I work on privacy research projects for the iOS platform in my free time. Those projects are in no way affiliated with my work or my employer.
My privacy research posts and tweets had more than 10,000,000 impressions within just a few weeks. The goal is to raise awareness of what technology can do, and educate on how you, as a user, can protect yourself.
I’m taking a short break from privacy-related publications, and will launch more projects in 2018.
Feel free to write about any of the topics below. Make sure to read the original blog post linked, and feel free to use any of the images and videos provided on krausefx.com, as long as you reference the original blog post, including my name.
Every iOS app you ever gave permission to use your camera can record you any time it runs - without notice
Once you grant an app access to your camera, it can
- access both the front and the back camera
- record you at any time the app is in the foreground
- take pictures and videos without telling you
- upload the pictures/videos it takes immediately
- run real-time face recognition to detect facial features or expressions
Have you ever used a social media app while using the bathroom? 🚽
All of this happens without any indication that your phone is recording you and your surroundings: no LEDs, no light, and no other kind of indication.
Do you want the user’s Apple ID password, to get access to their Apple account, or to try the same email/password combination on different web services? Just ask your users politely, they’ll probably just hand over their credentials, as they’re trained to do so 👌
One of these is Apple asking you for your password and the other one is a phishing popup that steals your password.
Once the user grants access to the image library (e.g. to upload a single photo as a profile picture), an iOS app can
- Get a history of the cities, countries, and other places a user has visited, as long as they took a picture there
- Find the user’s place of work, by figuring out where they are from 9 to 5
- Get a complete list of the user’s cameras and photography devices (which iPhones, Android phones, cameras) and how long they used each device
- Use facial recognition to find out who the user hangs out with and who their partner is. Is the user single?
- Understand the user’s background:
  - Did the user attend college? If so, which one?
  - Did the user recently move from the suburbs to the city?
  - Does the user spend a lot of time with their family?
Any website you’re visiting instantly gets access to your smartphone’s acceleration and gyro sensor values in real time, without asking you for permission.
As a result, any website you visit can make a pretty precise guess about whether you are:
- taking a picture
- taking a selfie
- lying in bed, laying the phone on a table