Managing device permissions can be tricky when there are plenty of apps in the wild asking for a screen full of privileges for seemingly mundane tasks. It was recently revealed that the Uber app for iOS has used special permissions to better optimize for Apple Watches albeit with the side effect of allowing screen recording.
Now, iOS developer Felix Krause at Google has revealed that apps may have a lot more access than intended. Granting an app permission to use the camera on iOS, for example, allows for silent use of the camera any time an app is in focus. Users are not notified that the camera is in use and photos or videos can be immediately sent to remote servers without an additional permission request.
One of the largest fundamental issues pointed out is that camera permissions are a one-time setting. Once permission is granted, usually at the first launch after installation, the access is never removed unless a user specifically goes into their settings to revoke it. Users often forget what permissions they grant to an app and are unlikely to think about which apps are capable of creating privacy issues.
A proof of concept app has been created to show how any app with camera permissions is able to secretly record a user. The app has the user take a picture for a demonstration social media site and then scroll through a news feed. After scrolling through the feed, app users will start to see pictures of themselves while browsing. Facial recognition can also be run from the captured images to identify the user and locate other pictures of them online.
The demo app is available on GitHub and can be safely tested on iOS devices. As a solution to the issue, Krause proposes offering temporary permissions to apps when sharing pictures is needed. A status icon could be added to show when cameras are in use. For future iPhones, a status LED could be added that is triggered when the camera sensor is in use.
For now, the only sure solution to preventing unwanted recording is physically blocking the cameras on your device. Even CEOs such as Mark Zuckerberg have resorted to putting tape over webcams to ensure that privacy is maintained.