DetectLocations app

A rogue iOS application can gain access to limited geo-location information by obtaining image permissions and extracting GPS coordinates from locally-stored photos.

Fastlane Tools (now part of Google) founder Felix Krause spotted this loophole in the iOS permissions model last week. The mobile development expert contacted Apple and warned the company about the issue.

The problem, as Krause explains, is that iOS does not differentiate between apps that need permission to select a photo and apps that manage or edit images. They're all bundled under the same umbrella permission.

A simplistic application could trick users to give it access to the image management permission on the grounds that it needs to select a photo from the local library for a simple avatar, but in the background access all images and extract their EXIF metadata.

Image metadata is very detailed, can infer lifestyle choices

Among the data stored in an image's EXIF meta fields are details about the GPS coordinates where the photo has been taken, but also the physical speed in which the picture/video was taken, and exact time and date.

An attacker can use these details in various ways. A short list of ways this could be abused is below:

⬕ Get a history of the cities, countries, and other places a user has visited, as long as they took a picture there
⬕ Find the user's place of work, by figuring out where they are from 9 to 5
⬕ Get a complete list of the user's cameras and photography devices (which iPhones, Android phones, cameras) and how long they used each device
⬕ Use facial recognization to find out who the user hangs out with and who their partner is. Is the user single?
⬕ Understand the user's background: Did the user attend college? If so, which one? Did the user recently move from the suburbs to the city? Does the user spend a lot of time with their family? Does he visit healthcare organizations? If yes, then which one?

Krauser releases demo app

To prove his point that this permissions loophole is a serious deal, Krause coded an application named DetectLocations that extracts the user's image metadata and plots everything on a map.

Surprisingly, Apple even admitted the app on the App Store — most likely not realizing it's a proof-of-concept that shows that iOS needs better permissions.

"There should be separate permissions for selecting a photo and granting full access to the photo library," Krause says in a list of proposed mitigations. "An alternative approach would be to have an extra permission layer to access the picture's metadata."