*Bangs head against wall*
He is right: you don't seem to understand.

The issue is not the popup. It is there for any app that accesses photos using that method. The only reason you must give permission is because of the location data within the photos. If photos never contained location data you would most likely not be asked permission at all. The location warning, while confusing, is irrelevant to the fact that the whole camera roll can be accessed. Even without location data that could be used nefariously.

The issue IMO is how there is virtually no protection on the camera roll. You don't need an app to point that out. You can plug a passcode-locked iPhone into just about any computer and have full access to its camera roll--location data and all. The camera roll is not even walled in like most of the file system.




Michael
 
He is right: you don't seem to understand.

The issue is not the popup. It is there for any app that accesses photos using that method. The only reason you must give permission is because of the location data within the photos. If photos never contained location data you would most likely not be asked permission at all. The location warning, while confusing, is irrelevant to the fact that the whole camera roll can be accessed. Even without location data that could be used nefariously.

What are you actually trying to say here? Are you telling me, as someone else did, that full access to the photo library is a 'side-effect' of allowing the app to access location metadata? I get that, but calling it a side-effect is really just playing with words. If there is a direct causal relationship between allowing access to location information and giving complete control over your photo library, then the request for permission needs to clearly state this. For BaldiMac to say that 'the location warning is precise and explicit', only shows that he doesn't understand what the word 'explicit' actually means.

Or are you saying that apps have full access to the photo library even before an app asks for, or indeed is given, permission to access location information? Mate, I'm only basing my comments on what the article states, which is:

After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user's entire photo library, without any further notification or warning, according to app developers.

If you guys can't see how this is a problem for the user, then clearly you have no appreciation for Apple's design philosophy of starting with the user experience, and engineering around that.

The issue IMO is how there is virtually no protection on the camera roll. You don't need an app to point that out. You can plug a passcode-locked iPhone into just about any computer and have full access to its camera roll--location data and all. The camera roll is not even walled in like most of the file system.

Indeed. If what you say is true, we have no argument there.
 
What are you actually trying to say here? Are you telling me, as someone else did, that full access to the photo library is a 'side-effect' of allowing the app to access location metadata? I get that, but calling it a side-effect is really just playing with words. If there is a direct causal relationship between allowing access to location information and giving complete control over your photo library, then the request for permission needs to clearly state this. For BaldiMac to say that 'the location warning is precise and explicit', only shows that he doesn't understand what the word 'explicit' actually means.

Or are you saying that apps have full access to the photo library even before an app asks for, or indeed is given, permission to access location information? Mate, I'm only basing my comments on what the article states, which is:



If you guys can't see how this is a problem for the user, then clearly you have no appreciation for Apple's design philosophy of starting with the user experience, and engineering around that.



Indeed. If what you say is true, we have no argument there.

What you don't seem to understand is that the photos aren't what is being protected by the dialog. Location information is. Apps are supposed to have access to the photo library. If the photos did not (potentially) contain location data, you would not see a permission dialog.
 
What you don't seem to understand is that the photos aren't what is being protected by the dialog. Location information is. Apps are supposed to have access to the photo library. If the photos did not (potentially) contain location data, you would not see a permission dialog.

So let me repeat what I asked Tinmania: Are you saying that apps have full access to the photo library even before an app asks for, or indeed is given, permission to access location information? Is that what you're saying?
 

And drop box. If you want it to access your photos it wants location data. Where's it going? Why does it need location data to simply put photos into Dropbox?
or is it so Dropbox can use it to sell on for advertising etc?

It's not clear. I always thought asking for location data meant accessing the gps.

Can anyone clear that up? Thanks.
 

BaldiMac said:
kalsta said:
What are you actually trying to say here? Are you telling me, as someone else did, that full access to the photo library is a 'side-effect' of allowing the app to access location metadata? I get that, but calling it a side-effect is really just playing with words. If there is a direct causal relationship between allowing access to location information and giving complete control over your photo library, then the request for permission needs to clearly state this. For BaldiMac to say that 'the location warning is precise and explicit', only shows that he doesn't understand what the word 'explicit' actually means.

Or are you saying that apps have full access to the photo library even before an app asks for, or indeed is given, permission to access location information? Mate, I'm only basing my comments on what the article states, which is:



If you guys can't see how this is a problem for the user, then clearly you have no appreciation for Apple's design philosophy of starting with the user experience, and engineering around that.



Indeed. If what you say is true, we have no argument there.

What you don't seem to understand is that the photos aren't what is being protected by the dialog. Location information is. Apps are supposed to have access to the photo library. If the photos did not (potentially) contain location data, you would not see a permission dialog.

This is getting confusing.

I download an app. Say quidco, or itv player. It asks to use my location so it can find stores I'm near. I give it permission to use my location thinking it means to access my gps. It then has access to all my photos and my photo location data.

Does it sell this info?
 
So let me repeat what I asked Tinmania: Are you saying that apps have full access to the photo library even before an app asks for, or indeed is given, permission to access location information? Is that what you're saying?

Theoretically. I'm not sure how it works in practice. The point is to protect the location data, not the photos.

If a gps app had an option for custom backgrounds, you would obviously give it permission to access location data when it starts as related to its navigation functions. It does not need any further permission to access your photos to choose a custom background.

It appears that Apple has committed to verifying with a user when each app wants to access a central database (contacts, photos, etc.) for the first time. You seem to think that is good. I think it's just "security theater", like the TSA. Something that makes the masses feel more secure, annoys most people, and ultimately does little to improve the security. It still comes down to simply trusting the developer with your data (or trusting Apple to vet the developer.)

And drop box. If you want it to access your photos it wants location data. Where's it going? Why does it need location data to simply put photos into Dropbox?
or is it so Dropbox can use it to sell on for advertising etc?

It's not clear. I always thought asking for location data meant accessing the gps.

Can anyone clear that up? Thanks.

The location data in this situation is the geotags embedded in the photos.

This is getting confusing.

I download an app. Say quidco, or itv player. It asks to use my location so it can find stores I'm near. I give it permission to use my location thinking it means to access my gps. It then has access to all my photos and my photo location data.

Does it sell this info?

There has been no indication that any app in the App Store has done anything malicious with photo data.
 
Proof point on this? Or is this just your opinion?

Besides the location data permissions that we are discussing that are enforced for geotags, iOS only allows apps vetted by Apple (regardless of the fact that they miss stuff.) Does any other OS do anything?

(Yes, I probably should have said "popular" OS, and did in an earlier post. I was thinking Mac, Windows, popular Linux distributions, and Android. There is probably some Linux distribution somewhere that locks every file down so you need to type in your password every time you access any file in the whole file system. :D)

That doesn't mean it hasn't happened. It just means it hasn't been caught - IF one is.

Exactly.
 
What are you actually trying to say here? Are you telling me, as someone else did, that full access to the photo library is a 'side-effect' of allowing the app to access location metadata? I get that, but calling it a side-effect is really just playing with words. If there is a direct causal relationship between allowing access to location information and giving complete control over your photo library, then the request for permission needs to clearly state this. For BaldiMac to say that 'the location warning is precise and explicit', only shows that he doesn't understand what the word 'explicit' actually means.

Or are you saying that apps have full access to the photo library even before an app asks for, or indeed is given, permission to access location information? Mate, I'm only basing my comments on what the article states, which is:



If you guys can't see how this is a problem for the user, then clearly you have no appreciation for Apple's design philosophy of starting with the user experience, and engineering around that.



Indeed. If what you say is true, we have no argument there.
You are right, I don't think there is an argument there.

But my fear is that the symptom here can be fixed without actually addressing the problem itself.

Basically there are two ways for an app to get photos. The first one is very simple: it just brings up a generic (Apple) photo picker and after you choose one it returns that photo to the app, with no metadata to speak of included. I have no issue with this method. After all, you choose the exact photo the app receives. The users control photo access on a photo-by-photo basis.

The second method seems to have come from an entirely different mindset. It lets you--you as in app developer--build your own photo picker and directly access the photo databases, including any embedded metadata within the photos. It is only because of the potential location data included in that metadata that Apple demands the user first agree to it before allowing access. If you deny access to the location metadata you have therefore denied access to the camera roll for that app.

What some developers seem to want is for Apple to simply strip out the location metadata if you don't agree to the location prompt. That is where I have a problem. I don't want to just have to agree to the location data part: I want apps to have to ask for explicit permission in order to access the entire photo databases at all--location data or not.

Clearer?

Beyond that I think camera roll security needs to be taken more seriously. While anyone can take a photo with the iPhone locked, they can only view the photos they take--not all the photos previously taken. Why have that illusion of security when that same person could simply plug in the iPhone and see them all? At the very least when the iPhone is locked by a passcode it should not freely expose the camera roll via USB.



Michael
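
The "location data" discussed in this thread is the geotag stored inside each photo file, and one proposal above is to strip it when the user declines the prompt. As an added example (not part of any post and not Apple's implementation), this Python sketch reads the GPS directory from a JPEG's Exif segment and removes that segment; the sample bytes and coordinates are constructed.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory
EXIF_ID = b"Exif\0\0"

def build_sample_jpeg():
    """Constructed input: SOI + one Exif APP1 segment + EOI (no pixel data)."""
    lat = struct.pack("<6I", 37, 1, 19, 1, 5400, 100)   # 37 deg 19' 54.00"
    lon = struct.pack("<6I", 122, 1, 1, 1, 4800, 100)   # 122 deg 1' 48.00"
    gps_off = 26                         # 8-byte TIFF header + 18-byte IFD0
    lat_off = gps_off + 2 + 4 * 12 + 4   # GPS IFD holds four 12-byte entries
    lon_off = lat_off + len(lat)
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_off)
            + struct.pack("<I", 0))
    gps = (struct.pack("<H", 4)
           + struct.pack("<HHI4s", 1, 2, 2, b"N\0\0\0")   # GPSLatitudeRef
           + struct.pack("<HHII", 2, 5, 3, lat_off)       # GPSLatitude
           + struct.pack("<HHI4s", 3, 2, 2, b"W\0\0\0")   # GPSLongitudeRef
           + struct.pack("<HHII", 4, 5, 3, lon_off)       # GPSLongitude
           + struct.pack("<I", 0))
    payload = EXIF_ID + b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps + lat + lon
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"

def segments(jpeg):
    """Yield (marker, start, end) for each header segment before image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):       # start of scan / end of image
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("truncated segment")
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_ID

def read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, raw 4-byte value/offset field)}."""
    (count,) = struct.unpack_from(bo + "H", tiff, offset)
    entries = {}
    for i in range(count):
        tag, typ, n, raw = struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, n, raw)
    return entries

def to_degrees(tiff, bo, entry, ref):
    typ, n, raw = entry
    if typ != 5 or n != 3:               # expect three RATIONALs
        raise ValueError("unexpected GPS coordinate encoding")
    (off,) = struct.unpack(bo + "I", raw)
    d = struct.unpack_from(bo + "6I", tiff, off)
    if 0 in d[1::2]:
        raise ValueError("zero denominator in GPS coordinate")
    value = d[0] / d[1] + d[2] / d[3] / 60 + d[4] / d[5] / 3600
    return -value if ref in (b"S", b"W") else value

def geotag(jpeg):
    """Return (lat, lon) in decimal degrees, or None if no geotag is present."""
    tiff = next((jpeg[s + 10:e] for m, s, e in segments(jpeg) if is_exif(jpeg, m, s)), None)
    if tiff is None or tiff[:2] not in (b"II", b"MM"):
        return None
    bo = "<" if tiff[:2] == b"II" else ">"
    (ifd0_off,) = struct.unpack_from(bo + "I", tiff, 4)
    ifd0 = read_ifd(tiff, ifd0_off, bo)
    if GPS_IFD_TAG not in ifd0:
        return None
    (gps_off,) = struct.unpack(bo + "I", ifd0[GPS_IFD_TAG][2])
    gps = read_ifd(tiff, gps_off, bo)
    if not all(t in gps for t in (1, 2, 3, 4)):
        return None
    return (to_degrees(tiff, bo, gps[2], gps[1][2][:1]),
            to_degrees(tiff, bo, gps[4], gps[3][2][:1]))

def strip_exif(jpeg):
    """Copy the file without its Exif APP1 segments (drops all Exif, not only GPS)."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in segments(jpeg):
        if is_exif(jpeg, marker, start):
            out += jpeg[last:start]
            last = end
    return bytes(out + jpeg[last:])

if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before:", geotag(sample))
    print("after: ", geotag(strip_exif(sample)))
```

Removing the whole Exif segment also discards fields such as orientation and capture time, which is the trade-off of stripping metadata wholesale rather than only the GPS directory.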
 
You are right, I don't think there is an argument there.

But my fear is that the symptom here can be fixed without actually addressing the problem itself.

Basically there are two ways for an app to get photos. The first one is very simple: it just brings up a generic (Apple) photo picker and after you choose one it returns that photo to the app, with no metadata to speak of included. I have no issue with this method. After all, you choose the exact photo the app receives. The users control photo access on a photo-by-photo basis.

The second method seems to have come from an entirely different mindset. It lets you--you as in app developer--build your own photo picker and directly access the photo databases, including any embedded metadata within the photos. It is only because of the potential location data included in that metadata that Apple demands the user first agree to it before allowing access. If you deny access to the location metadata you have therefore denied access to the camera roll for that app.

What some developers seem to want is for Apple to simply strip out the location metadata if you don't agree to the location prompt. That is where I have a problem. I don't want to just have to agree to the location data part: I want apps to have to ask for explicit permission in order to access the entire photo databases at all--location data or not.


Clearer?

Thanks for the simple description from a developer perspective!
 
Theoretically. I'm not sure how it works in practice.

No worries. It's okay to say you don't know how it actually works. But given that you don't know, I do think it was unfair for you to keep insisting that I didn't understand. I was only basing my comments on what the article said.

The point is to protect the location data, not the photos.

Exactly. The intended purpose of requesting permission is to unlock location data, and that's what users can reasonably expect it does. If it does anything significantly more than that, then at the very least it needs to make users aware.

Better still, Apple provides a way for apps to access photo metadata without giving them unrestricted access to the images themselves. They're smart people at Apple. They can do it.

If a gps app had an option for custom backgrounds, you would obviously give it permission to access location data when it starts as related to its navigation functions. It does not need any further permission to access your photos to choose a custom background.

There's a very big difference between using a photo for a custom background, and sending a copy of the photo to a remote server. You might argue that the technical line between the two is minimal. Be that as it may, it's a continental divide in the eyes of the user! Like I said before, the very heart of the Jobsonian design philosophy is that you start with the user experience and engineer around it.

It appears that Apple has committed to verifying with a user when each app wants to access a central database (contacts, photos, etc.) for the first time. You seem to think that is good. I think it's just "security theater", like the TSA. Something that makes the masses feel more secure, annoys most people, and ultimately does little to improve the security.

Whether it proves to be 'good' or 'annoys most people' probably depends on how Apple implements it. And generally, Apple does a pretty good job of only bothering the user when it's important—unlike certain other OS vendors who we shan't mention here. ;)
 
You are right, I don't think there is an argument there.

But my fear is that the symptom here can be fixed without actually addressing the problem itself.

Basically there are two ways for an app to get photos. The first one is very simple: it just brings up a generic (Apple) photo picker and after you choose one it returns that photo to the app, with no metadata to speak of included. I have no issue with this method. After all, you choose the exact photo the app receives. The users control photo access on a photo-by-photo basis.

Fair enough. I have no issue with that either.

The second method seems to have come from an entirely different mindset. It lets you--you as in app developer--build your own photo picker and directly access the photo databases, including any embedded metadata within the photos. It is only because of the potential location data included in that metadata that Apple demands the user first agree to it before allowing access. If you deny access to the location metadata you have therefore denied access to the camera roll for that app.

What some developers seem to want is for Apple to simply strip out the location metadata if you don't agree to the location prompt. That is where I have a problem. I don't want to just have to agree to the location data part: I want apps to have to ask for explicit permission in order to access the entire photo databases at all--location data or not.

Clearer?

I absolutely agree. And I'd suggest most users would agree with you too, that location information and complete access to the photo library are two very different concerns. Sure, there's that tiny bit of overlap there, because photos contain location metadata—but it certainly doesn't justify lumping the two together in an all-or-nothing approach.

Beyond that I think camera roll security needs to be taken more seriously. While anyone can take a photo with the iPhone locked, they can only view the photos they take--not all the photos previously taken. Why have that illusion of security when that same person could simply plug in the iPhone and see them all? At the very least when the iPhone is locked by a passcode it should not freely expose the camera roll via USB.

I agree. And so it seems we had no disagreement after all. See, that was easy! :)
 
No worries. It's okay to say you don't know how it actually works. But given that you don't know, I do think it was unfair for you to keep insisting that I didn't understand. I was only basing my comments on what the article said.

But you still don't appear to understand.

Exactly. The intended purpose of requesting permission is to unlock location data, and that's what users can reasonably expect it does. If it does anything significantly more than that, then at the very least it needs to make users aware.

It doesn't do anything more than protect the location data. Read Tinmania's explanation again. The user has no reason to think that photos aren't accessible to developers. The only thing protected by the permission dialog is location data. There is just other stuff bundled with the location data that the user should assume is already accessible to developers.

Better still, Apple provides a way for apps to access photo metadata without giving them unrestricted access to the images themselves. They're smart people at Apple. They can do it.

I'm not sure what you are getting at here. Why would a developer want access to the metadata and not the photos?

There's a very big difference between using a photo for a custom background, and sending a copy of the photo to a remote server. You might argue that the technical line between the two is minimal. Be that as it may, it's a continental divide in the eyes of the user! Like I said before, the very heart of the Jobsonian design philosophy is that you start with the user experience and engineer around it.

Exactly. Which was my point that you said wasn't important. The problem isn't giving developers access to the photos, it's using those photos in ways that the user does not want. That's what can't be controlled by a permissions dialog. Once the developer has access to your photos, there is no way to prevent them from uploading them to a remote server other than curation.

Whether it proves to be 'good' or 'annoys most people' probably depends on how Apple implements it. And generally, Apple does a pretty good job of only bothering the user when it's important—unlike certain other OS vendors who we shan't mention here. ;)

And, yet, here you are calling it a serious issue that Apple isn't bothering people more! :D The best solution to the actual problem is a better curation process and the quick removal of apps and banning of developers that maliciously violate the rules.

Asking permission to access your photos isn't helpful. It still comes down to an uninformed user having to make a decision on whether or not to trust a developer. The same decision they already made when they downloaded the app.
 

This is why I wish I could write my own apps and software. Damn my lack of brain power as a youth :(
 
But you still don't appear to understand.

It doesn't do anything more than protect the location data. Read Tinmania's explanation again.

What is it exactly that I don't understand? Do I not understand that iOS protects location information? Do I not understand that the purpose of the permission dialog is to allow an app to access that location information? Or do I not understand that location information is attached to photos? Or perhaps I don't understand that by granting the app permission to access location information, the user inadvertently grants the app permission to access photos too? Or perhaps I don't understand why you just keep repeating that I don't understand. Hmm… nope, I think I understand that too. To the casual reader, it gives the impression that you're smarter than I am. Well done.

So the user grants location permissions and inadvertently gives the app complete access to the photo library as well. You don't see this as a problem. I do. Evidently, Tinmania sees it as a problem too, despite your trying to hop into bed with him. Whether this is a problem or not is what we're debating… or at least we would be if you could get past this condescending BS of repeatedly questioning my comprehension abilities.

The user has no reason to think that photos aren't accessible to developers. The only thing protected by the permission dialog is location data. There is just other stuff bundled with the location data that the user should assume is already accessible to developers.

Now we get to what is essentially your whole argument, and this is where I strongly disagree with you. You say, 'the user should assume [photos are] already accessible to developers'. The user should assume?! Mate, I'm glad you're not a software designer at Apple, that's all I can say! You can insist that users all make the same assumptions you do, but what's the reality do you think? Neither of us have conducted a large-scale survey to discover what users really believe, but I'll bet you most iPhone owners assume that when they take a photo, it's not an open invitation for developers to grab a copy. The same with notes, address book information, and other potentially sensitive personal information.

I'm not sure what you are getting at here. Why would a developer want access to the metadata and not the photos?

I have no idea. The point is, accessing the user's location data and accessing their private photos and videos are two very distinct concerns, and ought to be treated separately.

Exactly. Which was my point that you said wasn't important.

No idea what you're referring to here.

The problem isn't giving developers access to the photos, it's using those photos in ways that the user does not want. That's what can't be controlled by a permissions dialog. Once the developer has access to your photos, there is no way to prevent them from uploading them to a remote server other than curation.

I've highlighted the key words here. You seem to be saying that it's technically impossible for the iPhone to be aware of what data is being transmitted from within an app. You seem to be starting with what you perceive as the technical limitations, and building an approach around that. As I've said a number of times already, Jobs' design philosophy was to start with the user experience and tell the hardware and software engineers to make it happen. That approach, while it might drive the engineers mad at times, has given us products that simply would not have been possible otherwise. Again, I'm glad you're not a software designer at Apple.

And, yet, here you are calling it a serious issue that Apple isn't bothering people more!

Bothering them when an app tries to access the photo library without their knowledge? Yes! Bothering them when the app tries to send binary photo data to a remote server? Absobloodylutely!!
 
Now we get to what is essentially your whole argument, and this is where I strongly disagree with you. You say, 'the user should assume [photos are] already accessible to developers'. The user should assume?! Mate, I'm glad you're not a software designer at Apple, that's all I can say! You can insist that users all make the same assumptions you do, but what's the reality do you think? Neither of us have conducted a large-scale survey to discover what users really believe, but I'll bet you most iPhone owners assume that when they take a photo, it's not an open invitation for developers to grab a copy. The same with notes, address book information, and other potentially sensitive personal information.

I'll take that survey :)

I don't expect any app to get to my private data. Doubly so when that app is merely a portal to a website I could go to in Safari.

Now I would expect apps to steal personal info on Android but not on APPLE
It's one of the reasons I put me and my son on Apple. You gotta trust someone. Apple appear to be the best of the bunch.
 
What is it exactly that I don't understand? Do I not understand that iOS protects location information? Do I not understand that the purpose of the permission dialog is to allow an app to access that location information? Or do I not understand that location information is attached to photos? Or perhaps I don't understand that by granting the app permission to access location information, the user inadvertently grants the app permission to access photos too? Or perhaps I don't understand why you just keep repeating that I don't understand. Hmm… nope, I think I understand that too. To the casual reader, it gives the impression that you're smarter than I am. Well done.

I'm not trying to be condescending. Tone doesn't come across well on the internet. There is no reason to assume animosity. I'm just having a discussion.

The distinction that I am trying to explain is that users are not inadvertently granting permission to the photos themselves because the user had no expectation that the photos themselves were ever inaccessible to developers. Because no popular OS, ever, has made them inaccessible to developers. The ONLY information that iOS protects in this way to date is location information.

So the user grants location permissions and inadvertently gives the app complete access to the photo library as well. You don't see this as a problem. I do. Evidently, Tinmania sees it as a problem too, despite your trying to hop into bed with him. Whether this is a problem or not is what we're debating… or at least we would be if you could get past this condescending BS of repeatedly questioning my comprehension abilities.

Why is it a problem that developers have access to your photos? Seems to me the only problem is if they use those photos in a way that you don't want them to.

Now we get to what is essentially your whole argument, and this is where I strongly disagree with you. You say, 'the user should assume [photos are] already accessible to developers'. The user should assume?! Mate, I'm glad you're not a software designer at Apple, that's all I can say! You can insist that users all make the same assumptions you do, but what's the reality do you think? Neither of us have conducted a large-scale survey to discover what users really believe, but I'll bet you most iPhone owners assume that when they take a photo, it's not an open invitation for developers to grab a copy. The same with notes, address book information, and other potentially sensitive personal information.

Again, desktop OS's have always given the developers full access to the file system. Any program that you download on a Mac has the ability to completely wipe your home folder or upload it to the internet.

I have no idea. The point is, accessing the user's location data and accessing their private photos and videos are two very distinct concerns, and ought to be treated separately.

They are treated separately. Location data just happens to be bundled in photos.

No idea what you're referring to here.

My original point is that the problem is actually malicious developers, not developer access to the photo library. Limiting developer access to the photo library through a user permission is not going to stop a malicious developer. All they need to do is design an app that the user would believe needs access to the photo library. And that ignores the tendency of users to just hit "Okay."

I've highlighted the key words here. You seem to be saying that it's technically impossible for the iPhone to be aware of what data is being transmitted from within an app. You seem to be starting with what you perceive as the technical limitations, and building an approach around that. As I've said a number of times already, Jobs' design philosophy was to start with the user experience and tell the hardware and software engineers to make it happen. That approach, while it might drive the engineers mad at times, has given us products that simply would not have been possible otherwise. Again, I'm glad you're not a software designer at Apple.

You have no idea what I do for a living. :) What you are suggesting isn't one of those "make it happen" kind of things. It's one of those "the solution is worse than the problem" kind of things.

Bothering them when an app tries to access the photo library without their knowledge? Yes!

That's what it appears Apple is going to do. I find it annoying and useless.

Bothering them when the app tries to send binary photo data to a remote server? Absobloodylutely!!

Unless you expect Apple to monitor all your traffic :)eek:!!!!) you are expecting something that isn't practical.

Again, the solution to the real problem of developers misusing personal information is curation and swift action against developers that violate the rules. The App Store already does this. It can be done even better.

Developers will definitely sneak stuff in, but if Apple and other watchdogs identify the problems quickly, the apps can be pulled and developers can be banned. As the process improves and circumvention techniques are identified, the financial incentive for malicious developers will degrade to the point that it's just not worth it.
 
I think Apple should reveal app permissions before a user downloads it just like in Android.

You can verify to what extent the app is using other phone features.
 
Bothering them when an app tries to access the photo library without their knowledge? Yes! Bothering them when the app tries to send binary photo data to a remote server? Absobloodylutely!!

Unless you expect Apple to monitor all your traffic (:eek:!!!!) you are expecting something that isn't practical.

FYI: If a developer has access to your data and a network connection, all they have to do is obfuscate or encrypt the data before sending it through the connection to avoid monitoring. For Apple to monitor that would require them to monitor an app's executing code and understand what that code does. As BaldiMac said, it isn't practical. If you could implement this science fiction, it would slow down your system.
 

Private photos. Private notes. Private videos. What gives any dev the right to them?
 
I'm not trying to be condescending. Tone doesn't come across well on the internet. There is no reason to assume animosity. I'm just having a discussion.

Condescension doesn't imply animosity. Anyway, let's leave it there and move on…

… users are not inadvertently granting permission to the photos themselves because the user had no expectation that the photos themselves were ever inaccessible to developers. Because no popular OS, ever, has made them inaccessible to developers.

You're making assumptions about the user again which I don't believe are warranted. You're saying there is a precedent, which has been set by popular operating systems like Windows and Mac OS. I don't think this applies. Firstly, this is a consumer device which people treat and use in a very different way than they use a traditional desktop operating system, and many owners of iPhones, iPod Touches and iPads are relatively new to computing, or in any case they are not aware of the precedent you refer to. Secondly, Apple has gone to great lengths to design and market these things as completely new kinds of devices. You and I both know that at its core the iPod Touch is really just another computer, running an operating system very similar to OS X on the Mac. But to the average user, it's something very different. And let's not forget the message Apple sends via its walled garden approach to selling iOS apps—Apple is worrying about these things so you don't have to.

But hey, we could argue this stuff all day and get nowhere. The only way to really know what the majority of users think is to conduct that survey.

Why is it a problem that developers have access to your photos? Seems to me the only problem is if they use those photos in a way that you don't want them to.

Okay fine. Please send me the keys and address to your home and car. That's not a problem is it? Seems to me the only problem is if I use those keys to break in and steal stuff. But I'm not going to do that.

My original point is that the problem is actually malicious developers, not developer access to the photo library. Limiting developer access to the photo library through a user permission is not going to stop a malicious developer. All they need to do is design an app that the user would believe needs access to the photo library. And that ignores the tendency of users to just hit "Okay."

The problem is thieves, not whether or not you leave all the doors of your home unlocked when you go out. Limiting access to your home is not going to stop a thief if they really want to break in.

But hey, it's a start, isn't it?

That's what it appears Apple is going to do. I find it annoying and useless.

So you're fine and dandy with an app accessing your photo library 'without your knowledge'? Well, okay. If that isn't a problem to you, I can't really argue with your personal opinion! But I reckon most people would rather know whether an app is accessing their photos.

The situation Tinmania described earlier, where an app uses a generic photo picker, is a good example where the user knows what is going on. Permission is being granted in an obvious and non-invasive way, so no warning dialog is needed there. But you insist that an app requiring permission to access photos is going to be oh-so-annoying. So tell me, under which conditions would an app need to access your photos without you telling it to? To put it another way, under which conditions would you be happy for an app to secretly access your photos? (You must have thought of such conditions occurring quite regularly, since you seem certain it would be very annoying for iOS to keep bringing this to your attention.)

FYI: If a developer has access to your data and a network connection, all they have to do is obfuscate or encrypt the data before sending it through the connection to avoid monitoring. For Apple to monitor that would require them to monitor an app's executing code and understand what that code does. As BaldiMac said, it isn't practical. If you could implement this science fiction, it would slow down your system.

Sure. While thinking about this during the week, I had considered the possibility that an app could obfuscate the data. But that was not the context of BaldiMac's comment which I responded to. The context was the question of whether the user would be annoyed by all these invasive warning dialogs. I really do believe that most users would be quite grateful to receive a warning if an app was secretly accessing their photos or transmitting them to a remote server. Again, I would put it to you that Apple's design philosophy is to start with the ideal user experience and then work out the best way to make it happen.

There may always be ways for malicious coders to get around basic security measures if they really want to. But even a weak lock on your front door is probably better than no lock at all, no?

----------

I'll take that survey :)

I don't expect any app to get to my private data. Doubly so when that app is merely a portal to a website I could go to in Safari.

Thanks for taking the survey! So far we have 100% of respondents in favour of apps requiring permission to access the photo library. :D
 

No worries :D

The only time this is a good thing is if you're the FBI, CIA, MI5, a private investigator or a newscorp writing apps and thus stealing photos, videos and notes.
 
You're making assumptions about the user again which I don't believe are warranted. You're saying there is a precedent, which has been set by popular operating systems like Windows and Mac OS. I don't think this applies. Firstly, this is a consumer device which people treat and use in a very different way than they use a traditional desktop operating system, and many owners of iPhones, iPod Touches and iPads are relatively new to computing, or in any case they are not aware of the precedent you refer to. Secondly, Apple has gone to great lengths to design and market these things as completely new kinds of devices. You and I both know that at its core the iPod Touch is really just another computer, running an operating system very similar to OS X on the Mac. But to the average user, it's something very different. And let's not forget the message Apple sends via its walled garden approach to selling iOS apps—Apple is worrying about these things so you don't have to.

The last sentence that I highlighted in bold is my whole point! Apple is doing the job through curation that you want uninformed users to do through a dialog box.

Okay fine. Please send me the keys and address to your home and car. That's not a problem is it? Seems to me the only problem is if I use those keys to break in and steal stuff. But I'm not going to do that.

The problem is thieves, not whether or not you leave all the doors of your home unlocked when you go out. Limiting access to your home is not going to stop a thief if they really want to break in.

But hey, it's a start, isn't it?

Your analogies aren't actually considering the whole situation. We often invite people into our homes. An app that you choose to install is like a maid or handyman that you hire to perform a job for you. The App Store is the referral service that you trust to verify the credentials of the service provider. Do you think that most people follow the maid around the house to make sure they don't steal anything?

So you're fine and dandy with an app accessing your photo library 'without your knowledge'? Well, okay. If that isn't a problem to you, I can't really argue with your personal opinion! But I reckon most people would rather know whether an app is accessing their photos.

And, yet, they haven't cared for the last couple decades.

The situation Tinmania described earlier, where an app uses a generic photo picker, is a good example where the user knows what is going on. Permission is being granted in an obvious and non-invasive way, so no warning dialog is needed there. But you insist that an app requiring permission to access photos is going to be oh-so-annoying. So tell me, under which conditions would an app need to access your photos without you telling it to? To put it another way, under which conditions would you be happy for an app to secretly access your photos? (You must have thought of such conditions occurring quite regularly, since you seem certain it would be very annoying for iOS to keep bringing this to your attention.)

The obvious answer here is - I don't know all the situations where this would occur. That's the problem. Most consumers can't make an informed decision. All a malicious developer would need to do is design their app to give a spurious reason to access the photo library.

Sure. While thinking about this during the week, I had considered the possibility that an app could obfuscate the data. But that was not the context of BaldiMac's comment which I responded to. The context was the question of whether the user would be annoyed by all these invasive warning dialogs. I really do believe that most users would be quite grateful to receive a warning if an app was secretly accessing their photos or transmitting them to a remote server. Again, I would put it to you that Apple's design philosophy is to start with the ideal user experience and then work out the best way to make it happen.

So your solution would protect us from all those non-photo related apps that want to steal our photos, but do nothing to prevent the photo-related apps from stealing our photos.

There may always be ways for malicious coders to get around basic security measures if they really want to. But even a weak lock on your front door is probably better than no lock at all, no?

The lock is not what's in question. Developers only have access if you invite them in the house. The most valuable items (location data, phone access, messaging access) are in the safe. The only question is whether you trust them with the backing of Apple's vetting process. You think it is better to ask, after they are in the house... "Is it okay if I go into the bedroom? Is it okay if I go into the kitchen? Is it okay if I go into the bathroom? Is it okay to go into the closet?" Etc.

I prefer to say... "You have good references. Do what I hired you to do. If you break or steal something, you will lose your license."

Thanks for taking the survey! So far we have 100% of respondents in favour of apps requiring permission to access the photo library. :D

I'm pretty sure you'll understand that I vote against it! :)
 
Sure. While thinking about this during the week, I had considered the possibility that an app could obfuscate the data. But that was not the context of BaldiMac's comment which I responded to. The context was the question of whether the user would be annoyed by all these invasive warning dialogs. I really do believe that most users would be quite grateful to receive a warning if an app was secretly accessing their photos or transmitting them to a remote server. Again, I would put it to you that Apple's design philosophy is to start with the ideal user experience and then work out the best way to make it happen.

There may always be ways for malicious coders to get around basic security measures if they really want to. But even a weak lock on your front door is probably better than no lock at all, no?

How do you expect the system to know that apps are secretly taking an action? Magic?

Likely Apple will come up with some ideas, but they will be limited. For instance, they could require apps to register for resource use such as the photo library and networking. By definition, a photo editing app would require access to the library to be useful. If it allows you to send postcards, then it requires networking. As the user purchasing that app, you understand its purpose and resource access. What you and Apple can't tell is if an app is being malicious.

If you put too many warnings in, people will be annoyed, and it causes a poorer user experience. Windows Vista proved it. As mentioned, you can't warn what an app is secretly doing.

At some point, regardless of how many blocks are placed in front of apps, you have to have some blind faith that the apps you purchase are not being malicious.
 