A newly discovered loophole in iOS security gives developers access to a user's entire photo library. Once the user allows an iOS application to access location information, the app can be designed to copy the user's photographs to a remote server without further notification, reports The New York Times.
To test this loophole, The New York Times asked a developer, who did not want to be named because of his employment at a popular app developer, to create an app that did just that. His "PhotoSpy" app asked for access to location data on startup, and once access was granted, it siphoned the photos and the location data attached to them to a remote server. The PhotoSpy app was not submitted to the App Store for approval.
It is unknown whether any authorized apps on Apple's App Store are currently exploiting this loophole. Of course, with the huge volume of submissions to the App Store, apps of questionable content and behavior slip through the approval process on a fairly regular basis.
Full access to the photo library was first allowed in 2010 with the release of iOS 4, with the intention of making photo apps more efficient. While this capability has been known for a while, according to developers who talked to The New York Times, it was assumed that Apple's approval process would prevent users' content from being exploited. That assumption has been cast into doubt after recent revelations.
"Apple has a tremendous responsibility as the gatekeeper to the App Store and the apps people put on their phone to police the apps," David Jacobs, a fellow with the Electronic Privacy Information Center, said to The New York Times. "Apple and app makers should be making sure people understand what they are consenting to. It is pretty obvious that they aren’t doing a good enough job of that."