Security Issue | App has access to all pictures without permission | Can someone reproduce this?

Hi

Just found this issue, where an app can access all my pictures on the iPhone without asking for permission.

It works with Google Translate (Version 5.26.0, German AppStore)

1. Open Google Translate

2. Click on the camera icon in the app (no permission is allowed for the camera, check under: Settings>Translate)

3. Click on the picture icon in the bottom-left corner of the app

4. All the pictures are accessible (it doesn't even ask for permission!)

5. You can browse and open any picture!

My iPhone: iPhone X 256GB iOS 12.1.2 (16C101)



iPhone 7 256GB, iOS 12.0.1 same issue.


I have two more apps from Google installed: Gmail & YouTube.

Neither is allowed to access my pictures, still Google Translate is able to do it.

Can you reproduce this error?


This is how it works for me (yellow circle indicates click):

iPhone X

Posted on Jan 16, 2019 11:12 AM

6 replies

Jan 22, 2019 1:17 AM in response to florianemanuel

https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Page 25 - Extensions, paragraphs 2-3:

“A system area that supports extensions is called an extension point. Each extension point provides APIs and enforces policies for that area. The system determines which extensions are available based on extension point–specific matching rules. The system automatically launches extension processes as needed and manages their lifetime. Entitlements can be used to restrict extension availability to particular system apps. For example, a Today view widget appears only in Notification Center, and a sharing extension is available only from the Sharing pane. The extension points are Today widgets, Share, Custom actions, Photo Editing, Document Provider, and Custom Keyboard.

Extensions run in their own address space. Communication between the extension and the app from which it was activated uses interprocess communications mediated by the system framework. They don’t have access to each other’s files or memory spaces. Extensions are designed to be isolated from each other, from their containing apps, and from the apps that use them. They are sandboxed like any other third-party app and have a container separate from the containing app’s container. However, they share the same access to privacy controls as the container app. So if a user grants Contacts access to an app, this grant will be extended to the extensions that are embedded within the app, but not to the extensions activated by the app.”

Page 75 - Access to personal data:

“iOS helps prevent apps from accessing a user’s personal information without permission. Additionally, in Settings, users can see which apps they have permitted to access certain information, as well as grant or revoke any future access.”
