iOS Apps with Camera Access Permission Can Spy On You


When it comes to security and privacy concerns, most of us think that only Android is vulnerable. In an ironical discovery, a Googler, Felix Krause, has proven that any iOS app that has been granted Camera access permission can actually spy on the user, without their knowledge. To clarify, Felix Krause says that he made this discovery during his free time and thus the discovery has nothing to do with his job at Google.

Back to the matter at hand, how can an app with camera access spy on you? Felix explains that once you grant an app access to your camera, it can:

  • Get full access to the front and back camera of an iPhone/iPad any time your app is running in the foreground.
  • Use the front and the back camera to know what you are doing at that moment and where you are located based on image data.
  • Upload random frames of the video stream to a web service, and run a proper face recognition software, which enables the developer to:
    • Find existing photos of you on the internet
    • Learn how you look like and create a 3D model of your face
  • Live stream your camera onto the internet.
  • Estimate your mood based on what you are looking at on the app
  • Detect if you are on your phone alone, or together with another person
  • Recording video using both the front and the back camera, while you use the app

All this happens, without any indication that the camera is active. Felix built an app to demonstrate this, the app is a fake social network site, after opening it, it asks you to upload a picture and thus you grant it camera access. After which, you are able to browse through a newsfeed and you will notice random pictures of yourself that were taken as you browsed through the feed. See video below:

There are two ways you can protect yourself from being spied on (if you’re the paranoid type), one of them is covering your camera lenses but since I know very few people would actually do this, the other way is revoking camera access permission from all the apps that requested it.

At the time of publishing, there’s no evidence that there’s any iOS app that is abusing this loophole. Felix says that he has already reported the issue to Apple with recommendations that apps be granted temporary permission to access the camera, thus, each time an app wants to access your camera, you would have to grant it this permission or show an icon on the status bar indicating that the app you’re on is using the camera.