iPhone
Granting iPhone camera access allows apps to secretly take photos and videos without users noticing. REUTERS/Issei Kato

It’s been discovered that apps on Apple’s iPhones and iPads can secretly record videos or take photos without users even noticing, according a prominent developer. This is possible when users grant rogue apps permission to access the cameras on their iOS devices.

This new privacy issue in iOS was discovered by Felix Krause, the same developer that warned iPhone users a couple of weeks ago how easy it is for attackers to spoof Apple’s login screen to launch a phishing attack. Krause explained that once a user grants an app access to the camera, the app will be able to access the front and back cameras and record videos and take photos while the app runs in the background. This happens without any notification or any sign that the camera is currently active or turned on.

Krause said a rogue app would also be able to immediately upload the photos and or videos it has taken. For iPhones or iPads running iOS 11, the developer of the rogue app could even run a software to track the user’s face.

“iOS users often grant camera access to an app soon after they download it (e.g., to add an avatar or send a photo),” Krause explained on his blog. “These apps, like a messaging app or any news-feed-based app, can easily track the users face, take pictures, or live stream the front and back camera, without the user’s consent.”

Krause also listed other possible applications on how attackers can take advantage of this iOS privacy flaw. A developer could use the front and back camera to get a live view of the user and even know where the user is based on the image data. An attacker may also use a facial recognition software to find other photos of the user on the internet and or create a 3D model of the user’s face. A rogue app could also live stream the user’s camera feed onto the internet all without the user ever knowing it’s happening in the background. Krause created an app called watch.user to demonstrate how any of these could work.

To be clear, this isn’t actually a bug and is likely to be an intended behavior, as pointed out by Motherboard. Granting apps permission to access a device’s camera is very common, but it’s important to let more people know that this is possible.

For now, there isn’t really any permanent solution for this privacy problem. However, Krause did give a few tips so users will be able to better protect themselves. Krause suggests iPhone users should start putting covers on their cameras. Users can also revoke apps from accessing their cameras and just stick to using the built-in camera app.

Krause has also contacted Apple about this privacy issue on iOS. The developer also suggested to Apple that it could find a way to grant temporary access to the cameras, show an icon on the status bar indicating that the cameras are active or add an LED light to the iPhone’s cameras, like the green LED indicator that sits beside the Mac webcam.