Apple Security Hole Allows Developers Access to Your Photos

By | Mar 7, 2012

Apple and its popular iPhone and iPad are the focus of another security and privacy issue for the third time this year. Software application developers are indicating that the latest issue is related to enabling location for particular apps.

Many apps request access to location information, presumably to coordinate with other mapping or social apps. The user will see a pop-up message that requests approval to "allow access to location information" in photos and videos. When this permission is granted by the user, the app has the capability to copy the entire photo library.

Recent iPhone and iPad security and privacy issues

The New York Times story follows two recent issues related to iOS products. Earlier this year, the iPhone and iPad were in focus because of apps that had access to a user's entire contact library, and then that was followed by the Google Safari cookie controversy, in which tracking cookies were enabled without a user explicitly approving each cookie.

Some of these issues are a result of Apple's newest version of iOS, which provides full access to the photo library. While this improved access and integration was intended to make it easier for users to share their data, it also gives developers the ability to access information that most users may not approve.

"Use Your Current Location" Really Means "Access Your Data"

The popularity of iPhone and iPad devices is due to many factors, but one of the most frequently cited answers is in their intuitive ease of use.

But in this latest case, the pop-up message is rather misleading. The message connected to this matter tells the user "[Appname] would like to use your current location." What the user is truly providing when they click okay to approve the use of current location is in reality access to their data--in the case of photos, all of your photos and videos.

Apple has a well-known review process for approving new apps that is considered to be quite thorough. But the access issue for photos and contacts is not a new matter--it is a well-known fact in the developer community.

Does that mean that apps are not safe and that you as a user should not allow location access? Not necessarily. But as a user, you should be aware of the level of access you are granting to the app.

For enterprise users and their security teams, app review and approval processes should be a standard step of your security and policy process. Similarly, individual users should consider the reputation of developer before approving the download.

As with other purchases (even if it is a free app), it's worth remembering the old warning: Caveat emptor--let the buyer beware. At a minimum, be informed.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

IBM Solution Security & Resiliency

IBM IT security expertise can help medium-sized businesses develop, implement and maintain comprehensive strategies to combat ever-evolving security threats without increasing complexity, cost, or resources required for administration.

Learn More »

More on This Topic

Three Security Concerns for 2016

By Allan Pratt on Dec 4, 2015
As we near the end of 2015, what will 2016 look like in the information security sector? Undoubtedly there be an increase in data breaches across all industries, but will businesses take the high road and inform their customers and ...