A warning to all: On Wednesday, a developer who works for Google published a demonstration app on GitHub that he claims shows off the creepy ways a rogue iPhone app can photograph you at any time without your knowledge if you grant it camera permissions.
Felix Krauss is the founder of Fastlane, a developer toolset that Google acquired earlier this year. In a blog post on his website, Krauss explains that when you give an app permission to use the iPhone’s camera, you’re giving that app permission to use the camera whenever its overlords deem fit. Specifically, he writes that an app with camera permissions can:
- Access both the front and the back camera
- Record you at any time the app is in the foreground
- Take pictures and videos without telling you
- Upload the pictures/videos it takes immediately
- Run real-time face recognition to detect facial features or expressions
To show what he’s talking about, Krauss uploaded a project to GitHub that takes advantage of the worst features of camera permissions. (To be clear, this is a personal project, not sanctioned by Google.) When this app is installed on an iPhone, Krauss says it randomly takes photos and utilizes the facial recognition software without the user needing to do anything aside from grant the standard permission to use the camera. Here’s a video of the app in action:
Motherboard says it tested Krause’s app and verified that it does everything it claims to do. The developer told Motherboard that his project doesn’t upload the photos anywhere or store them in your Camera Roll, but other apps certainly could.
Apple is known for its strict app review process and developer guidelines, and notably, Krause’s app is not available in the App Store, where the vast majority of iPhone and iPad users get their apps. Gizmodo has reached out to Apple for comment on Krause’s claims and to ask if it has any plans to give users additional controls over camera permissions. We’ve also asked for information on how apps that abuse camera permissions violate App Store rules. We have yet to receive a reply but will update this post when we do.
Krause’s project raises awareness of a potential problem, but it doesn’t indicate that these activities are common in the App Store. As Motherboard notes, the ability for an app to take photos or videos at any time has been used to create apps that take photos at random intervals, turning your phone into a life-casting (or spying) device.
To prevent apps from abusing camera permissions, Krause recommends several options, like using a camera cover or just not allowing camera permissions. But that shouldn’t be necessary. One of his most interesting (and unlikely) ideas is for Apple to modify its product to turn on a small LED light on the front and back when the camera is in use. Mac computers already do this. What’s most important is that users are always made completely aware of what they’re signing up for when they say it’s okay for an app to take over the camera.