A new security flaw affecting Apple’s iOS mobile platform has been revealed in a report published by the New York Times’ Bits blog, which disclosed a loophole that enables apps to grab photos from the phones they are installed on.
The paper said that developers can gain access to a user's entire photo library using the dialog window that requests access to location information. Apparently, once the user selects the OK button, the app is able to copy the photos, complete with their GPS metadata, to a remote server without the handset owner being aware that this is taking place.
Despite the worrying claims, and the fact that the New York Times was able to prove them with an unpublished test app from an unnamed developer, the paper admits that it is unclear whether any apps in Apple’s App Store are actually exploiting the loophole to steal users' photo libraries.
"It is unclear whether any apps in Apple’s App Store are illicitly copying user photos. Although Apple’s rules do not specifically forbid photo copying, Apple says it screens all apps submitted to the store, a process that should catch nefarious behavior on the part of developers," Nick Bilton stated.
He added that although the Cupertino-based company screens all new apps to reduce the chance of illegal activities by developers, it previously approved many apps that collected contact information even though doing so was against its own App Store guidelines.
Bilton believes the loophole arrived with the iOS 4.0 mobile OS release in 2010, saying that the location feature was introduced in the name of efficiency alongside Apple’s major focus on improving the OS’s multitasking features.
According to sources familiar with the matter who spoke to The Verge, Apple has been made aware of the issue and plans to fix the loophole in an upcoming release of iOS. The same sources also stated that being able to send photos to a third party was in fact an error, and not an intended action.
Apple has declined to comment on the loophole or on its plans to patch it in a future update.