Engineer proves any iPhone app with permission to access the camera is capable of spying…

By Malcolm Owen
Thursday, October 26, 2017, 06:48 am PT (09:48 am ET)

A Google engineer has demonstrated it is possible for a malicious iOS app to spy on a user, with a proof of concept app capable of photographing or recording from both iPhone cameras without the user’s knowledge, all by exploiting the permissions granted by the user allowing access to the cameras.

Researcher Felix Krause, founder of Fastlane.Tools, created the watch.user concept app to show how far the camera permissions could be pushed, reports The Next Web. Once granted, Krause advises it is possible for an app to photograph and record from the cameras any time the app is in the foreground, without informing the user the images and video are being captured with flashes or other indictors.

Krause also claims it can then upload the images and video to an app’s servers, including broadcasting a live feed from the iPhone itself. It is suggested that it is possible for a malicious developer to determine the user’s location based on the image data, and to run facial recognition on still frames to find other photos of the user or to discover their identity.

A video demonstrating the test app’s capabilities also shows it can also track the movements of the user’s mouth, nose, eyes, and the entire face, and can even determine the mood of the user based on their facial expressions. Krause advises this part uses the Vision framework introduced in iOS 11, designed to allow developers to track a user’s facial movements.

Notably, the issue is only a problem if the app is in the foreground, but Krause highlights that this could still cause privacy problems. For example, if a user decides to browse a social app while in the bathroom, and the app includes such code, it would be theoretically possible for it to record the user in a somewhat compromising position.

Leave a Reply