Apple has another privacy controversy on its hands, just weeks after the dustup about applications such as Path uploading users’ contact lists without their permission.
The New York Times has found that once users of an iPhone, iPad or iPod Touch give an application the OK to access location information, the app can access the user’s entire photo library without again asking permission. And that access has been available since the fourth version of iOS was released in 2010.
The Times hired an unnamed developer to create an app to test whether this could be done, and it worked. The article notes that there is no evidence this has ever been done, but it’s technically possible. It quotes David E. Chen, co-founder of app-development firm Curio, as saying:
The location history, as well as your photos and videos, could be uploaded to a server. Once the data is off of the iOS device, Apple has virtually no ability to monitor or limit its use.
With more than 600,000 apps in its App Store, there’s concern Apple is becoming less vigilant in riding herd on developers. Apple didn’t respond to requests for comment. However, The Verge reports Apple is working on a fix. Google also declined to respond to questions about how Android handles this issue.
Meanwhile, according to 9to5Mac, the access goes beyond just photos to include music, movies, calendars and other data. It reports:
Moreover, approved apps also have access to the iPhone’s camera and microphone, so apps can also take pictures and make recordings without permission. … Photos, videos, and audio are transmittable securely or insecurely up to servers that you and Apple do not know about.
To developers, this is no big secret. It is not trivial, but putting that kind of functionality into an app is straightforward and only uses Apple’s publicly available and blessed developer APIs (which means this stuff will not likely be detected by Apple’s App Store approval process).
It’s been almost a year since the outcry over iOS devices storing users’ location data without permission.
ReadWriteWeb, meanwhile, points out that photo-sharing sites such as Instagram and Hipstamatic share only the photos the user designates.
Under pressure from lawmakers after the Path controversy, Apple agreed to tweak its app policy to seek “explicit approval” before downloading a user’s address book.