Google engineer proves any iPhone app with camera permission can spy on you

“Google engineer Felix Krause has detailed an alarming privacy setting in Apple’s iOS that enables iPhone apps with camera permission to surreptitiously take photos and videos of you – without your knowledge,” Mix reports for TNW.

“The researcher notes that granting camera permission will enable apps to access both the front and the back camera of your device, photograph and record you at any time the app is in the foreground, upload this content immediately, and run real-time face detection to read your facial expressions,” Mix reports. “All of this without any notice or indication that your iPhone is snapping images of your face. No sound, no light, no LEDs.”

“Krause says there is little you can do to prevent this; though there are a few options, none of them would make for a particularly smooth and streamlined user experience. One possibility is to equip your camera with covers. You can find numerous such accessories on Amazon,” Mix reports. “The Googler has since disclosed this complication to Apple.”

 
Read more in the full article here.

MacDailyNews Take: Granting permission to use your camera is just that. The camera is either enabled or not. When it’s enabled, it can be pointed at anything. Perhaps Apple should add camera permissions that expire every so often?

As usual, the only foolproof way to prevent recording is with physical camera covers.

We’ve been taping our Mac cameras for several years. Call us paranoid, but first see the related articles below. That’s why we use camJAMR iSight camera covers on our iMacs and MacBook Airs. They’re black, so they work perfectly with our iMacs and they’re removable/reusable. We’ve stuck and unstuck them hundreds of times. We just leave them on and peel them aside when we want to use the iSight camera.

SEE ALSO:
How to completely disable your Mac’s FaceTime camera – March 1, 2017
How to keep your Mac’s camera from spying on you, no tape required – December 8, 2016
Mark Zuckerberg covers his MacBook’s camera and microphone with tape – June 22, 2016
How to disable the iSight camera on your Mac – February 19, 2015
Orwellian: UK government, with aid from US NSA, intercepted webcam images from millions of users – February 27, 2014
Sextortion warning: It’s masking tape time for webcams – June 28, 2013
Research shows how Mac webcams can spy on their users without warning light – December 18, 2013
Ex-official: FBI can secretly activate an individual’s webcam without indicator light – December 9, 2013
Lower Merion report: MacBook webcams snapped 56,000 clandestine images of high schoolers – April 20, 2010

80 Comments

    1. the only bullshit is the assumption the apps we have allowed to have camera access are automatically doing this. Other than that, it is totally possible. Once an app has access to the camera it can do all of those things easily.
      TrackMyFone is a popular and user-friendly application for watching over your children, preventing theft, and monitoring your
      employees’ performance.
      Checkout what TrackMyFone can do (copied from webpage):
      TrackMyFone runs smoothly on any device and records all activity, including calls, SMS, IMs, phonebook, emails, web browsing history, GPS location and more! It’s super easy to install on any iPhone, iPad, and all Android smartphones and tablets.
      Bullshit ? No

    2. “Krause says there is little you can do to prevent this”
      Other than… you know, NOT providing access to your camera.

      Oh how I long for the old days of ACTUAL dangerous security exploits that would happen WITHOUT ANY INTERACTION WHATSOEVER. My finger is a security exploit because I can use it to point at someone and say “that’s my house, break in and steal my stuff, go ahead.”

    3. On a technical level it’s not bullshit. What the blogger said is 100% true. But for the life of me, I don’t understand why he didn’t mention the fact that this behavior is covered in the developer’s license agreement…

      “3.3.8 If Your Application makes recordings (including but not limited to an image, picture or voice capture or recording) (collectively “Recordings”), a reasonably conspicuous audio, visual or other indicator must be displayed to the user as part of the Application to indicate that a Recording is taking place.”

      If your app does not do this, it will not make it through the vetting process and never make it on the App Store. And if Apple determines that you’re trying to hide it in anyway, your developer membership gets revoked indefinitely.

      The important thing to consider is that this was just a “proof of concept” app that never went through Apple’s vetting process. I wrote an app a couple of years ago that did this exact same thing (except it was audio capture). It was for my own use and I had no intentions of putting it on the App Store. So, this engineer did not discover anything new.

      And for those who think it would be easy to hide…

      Before the system even offers ANY access to anything that requires user permission, the developer must list it in the app bundle’s meta data. If the system does not see “camera” listed, it won’t even let the app ask for permission – the API is completely off limits. Also, the app must explicitly tell the user why access is needed and how the data will be used (in both the access permission dialog and the app’s Privacy Policy). From that point it is fairly easy for Apple to look for and watch when the app calls any part of the API.

      1. How hard would it be to piggyback a ‘hidden’ stream sending data to another place while streaming to a site (e.g. YouTube)? The user will see the ‘legitimate’ function working correctly but be totally unaware that the video is also being copied elsewhere. Along the same line would it be hard to send the video from the camera that is not being displayed on the screen to that other destination whenever the streaming function is used on the intended camera. We simply assume that the camera not in use is ‘off’ when not sending video to the display.

        1. Whether we know it’s recording or not has nothing to do with what’s done with the data after the video capture – that’s an entirely different issue. Collecting and transmitting data without the user’s permission is a privacy violation and, again, something Apple looks for during the vetting process. (And can easily be discovered during that process. Apple does have the ability to monitor network traffic.)

          However, keeping that issue in mind, how do you know what happens to the your data when you send it to/thru the cloud? Once it leaves your device it is out of your control. If you email a video to someone, how do you know that the owners of the mail server aren’t viewing it, or copying it, or distributing it elsewhere? You don’t. We have to assume that we can trust them.

  1. So
    – IF a spyware app gets past Apple’s checks
    – AND IF you have given it camera access
    it can take and upload photos.

    And this is compared to Google’s Androcrap which is spying on you ALL THE TIME.

            1. Here are …

              Well, once again I seem to inspire a regular reader hiding under an instant fake cowardly avatar. No worries, fine.

              Let’s see, I have one letter and 1 number for you starting the second round.

              That would be Wretched Apple Fanboy: Exhibit A2 … 😆

  2. So a BS company (Google) makes a product (Android) that they distribute for no money but you pay for it with your data (which often you can still opt out). Bad enough, but known and up front.

    Another BS company (Apple) charges you a lot of money for an integrated experience and they own or fully control everything about the device. They even go at great length to tell you how concerned they are about your privacy. When that fails, isn’t it worse somehow?

    1. No, it is not “worse somehow.”

      First, Apple is actively trying to preserve and protect your privacy and give you control over it. That fact, alone, outweighs every other consideration.

      Second, you are assuming that Apple has “failed” somehow. This particular scenario involves the user loading an app and granting camera permission and the app being in the foreground (i.e. active). Is that Apple’s fault? Perhaps Apple should provide additional granularity on camera permissions? Perhaps, as MDN offers, camera permissions should expire periodically to remind you that you are intentionally granting them.

      Third, you specifically state that Google charges no money for Android, but Apple charges a lot of money for the integrated experience. But iOS does not cost anything, same as Android. And the cost of “comparable” smartphones – say the Galaxy S8 and the iPhone 8/8 plus flagship devices- are virtually the same. So, according to your argument, the choice is between a company that is aggressively collecting personal data and a company that is actively attempting to protect your personal date – for the same general cost.

      Think about that, applecynic. Consider how foolish your argument actually sounds. Ask yourself why you bother to attempt to use BS to influence the minds of people who are thinking far more clearly than you and also understand the situation better than you. Then give up and go elsewhere.

        1. First off you can get a $100 Android phone. So kiss that one goodbye. iOS is no more free than the engine in my car.

          Anytime Apple fails to deliver on what they promise is their failure. They own it. Who else does? They’ve set an expectation too. Yea they will fix it.

          Now just own it.

          1. “First off you can get a $100 Android phone. So kiss that one goodbye. iOS is no more free than the engine in my car.”

            Strange, all our iPhone SEs were free, and the Android alternatives were also free, same monthly plans. Or I could have gotten higher end iPhones or Androids, again all the same price on contract.

            Kiss that one goodbye indeed 🙂 Idiot.

            1. Duh, we all know what you meant, but the normal real world cost of our smartphones is what we pay along with a plan from the carrier, so you’re wrong and everyone else is right. So sad.

              We all know our smartphones aren’t free, you’re not some genius who just figured this out. The price we pay in the real world for iPhones and Androids is the same.

            2. You really are an imbecile or dishonest. I’ll presume innocence and consider you an imbecile.

              You do realize that part of what you pay your carrier covers the cost of the phone, don’t you? It’s financing in disguise. When you own your phone outright, you can dump your carrier at will without penalties. Android runs the gamut on the market in pricing, but you knew that. They are not all Galaxies, and Notes, and V30, or G6s, etc…. That’s because there are MANY manufacturers.

              Did you or did you not say above that all your iPhone SEs were free, as were Androids. You’re lucky I stuck with imbecile.

            3. That’s exactlt what ThatDepends said “the normal real world cost of our smartphones is what we pay along with a plan from the carrier”, which is exactly what you said and what we all know. The cost of the phone and the cost of the plan together are what you pay.
              And so what if a phone is $100 without a plan. It is a $100 iPod until you get a plan or pay as you go.

            4. Okay, what you’re intentionally missing is that you pay LESS on your plan when you have your own phone. I paid full price for my unlocked Note 8, I always pay for my phone up front, I don’t get married to the carrier. This, so I can leave them at will, and have it carrier unlocked.

            5. “You do realize that part of what you pay your carrier covers the cost of the phone, don’t you? It’s financing in disguise. ”

              Yes, that’s why I already said it dummy.

              ivid pointed that out already, in case you have trouble understanding it. We all know our phones aren’t really free mouthbreather, everyone knows that, you’re not special in any way for telling us that. Like wow thanks for telling us our devices aren’t really free on contract applecynic, none of us already knew that, how did you get to be so smart holy cow!??!!

              The point is we’re all paying the same price for our phones, doesn’t matter if it’s an iPhone or an Android, and it doesn’t matter how many Android devices are available. I walk into the store and I say “Gimme a smartphone” and the carrier says “Here ya go that’ll be $50 per month and $0 for the device”.

              Could I get a cheap Android or used iPhone or an SE for $350 and pay as you go to save a bit on the monthly plan? Yes I could. I’ve done the math, it’s hardly worth it over the four years I’m going to be using my iPhone.

              Talk weak smack all you like, we’re all paying the same out of pocket to own our smartphones.

            6. Listen imbecile YOU said free… Got it?

              What you’re intentionally missing is that you pay LESS on your plan when you have your own phone.

              I paid full price for my unlocked Note 8, I always pay for my phone up front, I don’t get married to the carrier. This, so I can leave them at will. And I have six lines on a full boat unlimited LTE+ plan.

              So admit you were full of manure when you said you got them free. Now it’s $350… Make up your imbecile mind.

              And anyway that’s not the point… You can get an unsubsidized, paid off $100 Android phone, or even less. Possible because there are multiple manufacturers and Android does not cost money to use. However you cut it, you’re paying for iOS. And that’s fine, just admit it? Is your engine “free” schmuck?

            7. “Okay, what you’re intentionally missing is that you pay LESS on your plan when you have your own phone.”

              Not where I am, and I don’t know anyone that gets a deal just because they own their phone. Plans are the same whether you bring your own device or not so it makes no sense to buy your phone.

              If some carriers give you a deal for bringing your own device then you can just buy a used iPhone or an SE. Over four years the price difference is almost nothing so we’re back to iPhones and Androids costing the same, or so close to the same that only a moron would argue otherwise.

              Thanks for playing.

            8. Please, ’cause you know, I’m stupid. You walk into “Whoever Cellular” you pick a device that will cost $x per month if your not bringing your own, that gets added to a plan that costs $y per month, so every month you pay $x + $y. The number of months times $x will be the cost of the phone. So at least you admit it’s not free any longer, but your still paying money every month. Part of that goes to covering for iOS. Do you think Apple doesn’t charge you for iOS? Please don’t say no.

            9. “Listen imbecile YOU said free… Got it?”

              Yes, I did. Free as in you can go get a free device (or a better device for $50 or $100 etc) on contract, and it can be an iPhone or an Android, like almost everyone does, and everyone knows it isn’t really free, but there’s no cash out of our pockets.

              Man you really think you’re the smartest person in the room, like everyone doesn’t already know that our free devices aren’t really free. We just say they’re free because we didn’t pay a chunk of cash for the device. Got it?

            10. “You walk into “Whoever Cellular” you pick a device that will cost $x per month if your not bringing your own, that gets added to a plan that costs $y per month, so every month you pay $x + $y. The number of months times $x will be the cost of the phone.”

              That’s not how it works where I live, and in most of the country where I live. The monthly plan costs X and that doesn’t change if you bring your own device.

            11. “No I just recognize that it costs a chunk of cash, and you still pay for iOS.”

              And Google pays for Android by selling advertising. Both companies cover the cost of the OS. And?

              Where I live there’s no extra cost for an iPhone over an Android. The monthly plan is the monthly plan, doesn’t change based on whether you bring your device or whether that device is an iPhone or an Android. From what I’ve read that’s true in a lot of North America.

              And if it isn’t true everywhere you can just get a used iPhone or an SE and the four year cost difference isn’t enough to worry your pretty little head.

              “That way you can leave your carrier without penalty or repercussion. You know, not locked in.”

              After two years I’m not locked in either, that’s the law. Where I live there really is no point in buying your device outright, you don’t save any money and most people aren’t jumping carriers every six months.

            12. “And Google pays for Android by selling advertising. Both companies cover the cost of the OS. And?”

              I said that in my initial statement, you pay one with money and the other with data. When you pay with money, you have more of an expectation of privacy.

            13. “When you pay with money, you have more of an expectation of privacy.”

              Not me. Maybe you’re just gullible and think it’s okay for Google to respect you less just because you didn’t pay a few cents more per month for your device. Over four years of owning a smartphone you’re ranting about pennies. Maybe you need a job?

              But where I live there isn’t even a price difference. I’m getting iOS for the same price as Android where I am.

            14. I think you realize I would have an iPhone if I wanted one. I now have two iPads, for the stylus alone. Never had an iPad before those.

              Reasons….?
              I want to control and administer my device. I don’t want to be forced to use my club membership., I don’t want to abide by the club’s rules.

              Less of an issue now is I want an SD slot. I do use them.

              Non upgradability of their PCs. So you know I have my version of the Mac Mini, its a Hexacore Mac Pro (2013). My “real” Mac mini is my ATV at our small summer home.

              I have a major personal axe to grind with Apple’s arrogance and now rescinded policy on restocking fees (12 hours) and a nice class action check over bullshit “water damage”. I confess, I find Cooks Apple more palpable than that OCD’s Jobs.

              Why am I telling you all this…

              I’m not a fan of Android, it’s the only viable alternative. I also have the last good Windows phone a Lumia 950XL, but market forces have spoken other wise.

            15. “Reasons….?
              I want to control and administer my device. I don’t want to be forced to use my club membership., I don’t want to abide by the club’s rules.”

              You’ve lost the plot. KingMel’s original point, “the cost of “comparable” smartphones… are virtually the same” is correct. But continue ranting, it’s entertaining.

            16. And I was highlighting the OPTION of less expensive phone. KingMel’s “comparable” was arbitrary. Why comparable? Cost of OS does influence retail price.

              If we wanted comparable we would have to judge the Android $100 phone with the Apple $100 phone which does not exist, and cannot exist. An unnecessary limitation.

            17. “And I was highlighting the OPTION of less expensive phone. KingMel’s “comparable” was arbitrary.”

              For many people (most people in North America probably) KingMel is correct, iPhones and Androids cost the same.

              “If we wanted comparable we would have to judge the Android $100 phone with the Apple $100 phone”

              I can do that right now, just walk into any place I can buy smartphones and ask what phones I can get for $100 and they’ll tell me what iPhone model is $100 on contract and what Androids are $100 on contract, and bringing my own device doesn’t change that at all. I can opt to not have a contract as well, that also doesn’t change the pricing options.

              I could also get a used iPhone for $100 which I bet stacks up very well against a brand new $100 Android phone. But why would I when devices are all the same price on contract and the monthly price stays the same whether I bring my own device or not?

            18. Okay, unless you tell me where I can get an iPhone where the total payments are $100, I will promote you from imbecile to liar. Oh, and while you’re out, get me the reference where a jailbroken iPhone infected a non-jailbroken one. Bugger off now, you have work to do, just to back up your own bullshit.

            19. “I have a major personal axe to grind with Apple’s arrogance”

              So now we get down to it, you’re mad as hell at Apple and you’re not gonna take it anymore.

              What a waste, spending all your time on forums like this pissing on everything Apple related. You’re a loser pal.

            20. “Damn that was lame”

              I agree, it is incredibly lame that you don’t know where to buy used iPhones. Hint, not just from Amazon. It’s also lame that you can’t admit when you’re wrong. You can buy an iPhone for $100, in good shape, and get lots of use out of it.

              The bottom line is that we’re all paying a very similar cost to own and use our smartphones, doesn’t matter if they are iPhones or Androids.

              I’m outta here, as I said before you’re straight up addicted to comment threads, you’re a zombie. I feel pity for your family and friends.

      1. Bravo! Well said.
        “Ask yourself why you bother to attempt to use BS to influence the minds of people who are thinking far more clearly than you and also understand the situation better than you.”

        Exactly.

        1. A major security flaw gets discovered in a product made by a self proclaimed security conscious company, that is the de facto IT department over it’s ecosystem, yet I don’t understand the situation.

          Granted, they will fix it, but what else is in that phone…

    2. “When that fails, isn’t it worse somehow?”

      Yes, much worse. Apple goes out of their way to promote security as a numero uno concern. So if they vulnerable along with Android, duh.

      The rabid fanboys will never agree as you have probably read the condescending and insulting post from the King of Apple fanboys.

      I don’t know about you, but I would take it as a badge of honor …

      1. It’s a fine kettle of fish, it is, when your protector doesn’t tell you to cover your camera with black electrical tape, because telling you so would reveal how weak a protector they are, how inept they are at the personal security they brag about, and how one of their main selling points is fooling you into thinking their product is fundamentally different when it isn’t.

        1. Which makes the fallacy of censorship as protector all that more egregious.

          “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”-MDN (woops)

    1. Exactly WHAT happened here??? Nothing is different from the time of iPhone 4s (last one that Jobs introduced). Phone cameras had the same permissions back then as they have today.

      This is pure strawman. His demo app, no matter how cleverly disguised, would NEVER EVER pass into the iOS App Store. Apple pays special attention to apps that ask permission to use cameras and microphones, for this precise reason. Out of millions of apps on the store, and nine years of the store’s existence, there has yet to appear ONE single app that does this.

      This is the most blatant and obvious form of FUD by a crappy competitor.

      1. Didn’t Uber’s App have special permissions that were abused? Also wouldn’t have happened under Steve’s watch? Or maybe a measured choice because they really wanted Uber’s App in the App store?

    2. No one “has” to admit anything to you, botty, regardless of their personal opinions about Cook.

      You are beginning to get as bad and sad as applecynic in terms of the lameness of your posts. Your posts have almost always been partisan crap, but at least some of the older ones contained some valid content.

      And when the last time that you did not attempt to be “contentious” on this forum. You have always tried to stir things up.

      You should switch to tweeting, like your buddy Trumpanzee.

  3. I can’t understand here how anyone can think this is anything other than massive grandstanding and bull$h!t form a competitor. Let us deconstruct the whole idea.

    iPhone has two cameras. These cameras are there for a purpose: they allow user to take pictures with them. They also allow developers to use these cameras to deliver functionality that would benefit the user. There are literally hundreds of thousands of apps that use cameras in very creative ways: from scanning bar codes, to augmented reality (point your phone at a sign in English and it will super-impose text, in real time, in the same font and size in Russian, for example).

    Cameras provide users with great additional functionality. They provide app developers with opportunity to deliver amazing apps in that use these cameras in myriad creative ways.

    Obviously, malicious developers could potentially use these cameras to surreptitiously spy on the user.

    What this Google engineer cleverly left out is that this is only possible on Android. Apple vets apps, and they pay extra attention on apps that require use of cameras and microphone(s). The likelihood that an app that seemingly has a legitimate purpose for the user actually spies on the user is exceptionally low in iOS App Store. On Google Play? Much more likely.

    So, the point of his exercise is to point out that Apple’s hardware doesn’t have clear visual (or audible) cue / indication when an app is attempting to use camera(s) / microphone(s). It would be somewhat valid, if there were a meaningful level of risk of finding apps that actually maliciously surreptitiously use cameras outside of their actual, intended purpose. This Google engineer developed this demo app to prove his point, but he no doubt knows quite well that such an Apple would never ever slide past the App Store approval process.

    It would be engineering overkill, and most likely rather annoying to users, if their phones flashed or blinked, or beeped every single time an app needed to use cameras or mics to do something, just because there is a practically negligible possibility that an app may be doing something it isn’t supposed to.

  4. Creating a demo proves nothing. It would only be relevant if he were able to get that functionality into an app, get it approved for the App Store and then have it downloaded into normal user’s iPhones. You can download your own apps into associated iPhones as a developer, but to get such an app onto normal user’s iPhones means that it has to be downloaded via the app store, which in turn requires it to be previously checked by Apple.

    If Krause had created an app which did what he claims and then managed to get it approved for the App Store, then there would be cause for concern, but creating a closed demo on an iPhone is meaningless. The fact that he hasn’t submitted an App for approval is highly significant because it wouldn’t be approved and there would be no story.

    He can try and grab a few headline from people who don’t understand how Apple’s curated Apps function, but all he is doing is demonstrating how important it is to have Apps independently curated by Apple rather than allowing developers to do whatever they wish.

    1. Proof of principle stuff gets made all the time. The danger here is that it seems it would be pretty easy to slip in. What Apple checks when the app is going to take pictures? It exposed a vulnerability. Apple should thank the guy.

      1. That is precisely the point of the whole argument, and the point of major failure in the story of this engineer. The scenario is a reason for grave concern for Android, where apps can be installed and downloaded from anywhere, and where Google does a very cursory check before allowing apps on Google Play store.

        When Apple receives an app for approval that asks permission for camera and microphone access, they carefully review it to see if any data is surreptitiously transmitted by the app outside of its intended functionality.

        The ability for the apps to access the camera has been available for a very long time (practically since the beginning of App Store). There have never been apps that do what this demo is doing, because Apple never approved any such app into the store. We don’t know if anyone has ever attempted to submit such an app yet, but I have little doubt that it has been tried, most likely quite a few times.

        1. I do think it further distils down to how easy it might be to slip past Apple’s censors given the circumstances described. But your right, we don’t know about attempts.

          I would be laughing hard if someone made an app submission in assembly language, but we know that’s censored too… Oh well.

  5. My first thought after reading this is wouldn’t this same finding apply to Android phones? If so, why is only Apple cited? If not, what’s different in how Android apps work with the camera?

    My second thought is that I would grant apps permission to access the camera for a reason, so at least part of the time, I would be aware that they have camera access, and they need it only to capture an image which will later be saved to Photos. When they are not in the foreground, it appears they loose access.

    One suggestion is that, for apps which access the camera and have the functionality to send whatever they see to a remote computer, there should be a warning statement included with the app which requests camera access. That warning should also appear in the description in the App Store. Then the choice of whether to install the app, knowing what it will do to compromise your privacy, would be up to the buyer. That might disuade app developers from putting such uunctionality in their apps.

  6. ‘…any time the app is in the foreground…’

    That’s a PRETTY BIG CAVEAT! If you have an app using your camera IN THE FOREGROUND you’re most likely USING that feature. What apps that you’ve given camera permission to do you leave in the foreground without using said camera?

    Just get in the habit (if not already) of quitting camera-using apps when done using, and/or switch to any other app.

    Doesn’t seem that big of a deal to me.

    1. Would have to agree with you that quitting camera apps would probably be the best way to prevent such an App from using the camera unattended. However running in the foreground is only a big caveat if there is no programmatic way to force an App to the foreground.

  7. After frustration from other spy apps, I tried rootgate and found it super helpful. The software doesn’t crash and their support helped me in all the process. I’ve upgraded to one year license and feel safe what ever my kids doing on their Samsung tabs. You can mail rootgatehacks at tutanota dot com.

  8. I have used the tracker and it worked perfectly and the service provided was awesome. The tech guys were very helpful and fast (even with all my questions). The tracker lasts for a lifetime, I use it whenever I want again, best investment (I did get my answers) and the service was totally outstanding. I highly recommend the rootgatehacks company and service if you ever need to track anything or anyone. I will for sure come back for them again if ever needed in the future. You can google them for more information. You can mail them on rootgatehacks at tutanota dot com

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.