A rogue iOS application can gain access to limited geo-location information by obtaining image permissions and extracting GPS coordinates from locally-stored photos.
Fastlane Tools (now part of Google) founder Felix Krause spotted this loophole in the iOS permissions model last week. The mobile development expert contacted Apple and warned the company about the issue.
The problem, as Krause explains, is that iOS does not differentiate between apps that need permission to select a photo and apps that manage or edit images. They're all bundled under the same umbrella permission.
A simplistic application could trick users into granting it the image management permission on the grounds that it needs to select a photo from the local library for a simple avatar, and then access all images in the background and extract their EXIF metadata.
The EXIF metadata fields of an image include the GPS coordinates of where the photo was taken, the physical speed at which the picture or video was taken, and the exact time and date.
An attacker can use these details in various ways. A short list of ways this could be abused is below:
To prove his point that this permissions loophole is a serious deal, Krause coded an application named DetectLocations that extracts the user's image metadata and plots everything on a map.
Surprisingly, Apple even admitted the app to the App Store, most likely not realizing it was a proof of concept showing that iOS needs better permissions.
"There should be separate permissions for selecting a photo and granting full access to the photo library," Krause says in a list of proposed mitigations. "An alternative approach would be to have an extra permission layer to access the picture's metadata."