They’re watching you
Are your apps filming you? Google researcher spots security hole.
Google engineer Felix Krause has detailed a vulnerability in iOS that means any app with permission to use the camera on your iPhone or iPad can secretly film you or take pictures of you — whether you are aware of it or not.
The problem stems from the fact that once you give an app permission to access your camera, it can do so at any time provided that it’s in the foreground… and Krause has created a demo social networking app called watch.user, which does exactly that, to show how the potential exploit works.
Talking about the issue on his website at krausefx.com, Krause says: “iOS users often grant camera access to an app soon after they download it (e.g., to add an avatar or send a photo). These apps, like a messaging app or any newsfeed-based app, can easily track the user’s face, take pictures, or live stream the front and back camera, without the user’s consent.”
There is also an issue with facial recognition technology, says Krause. “Using the new built-in iOS 11 Vision framework, every developer can very easily parse facial features in real time, like the eyes, mouth and the face frame.”
Although Apple is pretty good at policing the apps posted on the App Store, its checks and balances aren’t flawless — as it discovered last April with the Uber app, which secretly tracked users even after they’d finished using the ride-sharing service.
Krause says the best way to protect yourself from rogue apps that may try to take advantage of your iPhone or iPad’s camera in this way is to revoke permission for all apps, to use only the built-in Camera app, and to use the image picker in an app rather than giving it blanket access to either the contents of your Photos library or your camera roll.
The other way, of course, is to cover the camera on your device when you’re not expressly using it by buying a camera cover, or placing a piece of insulation tape or even a sticky note over it. It’s inelegant, but it might just protect your privacy.
Krause has reported the issue to Apple and says there are several easy fixes, which include: forcing an app to display an icon when the camera is active; allowing camera access only temporarily; and adding an LED indicator light to the front and back cameras on iOS devices that lights up when the camera is in use. Apple could prevent apps from bypassing this tell-tale indicator by sandboxing apps the way macOS does.
Krause’s app shows the exploit in action.
Face recognition? Great, but any app can parse your facial features.