http://bits.blogs.nytimes.com/2012/02/28/tk-ios-gives-developers-access-to-photos-videos-location/

February 28, 2012

Apple Loophole Gives Developers Access to Photos

By NICK BILTON

SAN FRANCISCO -- The private photos on your phone may not be as private as you think.

Developers of applications for Apple's mobile devices, along with Apple itself, came under scrutiny this month after reports that some apps were taking people's address book information without their knowledge.

As it turns out, address books are not the only things up for grabs. Photos are also vulnerable. After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user's entire photo library, without any further notification or warning, according to app developers.

It is unclear whether any apps in Apple's App Store are illicitly copying user photos. Although Apple's rules do not specifically forbid photo copying, Apple says it screens all apps submitted to the store, a process that should catch nefarious behavior on the part of developers. But copying address book data was against Apple's rules, and the company approved many popular apps that collected that information.

Apple did not respond to a request for comment.

The first time an application wants to use location data, for mapping or any other purpose, Apple's devices ask the user for permission, noting in a pop-up message that approval "allows access to location information in photos and videos." When the devices save photo and video files, they typically include the coordinates of the place they were taken -- creating another potential risk.

"Conceivably, an app with access to location data could put together a history of where the user has been based on photo location," said David E. Chen, co-founder of Curio, a company that develops apps for iOS, Apple's mobile operating system. "The location history, as well as your photos and videos, could be uploaded to a server. Once the data is off of the iOS device, Apple has virtually no ability to monitor or limit its use."

On Apple devices, full access to the photo library was first permitted in 2010 when Apple released the fourth version of iOS. The change was intended to make photo apps more efficient. Google declined to comment on how its Android operating system for mobile devices handles this issue.

"It's very strange, because Apple is asking for location permission, but really what it is doing is accessing your entire photo library," said John Casasanta, owner of the successful iPhone app development studio Tap Tap Tap, which created the Camera+ app. "The message the user is being presented with is very, very unclear."

The New York Times asked a developer, who asked not to be named because he worked for a popular app maker and did not want to involve his employer, to create a test application that collected photos and location information from an iPhone. When the test app, PhotoSpy, was opened, it asked for access to location data. Once this was granted, it began siphoning photos and their location data to a remote server. (The app was not submitted to the App Store.)

The knowledge that this capability exists is not new, developers say, but it was assumed that Apple would ensure that apps that inappropriately exploited it did not make it into the App Store. Based on recent revelations, phone owners cannot be sure.

"Apple has a tremendous responsibility as the gatekeeper to the App Store and the apps people put on their phone to police the apps," said David Jacobs, a fellow at the Electronic Privacy Information Center. "Apple and app makers should be making sure people understand what they are consenting to. It is pretty obvious that they aren't doing a good enough job of that."

"We've seen celebrities and famous people have pictures leaked and disclosed in the past. There's every reason to think that if you make that easier to do, you'll see much more of it," Mr. Jacobs said. Not just celebrities are at risk, he added. "A lot of sites are trying to obtain images from everyday people and politicians to post online."

As the Apple Store has grown to include more than 600,000 apps, and with Apple facing pressure from Google and Android, some worry that the company is becoming less vigilant about monitoring app developers, exposing users to unnecessary risks and shoddy apps.

This month, Apple allowed a fake 99-cent Pokemon app into the App Store. Even though it offered only a series of Pokemon images, it became one of the most popular paid apps before it was removed by Apple.

Brian X. Chen contributed reporting.