Working around iOS’ location services permissions

iOS has a pretty good permission system that gives the user granular control on what personal data apps can access - things like location, contacts, calendars, pictures, etc. As far as I know, these permissions are bulletproof - there are no vulnerabilities there per se.

However, there are ways in which apps can work around them and still get access to things they shouldn’t. I feel like there’s a lack of awareness about this and the current permissions UI is dangerously flawed.

Location services and photos #

The native Camera app (and presumably third-party ones*) allows you to geo-tag your pictures with the location they were taken at. The idea sounds great in theory, and there isn’t much to be concerned about - your camera app is trusted, right?

The issue is, every single photo you’ve now taken has location attached which over time would give an attacker a pretty good idea of your whereabouts. They just have to grab all the locations, group nearby ones together (to account for GPS inaccuracies), and then rank the groups by frequency. The most frequent one has a good chance of being your home, for example.

This information will allow a malicious party to combine it with other information they have (from online tracking/stalking, compromised accounts, etc) to narrow it down further.

Face recognition brings yet another level of privacy violations by not just attacking you but also your friends; if you often hang out with someone and take pictures together, an attacker can use face recognition to figure out who is in the picture and infer the other person’s frequent location based on the fact this location is frequently seen in your photo library only when that person is in the frame.

How it works in practice #

Let’s say you’re a malicious company like Facebook or Google. You have a pretty good idea of the general whereabouts of everyone thanks to online stalking but some people are privacy-conscious and manage to evade the panopticon. Even when they install your apps, they deny location services access. How do you catch them anyway?

You make app that has a legitimate use for photo access, like Instagram or Google Photos. Everyone will grant you the required permissions no questions asked.

You can then silently sort though their pictures, gathering timestamps, locations and faces from them. Do most of the processing on the device as to not arise suspicion by using large amounts of bandwidth.

You can use face recognition to gain/improve the information you have on other users too and attach the location of the picture to their (“shadow”?) profile.

You can use the information you already have to clean up the data (remove outliers & false positives) and you end up with potentially years of private location history on a particular user (and anyone they’ve taken a picture with) without even requesting location permissions at all. Nobody in their right mind would wilfully give you this information, and yet here we are.

How to defend yourself #

One solution is to not give access to your photo library. On iOS, you can still import photos into apps that require them by using their Share Extension. This will give the app that particular picture only (and its location, if any) but will at least prevent the app from getting all your photos & their locations. Sadly, exporting photos out of apps will be a bit tricky unless they allow you to also use a Share Extension, which you can use to send the picture to a trusted app acting as a proxy to your actual photo library.

You should also disable geo-tagging in your camera app. This will stop the issue moving forward, but you’d still need to go through all your past pictures and remove the location from them. I am not aware of any easy way of doing this on the device itself, but you can export all your photos to a computer, use ExifTool to strip the location metadata from the pictures and then import them back.

Long-term solutions #

The main problem I see here the lack of awareness about this issue - iOS does not mention the long-term consequences when the Camera app asks to attach location information to photos, even though you’re essentially creating a liability that only gets worse the more photos you take.

iOS does not mention anything about past location history when an app asks for photo library access either - I think this should definitely be improved, at the very least.

One solution could be to have the OS transparently remove location from pictures accessed by apps unless explicitly told not to in the permission settings. The downside of it is that it introduces extra complexity, and users can be manipulated into granting the permission anyway.

A radical solution which I personally support would be to remove app’s direct access to photo libraries and force them to go through an OS-provided photo picker, offering a toggle for sharing the picture’s location. Not only will this solve the location leakage issue, but will also prevent malicious apps looking through your past pictures in the background and using other tricks (face recognition, etc) on them.

*I would not recommend trusting third-party camera apps with location access either. There’s a good chance they embed third-party analytics (that seems to be the trend nowadays) and some of those are provided by companies whose revenue is based on advertising & stalking, so it’s in their best interest to grab your location from any apps embedding their library.


Now read this

Three phone number leakage vulnerability

TLDR: a vulnerability in the Three network allows any app on your phone to get your mobile number without your consent - switch to the 3internet APN to defend against this. Today I noticed a quite worrying vulnerability that would allow... Continue →