Thursday, November 09, 2017 by Jhoanna Robinson
You just had a really bad breakup and now refuse to take calls from your ex. You refuse to text. You even refuse to respond to Facebook messages. Unluckily for you though, your ex might still be able to know exactly what you’re doing and where you are — especially if you’re an iOS user. According to Google engineer Felix Krause, there is a loophole in Apple’s permission system for camera access that allows apps to take a picture of their users every second and then upload these images online. Krause — quite harshly — exposed this glitch by developing the watch.user concept app, which did exactly that.
The only way that you can safeguard yourself against this malicious app is by covering your camera’s viewfinder. You can also take back camera access for all apps. “Always use the built-in camera app, and use the image picker of each app to select the photo,” Krause, researcher and founder of FastLane.tools, said.
When an app wants to gain control of your phone’s camera and its storage – for example, to take a profile photo during set-up — the app must first gain your permission to do so. But once you’ve given access, the app can take photos and videos of you via the phone’s camera or access your phone’s storage data, any time it wants to, making you vulnerable to cyber criminals.
Apps may have a perfectly reasonable explanation for wanting to gain access to your camera. This can be to allow the app to take a photo of you, send the photo within the app, or even add an avatar to your account name. However, because Apple’s permission system is not fool-proof, once you have given permission to these apps, they can just take your photo anytime they want, without warning you that they would do so, and definitely without informing you that they did.
If you’re confident that you would never give an app access to your phone’s camera, think again. Messaging services like Facebook Messenger, Telegram, or WhatsApp may already have permission to access both your image library and your camera. You might have unwittingly given them access when you calibrated your accounts’ privacy settings.
“iOS users often grant camera access to an app soon after they download it (for example, to add an avatar or send a photo). These apps, like a messaging app or any newsfeed-based app, can easily track the user’s face, take pictures, or live stream the front and back camera, without the user’s consent,” Krause said.
Other ways that cyber criminals may take advantage of this loophole include determining a user’s location based on the image data and running facial recognition on still frames to determine the user’s identity.
Krause said Apple should think about protecting its consumers more. He stressed the need for the company to bring in a system of temporary permissions to halt the unscrupulous activities of some apps by installing a permission system that would allow apps to take a picture during the set-up process but revoke said ability after a period of time.
“Offer a way to grant temporary access to the camera (for example, to take and share one picture with a friend on a messaging app) [or] show an icon in the status bar that the camera is active, and force the status bar to be visible whenever an app accesses the camera.”
Krause also suggested that Apple use a Mac-style light-emitting diode (LED) on the front of the phone which automatically lights up whenever the phone camera is being accessed. However, with Apple having already replaced a somewhat wide iPhone “forehead” with iPhone X’s teeny notch, and no doubt having plans to take away even this tiny piece in no time, consumers can’t count on using the LED.
One way in which you can make sure of the security of your phone is by enabling a two-factor authentication (2FA) system in your phone. This is an efficient way to do so, as a lot of companies that deliver online services, from Apple to Amazon, currently make use of 2FA, said University at Buffalo, State University of New York associate professor of communication Arun Vishwanath.
This approval system works by having you type in proper credentials on one device or account, and then verify that you are the individual logging onto the device or account by gaining access to yet another device or account.
For instance, if you try to access a device or an account, the system will ask for a login and password just like usual – but then it sends a numeric code to another device that you registered to the first device or account, using text message, an electronic message, or a specialized app.
If you cannot provide the numeric code that was given to the second device or account, the login to the first device or account is refused. This makes it so much more difficult to infiltrate another person’s device or account.
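The two-step login described above, written out from the service's side as an added example (not code from the article or from any vendor). The class name, the five-minute code lifetime and the three-guess limit are assumptions chosen for illustration; `send_code` stands in for the text message, e-mail or app channel.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3    # wrong guesses allowed per code (assumed value)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TwoFactorLogin:
    def __init__(self, send_code):
        self.users = {}    # user -> (salt, password hash, registered second device)
        self.pending = {}  # user -> [code, expiry time, guesses left]
        self.send_code = send_code  # out-of-band delivery (hypothetical callback)

    def register(self, user, password, device):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, hash_password(password, salt), device)

    def start_login(self, user, password, now=None):
        """Step 1: check login and password, then send a numeric code."""
        now = time.time() if now is None else now
        record = self.users.get(user)
        if record is None:
            return False
        salt, stored, device = record
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return False  # wrong password: no code is ever sent
        code = f"{secrets.randbelow(10**6):06d}"  # unpredictable 6-digit code
        self.pending[user] = [code, now + CODE_TTL, MAX_ATTEMPTS]
        self.send_code(device, code)
        return True

    def finish_login(self, user, code, now=None):
        """Step 2: refuse the login unless the code sent in step 1 comes back."""
        now = time.time() if now is None else now
        entry = self.pending.get(user)
        if entry is None:
            return False
        expected, expires_at, guesses_left = entry
        if now > expires_at or guesses_left <= 0:
            del self.pending[user]  # expired or guessed too often: start over
            return False
        if hmac.compare_digest(expected.encode(), code.encode()):
            del self.pending[user]  # a code works only once
            return True
        entry[2] -= 1               # count the wrong guess
        return False
```

The expiry, single-use and guess-limit checks are what keep a six-digit code from being replayed or brute-forced by someone who already has the password.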
People who often access the Internet using their own devices would also do well to subscribe to a virtual private network (VPN) service, some of which are free, and utilize this pathway whenever connecting a device to a public or unknown Wi-Fi network. This is because a VPN service encrypts digital communication that has been sent from and to your device, making it hard for hackers to trace the source of the communication or copy its contents.
Also, most computers, phones, and tablets employ a built-in activity monitor that enables users to glimpse the device’s memory use and network traffic in real time, for instance, which apps are receiving and sending internet data. An activity monitor can make it easier for you to view an activity that shouldn’t have transpired using your device, thus allowing you to take prompt action, like deleting an offending app.