Heads up, community. I think I’ve discovered a major security bug in at least iOS 11.1:
Apps requiring a social media login from Instagram (maybe logins from Facebook, Google, etc. too) have full access to the Apple photos app with no method to turn off this full access in iOS settings. I’ve tested this on some social media apps like Live.Me and YouNow. I’ve also tested this on photo editing apps.
It appears apps that require a social media login are not being registered in Settings > Privacy > Photos AND Settings > General > Restrictions > Photos in iOS. These apps also fail to include a photo on/off access toggle in Settings > “the app(s) in question”. These apps/iOS 11.1 also fail to throw a required permission dialog box when the user requests a photo within the offending apps, even when iOS global photo permission is turned off, and/or Instagram read/write photo permission is turned off. This means these apps always have access to at least the Apple photos app.
- Again, apps requiring social media login have full non-granted, non-registered and always-on access to Apple photos.
- As of this writing, I do not know if this bug also allows apps requiring a social media login further non-granted and non-registered access to additional Apple apps like cameras, notes, email, etc.
- I called Apple and they are now aware of the issue.
- I have deleted any app which might have requested a social media account in the setup process.