Granting app permissions is something most of us do without a second thought. But, when you really think about it, should you be blithe in allowing such access?
This isn't even considering the kinds of things we all keep on our phones, and I don't know about you, but I don't want the world seeing my overwhelming collection of cute cats (among other things).
Software engineer Felix Krause is here to destroy our technological reverie (again) with his demonstration app that he recently published on GitHub (an Internet-based Git or version control repository and Internet hosting service used mainly for code).
Krause is the founder of developer tools repository FastLane. The company was purchased by Google early in 2017, according to AdWeek.
Krause had also previously identified an iPhone password prompt phishing loophole. He warned users about entering their password into the prompt without consideration because the prompt could be easily spoofed by malicious apps attempting to steal user information.
In his demonstration app published on GitHub, Felix endeavored to show the various things an app can use your smartphone’s cameras to do once given your permission to use them.
The app had the ability to use the front and the back camera on the device, record while the app is in the foreground, capture photos and video without alerting the user, then upload the pictures and videos it takes to a location of the app’s choice.
Lastly, the app could execute real-time face recognition to map facial features.
Krause has even created a video that he uploaded to video platform YouTube demonstrating the above.
Video of Felix Krause's demonstration app on GitHub.
That sounds like a load of fun, but how worried should you be as a smartphone user?
Krause stresses at length in his blog post that this should not be used in production – the GitHub project is instead intended as a working demonstration of potential loopholes in an iOS app’s ability to utilize the cameras.
Apple has a very strict policy regarding user security and privacy, so it is unlikely that an app that actively employs such a method in stealth was ever approved by the company.
This does not include jail-broken devices or apps downloaded from outside of the app store, which could contain potentially malicious code that could hijack a user’s iPhone.
What does the software engineer suggest in terms of preventative measures that users can take to avoid problems like this in the future?
Krause has a few useful hints and one surefire way to make sure your hacked cameras never see your face.
One, users can place a camera sticker over the front-facing and rear-facing cameras. Though this might be inconvenient for taking pictures, it does ensure that the hacker sees nothing at all.
Second, you can revoke all camera access for all apps, though this is not as secure as the above.
Third, always use the app’s built-in camera functionality and photo selection – do not give it access to your camera or photo roll.
Such capabilities are no mystery to many iPhone (or smartphone) users in general, and according to Motherboard they are what make apps like Stealth Cam and Easy Calc-Cam possible. The main point of Krause’s demonstration, however, is that any app that is granted permission to use the phone’s cameras can act in this way. If you didn't know what an app like Stealth Cam could do, then perhaps the problem goes deeper than the iPhone. This isn't about apps that advertise this as a core functionality – it's about random apps with a built-in camera.
Some have suggested a device modification that would be simple to implement: The inclusion of a small LED light on the front and the back of the smartphone that lets the user know the camera is in use. This feature is present on Apple’s line of iMac computers, for example.