Pierluigi Paganini September 28, 2017

Developer discovered that iOS apps can read metadata revealing users’ locations and much more, a serious threat to our privacy.

The developer Felix Krause, founder of Fastlane.Tools, has discovered that iOS apps can access image metadata revealing users’ location history.

Krause published a detailed analysis on the Open Radar community, he explained that the app just needs to get permission to access the image library.

“If an app gets permission to access the image library, it will get full access to all image metadata also, including the exact location.” wrote Krause.
“This is a serious privacy issue, as third party camera apps that want to just store a picture the user took, will also get full access to all photos and their locations in their image library.”

The developer explained that it is too easy to access image metadata with the following procedure:

1. Ask the user for permission to access photo library
2. If approved, get a list of all the past locations using
```objective-c
PHFetchResult *photos = [PHAsset fetchAssetsWithMediaType:PHAssetMediaTypeImage options:nil];
 
for (PHAsset *asset in photos) {
 if ([asset location]) {
 // Access the full location, speed, full picture, camera model, etc. here
 }
}
```
3. Use that data to get a great understanding of what the user does

The expert also published a  proof-of-concept code at GitHub, he explained it was very easy to write it.

“Does your iOS app have access to the user’s image library? Do you want to know your user’s movements over the last several years, including what cities they’ve visited, which iPhones they’ve owned and how they travel? Do you want all of that data in less a second? Then this project is for you!

Download DetectLocations app

” reads the ReadME file in the repository.

The access to the image library allows the app to get the entire EXIF dataset that includes more than users’ locations.

The developer has demonstrated that is possible to access the following data: