Google engineers certify that users with "access to camera" in the iPhone application can hide users

Google engineers created an application that shows that it is possible to take pictures and record sounds from iPhone's camera so that users are not noticed by malicious iOS applications, Applications with access authority "all prove to be able to monitor users secretly.

iOS Privacy: watch.user - Access both iPhone cameras any time your app is running - Felix Krause
https://krausefx.com/blog/ios-privacy-watchuser-access-both-iphone-cameras-any-time-your-app-is-running

Google engineer proves any iPhone app with permission to access the camera is capable of spying
http://appleinsider.com/articles/17/10/26/google-engineer-proves-any-iphone-app-with-permission-to-access-the-camera-is-capable-of-spying

fastlaneFelix Clows who is a founder of Google and now is an engineer who works with Google, "an application to prove that all iOS applications that have access to the camera can monitor the user secretly" created.

According to Mr. Clouds, an application once granted access to the camera,foregroundIf you are in, you can take pictures and movies without notifying the user that "shooting pictures and movies" with sounds, lights, and other indicators. In addition, Mr. Claus claims to be able to upload photographs and movies taken without permission from the iOS terminal to the server.

The movie below shows how Mr. Clouds demonstrated demonstrating that using an application created for proof-of-concept demonstration that the camera was not activated, it was demonstrated that pictures were taken unnoticedly. Inside the movie, not only will you take pictures, you can upload the photos to any server without permission, track the movement of parts of the face such as the user's mouth, nose, eyes, contours, It is shown up to being able to judge the mood of the user.

watch.user: Access both iPhone cameras any time your app is running - YouTube


The source code is released on GitHub for the application used for proof of concept.

GitHub - KrauseFx / watch.user: Access both iPhone cameras any time your app is running


As Mr. Crows proved, if a malicious developer creates an iOS application seeking access to the camera, it is possible to specify the user's address based on the picture data and to search the image secretly obtained by the image It is possible to try to identify the user's personal information through.

The point to pay attention to is that the problem occurs only when the application is in the foreground, that is, when the application is in use. Even so, Mr. Clouds said that there is a possibility of causing a privacy problem, and indeed, it seems that many users are giving the camera, the SNS application, the message application, etc. access privilege to the camera. If malicious code is added to an application frequently used by such users, it will be possible to monitor the user for a considerable amount of time.

Clouds Mr. recommend "The only really safe deal method", to cover the camera lens at something, or remove all of the application that gave access to the camera, to use only Apple genuine camera app It seems to be said that.

Mr. Clouds has reported this problem to Apple, and it seems he presented a solution so that it will not be a long term problem.