Click to Skip Ad
Closing in...

Permission loophole gives developers access to iOS photo library and location history

Updated Dec 19th, 2018 7:48PM EST

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

Earlier this month it was revealed that the popular social networking app Path was uploading entire iPhone address books to the company’s servers without first gaining permission. The data uploaded included full names, phone numbers and email addresses. Path quickly confirmed the report and issued an update to allow users to opt-in or out. The New York Times reported on Tuesday that a user’s address book isn’t the only information vulnerable on iOS devices, however. The publications claims photos can also be accessed by third-party app developers. Read on for more.

“After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library, without any further notification or warning,” app developers confirmed to the Times. After an application gains permission to access location services, it can then gain access to photo and video files, which typically include the coordinates of the location at which they were taken.

“Conceivably, an app with access to location data could put together a history of where the user has been based on photo location,” co-founder of Curio, David E. Chen said. “The location history, as well as your photos and videos, could be uploaded to a server. Once the data is off of the iOS device, Apple has virtually no ability to monitor or limit its use.”

In an effort to make photo apps more efficient, Apple first permitted access to the photo library in 2010 when the company released the fourth version of iOS. Developers have often questioned why Apple would allow permission to access location data of photos, however. “It’s very strange, because Apple is asking for location permission, but really what it is doing is accessing your entire photo library,” John Casasanta, owner of app development studio Tap Tap Tap, told the Times. “The message the user is being presented with is very, very unclear.”

With the help of an anonymous developer, The New York Times created a test application that requested location data and then confirming the report. While the application, PhotoSpy, was not submitted to the App Store, it did successfully access photos and their location data with the ability to export everything to a remote server.

“We’ve seen celebrities and famous people have pictures leaked and disclosed in the past. There’s every reason to think that if you make that easier to do, you’ll see much more of it,” said David Jacobs, a fellow with the Electronic Privacy Information Center. “Not just celebrities are at risk. A lot of sites are trying to obtain images from everyday people and politicians to post online.”


Dan joins the BGR team as the Android Editor, covering all things relating to Google’s premiere operating system. His work has appeared on Fox News, Fox Business and Yahoo News, among other publications. When he isn’t testing the latest devices or apps, he can be found enjoying the sights and sounds of New York City.