I admit, it's rare that the Security Clan Editor needs to hold Apple mobile devices up to scrutiny. Unlike Android apps, the apps sold in the Apple app store -- try saying that fast -- are subject to review before being released into the wild.
Sure, the possibility of "jailbreaking" the iPhone means it's not necessarily a closed operating system, and people can find ways to download unapproved and possibly malicious apps. We've also seen that a skilled hacker was able to plant a sleeper rogue app in the store.
But other than the allegations last spring of location tracking, Apple's mobile devices seem to have led a charmed life. Until now. According to a New York Times report, your iPhone, iPad, and iPod might be leaking like sieves, allowing apps to scavenge photos and location information, as well as address books.
Two weeks ago, Times reporters revealed that address books could be copied from smartphones by app developers without the owner's permission or knowledge. Wrong-footed, Apple insisted that its rules for developers expressly prohibited the practice, but it seemed unable to explain why apps that steal addresses had nevertheless been approved for sale.
Indeed, it seems that dozens of popular iOS apps, including Yelp, Twitter, and -- surprise! -- Facebook, have been collecting addresses and storing them on their own services, in a practice that has been described as an "unspoken industry standard." Few ask permission before doing so. FourSquare and Instagram added permission prompts only after the practice was exposed.
But addresses, it seems, may be the tip of the iceberg. Accepting an iOS prompt that asks permission to access location data can also allow copying of private photo and video libraries, the Times said yesterday. Because these devices often save coordinate information along with photos, it might also be possible to put together a user's location history, as well as to record current location.
Apparently in an attempt to make photo apps more efficient, access to private photos has been available since the fourth version of iOS was released in 2010. With the revelation that many apps were contravening Apple's rules against address-book scouring, suspicions are raised that apps that exploit the photo/video access flaw may not have been excluded from the app store.
Given the steady stream of private photos of celebrities leaked online, there must be concern that this flaw could be contributing to intrusive privacy breaches. Apple has yet to comment.
The problem is clearly twofold. First, these incidents suggest that, although Apple moves quickly to fix security problems once they're disclosed, screening of apps prior to release may not be as stringent as once thought. Second -- and this is really the root of many problems discussed here -- there's the absolute lack of sensitivity to user privacy displayed by many high-profile Internet enterprises.
If it doesn't even occur to Facebook or Yelp or FourSquare -- or any of the other usual suspects -- that taking someone's address book without permission might be unethical, we can safely assume that, if they know about the photo flaw, they've been exploiting that, too.
Innocent until proven guilty, of course, but don't be surprised to find some of these businesses standing in line with creepy hackers to flick through your albums.
— Kim Davis, Community Editor, Internet Evolution