It can continue to use the camera even after the intended use is done and over. For instance from the Facebook app you take a pic to post. But if Facebook wanted to be evil that allows the app to continue recording images that you would not have explicitly authorized and continue doing so minute by minute with no way for a user to know it was happening. That's what he brought to Apple's attention. The camera permission does not restrict the camera use to only what the user would intend to grant it.
Err, if the app is in foreground then it is actively used. How would you distinguish between "intended" and "unintended" use?
Well an obvious example would be if you did not intend for it to be surreptitiously taking a photo of you and your surroundings while you were using it, or while reading a news item in the feed not have any idea it was video-recording your reaction to it.
You didn't answer the question. 'if the app is in foreground then it is actively used. How would you distinguish between "intended" and "unintended" use?'
You simply gave another off-the-wall hypothetical like: I discovered a new use for baseball bats. To break windows!!!! We should design baseball bats to know when they are being used to break a window and turn to water.
OK try this one. You're reading some Facebook posts. At the same time Facebook is secretly video-recording your reaction to them since you did give Facebook permission to use your camera every time you open their app. Would that be an intended use of yours or an unintended one? I believe that answers your question sir.
I've often gone into settings and revoked access to microphone/camera/location/whatever after the initial requested use, purely to save on battery but it also has an added security benefit - if I need to use those things again I will grant access and later revoke. Unless it's something that needs it to work... location in maps for example then it can remain on.
I’d say there are developers out there that might take advantage of this. Or a nefarious organization (country adversaries for example) buys a small app developer and takes advantage to spy on important people. It’s a possibility but the probability of it happening is slim to none.
I work for a video conferencing company. I assure you that the reason we ask for permission to use the camera is so that we CAN take your picture and send it to the server. That's what it is supposed to do.
That being said - we do have a button that turns the camera on and off. I think what Mr Sad Face is really saying is that our app could turn the camera on without the user's explicit knowledge. The framing of his argument should have been more along the lines of, even if the user trusts the app, there is no way for the user to know if the app has turned the camera on. The way it was presented is apps that have been explicitly trusted should not be trusted and that this is some kind of exploit. He should rightly be mocked for that.
OMG!!!! Stop the presses... An App with permission to use the camera can.... OMG!!!! USE THE CAMERA!!!!.
Is this a serious news item?
It can continue to use the camera even after the intended use is done and over.
Yes, it can even start recording once you open the app again, without you knowing it. The same can happen with a microphone or any photo library access both on iOS as well as on Android. Once you granted the permission, that app retains it and CAN use it any time of day, until that permission is revoked by a user. That is exactly how both OSs work.
It can continue to use the camera even after the intended use is done and over. For instance from the Facebook app you take a pic to post. But if Facebook wanted to be evil that allows the app to continue recording images that you would not have explicitly authorized and continue doing so minute by minute with no way for a user to know it was happening. That's what he brought to Apple's attention. The camera permission does not restrict the camera use to only what the user would intend to grant it.
Err, if the app is in foreground then it is actively used. How would you distinguish between "intended" and "unintended" use?
Well an obvious example would be if you did not intend for it to be surreptitiously taking a photo of you and your surroundings while you were using it, or while reading a news item in the feed not have any idea it was video-recording your reaction to it.
You didn't answer the question. 'if the app is in foreground then it is actively used. How would you distinguish between "intended" and "unintended" use?'
You simply gave another off-the-wall hypothetical like: I discovered a new use for baseball bats. To break windows!!!! We should design baseball bats to know when they are being used to break a window and turn to water.
OK try this one. You're reading some Facebook posts. At the same time Facebook is secretly video-recording your reaction to them since you did give Facebook permission to use your camera every time you open their app. Would that be an intended use of yours or an unintended one? I believe that answers your question sir.
You’re becoming desperate. I felt someone should tell you.
So majority of people in this forum TRUST not just Apple, but ALSO THIRD PARTY developers 100%. Trusting Apple and the built-in iOS apps - I can understand. Trusting unknown third party developers without even an iota of doubt??? Sounds insane to me. Hopefully, Apple does NOT think like AI forum members and see what can be done to prevent a rogue Third Party developer from misusing the Permissions granted by end-users.
So majority of people in this forum TRUST not just Apple, but ALSO THIRD PARTY developers 100%. Trusting Apple and the built-in iOS apps - I can understand. Trusting unknown third party developers without even an iota of doubt??? Sounds insane to me. Hopefully, Apple does NOT think like AI forum members and see what can be done to prevent a rogue Third Party developer from misusing the Permissions granted by end-users.
Apple has done that since the very beginning with AppStore. Such an inappropriate camera use cannot escape AppStore review process. Does that guy really believe that Apple engineers are idiots to not think about that and as a bright young urban entrepreneur he is the first to figure it out?
Not sure there’s a problem to be solved to be honest.
If people are that worried then they can cover the lens with their thumb.
Does it occur to you that there is a question of WHOM to TRUST? Not just Apple OR ANYONE who develops for iOS store? Trusting Apple - Yes. Anyone who develops for iOS? No. If you are going to TRUST each and every developer out there, there is NO need to have vetting process for publishing an App, right?
So majority of people in this forum TRUST not just Apple, but ALSO THIRD PARTY developers 100%. Trusting Apple and the built-in iOS apps - I can understand. Trusting unknown third party developers without even an iota of doubt??? Sounds insane to me. Hopefully, Apple does NOT think like AI forum members and see what can be done to prevent a rogue Third Party developer from misusing the Permissions granted by end-users.
Apple has done that since the very beginning with AppStore. Such an inappropriate camera use cannot escape AppStore review process. Does that guy really believe that Apple engineers are idiots to not think about that and as a bright young urban entrepreneur he is the first to figure it out?
Nobody in this forum talked about AppStore review process "preventing" it from happening so far. Everyone was ABSOLUTELY FINE with "inappropriate camera use" for reasons known only to them.
It can continue to use the camera even after the intended use is done and over. For instance from the Facebook app you take a pic to post. But if Facebook wanted to be evil that allows the app to continue recording images that you would not have explicitly authorized and continue doing so minute by minute with no way for a user to know it was happening. That's what he brought to Apple's attention. The camera permission does not restrict the camera use to only what the user would intend to grant it.
Err, if the app is in foreground then it is actively used. How would you distinguish between "intended" and "unintended" use?
So if I have Facebook up and no intention of using the camera, could this malicious code be using the camera anyways without any indication it is doing so?
Sounds like it. Also sounds like someone would need to get an update through the app store with the malicious code so this is much ado about nothing.
Not sure there’s a problem to be solved to be honest.
If people are that worried then they can cover the lens with their thumb.
The problem is that this has been talked about and people will get worked up over it. So that makes it a problem Apple will probably need to address. They could do so with a new LED (yeah right) or some minor code tweak that doesn't really change anything but gives people a warm blanket that Apple is fixing issues.
Last time he outright lied when he showed an example of an App-created dialog box that looked like the Apple version to trick people into entering their password for their Apple ID.
On the surface it seemed reasonable. Until you realize Apps don’t have access to your Apple ID username/email. So it would literally be impossible for an App to present you with such an official looking dialog box. Yet that didn’t stop him from showing his created dialog box with an actual Apple ID email.
So majority of people in this forum TRUST not just Apple, but ALSO THIRD PARTY developers 100%. Trusting Apple and the built-in iOS apps - I can understand. Trusting unknown third party developers without even an iota of doubt??? Sounds insane to me. Hopefully, Apple does NOT think like AI forum members and see what can be done to prevent a rogue Third Party developer from misusing the Permissions granted by end-users.
I don't trust very many 3rd party apps. I do trust Apple to validate the code the apps are trying to release onto my phone or tablet. It all comes back to the Apple approval process, which is exactly why there isn't a single Google/Android device in my house. I don't trust them one iota.
Comments
You want to understand the motive here, look no further than this sentence.
"Researcher Felix Krause, founder of Fastlane.Tools, created the watch.user concept app to show how far the camera permissions could be pushed"
He just created free press for himself, and will use this to help drive business for himself.
or some guy playing pocket pool.