same CPU as the iPhone X). If you want to say the iPhone is better than the Android you pick the features which it excels in and tout them as important, and dismiss the features it isn't as good in. Or you could do it the other way too. Who knows what problems that iPhone X will have. This is the first Apple Phone with an OLED screen, so it may have the burn in problem too, there are also a bunch of other new features that may not work well in mass produced state. If you are going to get the iPhone X, I would probably recommend the Apple Care, as you may get a bunch of extra problems at first.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  4. Huh? by Desler · · Score: 1

    A security researcher was needed to know that if you give something camera access that it can use your camera to take pictures and video? Isn’t that the whole point of allowing an app access to the camera? What else did they think the permission granted?

    1. Re:Huh? by Desler · · Score: 2

      While it’s in the background? Huh? To quote the summary:

      the app can surreptitiously take pictures and videos of you as long as the app is in the foreground

  5. People don't care by DogDude · · Score: 1

    99.99% of people don't give a shit.

    --
    I don't respond to AC's.
    1. Re:People don't care by Desler · · Score: 1

      Why would they? The whole point of allowing the permission is to allow apps to use your camera.

    2. Re:People don't care by InvalidsYnc · · Score: 1

      Probably more of the point of it is if that "Destiny 2 super companion app" asks you for permission to use your camera and microphone, tell it to F off, as there should be no reason for it to have access to those.

    3. Re:People don't care by Obfuscant · · Score: 1

      tell it to F off, as there should be no reason for it to have access to those.

      And then some apps will tell you to F off, they aren't going to run. I have a Galaxy Tab, and the "Galaxy Apps" demands access to "phone" and "contacts". It has no need to know my contacts, and it isn't a phone so it doesn't need 'phone'. If I don't give it those permissions, it just closes.

      I have no idea what services "galaxy apps" would provide to me because of that. If Samsung is trying to differentiate its product by giving me wonderful free apps that do great things, then it should know it is accomplishing just the opposite.

  6. Spying on you in every way possible by Seven+Spirals · · Score: 1

    That's the business model. As Bruce Schneier says it's a "Surveillance Business Model". That's the "deal". They give you a set of crappy applications for free, you ignore the fact that they can and will spy on you to the maximum degree they think they can get away with (and beyond if they think they can hide their activities from you). OF COURSE these apps are gonna take your picture without you knowing. If they thought they could hold pictures of you fucking your wife for ransom, they'd do that too. If they can convert your everyday speech to text and log your entire day's conversation to mine with AI for marketing tips or other ways to pull some kind of overseas Bitcoin blackmail, THEY WILL. If you think that last bit came from my tinfoil hat, you must have been asleep when Samsung did it with their smart TVs while they were supposedly turned off. All this spying and dishonesty is really fundamentally part of the new corporate business model. It's not a fluke, or news; it's the new normal.

  7. Why we need physical switches standard by HalAtWork · · Score: 1

    I don't need those permissions active all the time. Plus there's bugs and hacks.

  8. Uh... duh? by wonkey_monkey · · Score: 1

    Whenever you give iPhone apps permission to access your camera, the app can surreptitiously take pictures and videos of you

    Wow, really? Whoever would have guessed?

    but performed and published this research

    This is hardly research. I certainly hope it isn't the epitome of this security researcher's career.

    --
    systemd is Roko's Basilisk.
  9. Felix Krause by 110010001000 · · Score: 1

    The "researcher" is Felix Krause, who works for Google. His previous revelation was that apps could create input dialogs that look like password entry screens. He neglected to mention that Android phones have the same "flaws".

  10. No shit, Sherlock? by nospam007 · · Score: 3, Insightful

    "Whenever you give iPhone apps permission to access your camera, the app can surreptitiously take pictures and videos "

    I'm flabbergasted, next you'll tell us if I give them permission to use the microphone, they can listen to us.

    1. Re:No shit, Sherlock? by R3d+M3rcury · · Score: 1

      In their defense, one issue you might run into would be a one-time-use thing.

      For example, iTunes wants to use your camera so that it can read your iTunes card and update your balance. Which is a good thing. And when it asks if it can use your camera, it says that it only wants to do it so that it can read your iTunes card.

      But what's to say it isn't doing it for other purposes? It certainly can because I said, "Yeah, okay, iTunes can use the camera."

      Now, I don't remember if there's a "Ask Each Time" option or not. But perhaps there should be...

      As an aside, Apple aficionados, I'm not implying that Apple is doing this. It's merely an example.

  11. QR scanning needs camera permission by tepples · · Score: 1

    if that "Destiny 2 super companion app" asks you for permission to use your camera and microphone, tell it to F off, as there should be no reason for it to have access to those.

    I don't know about that. Does Destiny 2 expose an API for companion apps that allows syncing a companion app to a player's account by photographing a 2D barcode displayed on the screen?

    1. Re:QR scanning needs camera permission by nasch · · Score: 1

      If it does, the app permission dialog should clearly explain that, and then if the permission is refused the other features of the app should continue to work normally.

    2. Re:QR scanning needs camera permission by tepples · · Score: 1

      if the permission [to photograph a barcode representing a user account] is refused the other features of the app should continue to work normally.

      What would the companion app do without being logged in? If the user refuses the means by which the user logs in, how are the "other features of the app" supposed to authenticate in order to "continue to work normally"? Or would you prefer to require players to key in a 32-digit UUID displayed on the screen?

    3. Re:QR scanning needs camera permission by nasch · · Score: 1

      IIRC from when I used the Destiny app, display news and general information about the game.

  12. Separate foreground and background permissions by tepples · · Score: 2

    Perhaps the intent is that "foreground microphone" and "background microphone" ought to be split into separate permissions, as ought "foreground camera" and "background camera".

  13. Lots of snarky replies to this one, but ... by King_TJ · · Score: 2

    I think it's still a really valid question.... Why aren't these phones designed so an indicator light on them has to be lit if the camera is in use by something? Wire that up in the hardware so it's not a light you can bypass via clever software coding.

    Even if you don't care a bit about some app trying to sneakily take pictures or video while you have it running in the background, that impacts your battery life so you'd want to know about it just for that reason.

    Just because I grant an app permission to use the camera doesn't mean I'm ok with it trying to mis-use the camera input for other purposes than its stated function it performs while in the foreground.

  14. Why no notification icons? by hankwang · · Score: 1

    Hardware real-estate is precious. You could use a multi-color notification light, but I already have trouble remembering which color means what.

    Instead, just use a notification icon. Android supports screenshotting through 3rd-party apps, but will show an icon whenever a screenshot is being taken. The same could be done for the camera and microphone. Although the microphone may be troublesome in the case of always-on "ok google" detection.