The way in which Apple sources and stores unencrypted user location data, often referred to as "locationgate
", has come under scrutiny over the last few months.
Over the last few weeks, the issue has moved on to third party access. It appears that Apple's software allows apps to download private information, such as address books, from phones based on location data without asking permission or notifying users.
According to a report in The News Tribune
, this hole in the system could also enable third parties to access and download photo libraries in the same way. It could also affect anyone using an iPad or an iPod Touch.
This seems to happen in instances where an app asks the user to confirm/turn on GPS location settings. Although users are aware that they are doing this, they are not made aware that this potentially gives the developer access to their address books and now, according to CNET
, their photos. This could allow a third party to download a complete photo library without the user knowing.
At this stage there is no evidence that any users have had this happen. We know it can happen because the New York Times' Bits blog
hired a developer to create an app, PhotoSpy, to test out the loophole. This successfuly downloaded photos once location data permissions were given.
Apple is changing its App Store terms to state that developers have to seek "explicit" permission before giving access to data. A fix may also come into a future iOS update, although there is no confirmation of this as yet.