Felix Krause, an Austrian Google engineer, created a test app called “watch.user” to prove that an iPhone app with camera permission can secretly record you at any time by snapping images of your face, without any indication. The capture happens without any light or LED turning on.
In the worst case, an app asks once for camera access in order to take an avatar image or upload a photo, and then begins constantly watching the user and covertly uploading the pictures.
Krause said, “It’s a feature, not a bug and once you grant an app access to your camera, it can:
- access both the front and the back camera
- record you at any time the app is in the foreground
- take pictures and videos without telling you
- upload the pictures/videos it takes immediately
- run real-time face recognition to detect facial features or expressions”
The Googler said he created watch.user to highlight a privacy loophole that can be abused by iOS apps, and that there are only a few things you can do now to protect yourself:
- The only real safe way to protect yourself is using camera covers: There are many different covers available, so find one that looks nice to you, or use a sticky note. Even Mark Zuckerberg covers his camera.
- You can revoke camera access for all apps, always use the built-in camera app, and use the image picker of each app to select the photo.
- To avoid this as well, the best way is to use copy & paste to paste the screenshot into your messaging application. If an app has no copy & paste support, you’ll have to expose either your image library or your camera.
He further added that he reported the issue to Apple, and that the root of the problem can be fixed either by showing an icon in the status bar when the camera is active, and forcing the status bar to be visible whenever an app accesses the camera, or by offering a way to grant temporary access to the camera, which Apple has to do.