Google engineers say that any iOS app with camera access can secretly take pictures or record users. The flaw appears to be a design issue, and Apple has not yet commented on it.
Apple’s iOS has a flaw that any rogue app could exploit to take pictures of users or stream live video using the front or rear camera. A Google engineer has shown that any app with permission to access things like photos, the camera and location on iOS can secretly capture photos or stream video once iOS users have given the app access.
Google engineer Felix Krause explains that granting an iOS app camera permission gives it access to both the front and rear cameras. Such an app can then take pictures and record users at any time while it is running in the foreground. He also created a demo app to show that apps with camera permission can instantly upload content and even run real-time face detection to read users’ facial expressions. Krause has posted a video on YouTube of his demo app recording video and taking pictures without raising any alarm.
Given that all of this happens without any notice or indication from the system, the problem seems troubling at first. On iOS, apps need permission to access certain features, such as the camera or photo gallery. The problem presented by Krause seems to be part of the design and is not something introduced by individual apps.
Krause says iOS users have little control over this behavior and have no option to prevent it. He recommends protecting the camera with a cover or revoking camera access for all apps. In a blog post, Krause suggested that Apple should temporarily suspend camera permissions or add indicators to notify iOS users when the device starts recording. He believes that adding a Mac-style LED to the front of the phone, which lights up whenever the device is recording, would be a clever option.
Apple has not yet acknowledged the problem or said when it plans to do so. Apple has shipped more than 1 billion iPhones worldwide, so the problem pointed out by Krause could lead to serious collection of user data.