
Detect.location: Access iOS location data without actually having access - epaga
https://github.com/KrauseFx/detect.location
======
sib
I'll be the contrarian and ask why this is surprising? Of course if an
application has been granted access to files of type X, the application can
access those files and read / parse / write / etc those files and the data
contained within them.

As a user, I'd be pretty annoyed if I used Instagram, FB, Camera +, or one of
the many other camera or photo editing apps on my phone and they did not have
the ability to read and write the location data.

~~~
untog
> I'll be the contrarian and ask why this is surprising?

Because users aren't actually all that aware of there being location data
attached to their photos. If you told them that an app could stitch together a
relatively accurate map of where they'd been in a day based on the photos they
took, most users would be surprised.

~~~
adrr
There's a map in the albums showing where all the pictures were taken. Also
iOS creates memories (machine generated albums) with location names. You'll
have to be pretty naive to think it wasn't storing location.

~~~
untog
> You'll have to be pretty naive to think it wasn't storing location.

I think you'll have to be pretty naive to assume that users inherently realise
that "photos have location attached" automatically leads to "third party app
can read location in these photos" and can lead to "build a profile of you
based on your photo locations".

It's not that people can't put these things together, it's that they don't
ever really think about it. When you download a photo editing app you're
thinking about editing a photo, not about the metadata you might be leaking in
doing so.

~~~
chii
Exactly - users don't use logical deduction to work out what information an
app is capable of inferring.

If I didn't give the app permission/information, it stands to reason that said
app shouldn't be able to infer, or deduce it. If the app is able to do so,
then they ought to be legally obligated to disclose this fact.

------
jrowley
Wow, I never thought about the privacy implications there. Creepy. I hope
Apple comes up with a fix for this. Thanks to the creator for bringing this to
my attention!

------
tinus_hn
It used to be that apps that tried to get the raw images had to have
permissions to see the user's location, otherwise the EXIF data would be
stripped.

Did this change?

~~~
stevenwoo
I remember when I uploaded photos in early versions of iOS, there was no
location data accessible to me when I looked at the files on our server. Not
sure what changed or if we never had access back then.

~~~
jsjohnst
How did you upload them? Apple strips location data when sent in an
MMS/iMessage for example. Not sure what all avenues they do this for, but it
could be a related cause in your scenario.

~~~
stevenwoo
I just remember getting the image the standard way either from the library or
the last camera photo, then examining the data that got uploaded, and not
finding the location data. Then I think I looked at it in the debugger in
Xcode and there was no location data there either. Our apps at that time had
location and photo permission and definitely could see the location
information in the iOS photo app for the same photos. Just wrote it off as a
quirk.

------
throw2016
Clever but it's just symptomatic of a complete lack of ethical constraints and
an all out assault on users' rights and privacy.

It's like going to your doc for a checkup only to discover they have stolen
your genetic information and are peddling it to advertisers without your consent.

10 years ago spyware had meaning, now everyone seems to be building it and
worse completely indifferent to ethical questions around harvesting user data
and building intrusive profiles.

It's only a matter of time before there is a huge backlash against this
rampant unethical behavior by the industry and it's clear we need tough
regulation and consequences.

~~~
LeoNatan25
> It's only a matter of time before there is a huge backlash against this
> rampant unethical behavior by the industry and it's clear we need tough
> regulation and consequences.

Don’t count on it. Outside of the tech community (echo chambered here), people
seem to just not care. Otherwise Google and its products would not have been
so successful; all the click-bait adware nonsense would not have been
successful. People are cheap and just don’t want to pay for anything.
Regulation could solve this, but Google and Facebook have so much lobbying
power in the US, I fear nothing will change for the better, but, indeed, most
likely for the worse.

------
kylehotchkiss
Oh wow. Facebook and Instagram _already_ have access to this collection of
location data then. This feels increasingly uncomfortable.

~~~
zitterbewegung
Foursquare buys location data from Instagram and then resells it to companies.
Then they look at the location data and figure out that people are going to
places like an Apple Store and then they take appropriate actions.

See [https://www.bloomberg.com/news/articles/2017-08-31/you-re-us...](https://www.bloomberg.com/news/articles/2017-08-31/you-re-using-foursquare-all-the-time-you-just-don-t-know-it)

EDIT: Changed from Hedge fund to companies. Couldn't find source of Hedge
funds.

~~~
kccqzy
Buys data from Instagram? Not in source given.

------
kccqzy
I’ve tried to mitigate this by not giving most apps access to my photo
library, especially since I use iCloud Photo Library and it has hundreds of
gigabytes of photos. Instead of using a photo picker implemented by the app, I
try to use (a) share sheet extensions by going to the Photos app first, or
(b) document pickers and then select my photo library as a source of documents.

~~~
ryanschneider
Note that if you choose "Save Image" on a Share sheet in iOS 10, the app is
given full access to your Photo Library (you are prompted to allow it though).

Looks like this was restricted to write only access in iOS 11.

------
rhamzeh
This is ingenious! This is still a huge part of why privacy/security is still
a long way off across all platforms. The attack vectors are much more nuanced
and complex than the simplified permission system we think about.

------
YurtleTheTurtle
There should be separate permissions for just photos vs photos with EXIF data.

------
peterburkimsher
It reminds me of PeteWarden's iPhone Tracker back in iOS 4, which took the
location data from the phone instead of the photos.

[http://petewarden.github.io/iPhoneTracker/](http://petewarden.github.io/iPhoneTracker/)

(I then wrote an AppleScript to use this tracking data to tag locations of
photos in my iPhoto library, because my camera at the time didn't have a GPS).

------
dorian-graph
It's possible to give permission for a single photo on iOS, as opposed to the
whole library—hopefully more apps will begin to be that fine-grained.

~~~
nacs
Is this an iOS 11 feature? I don't remember seeing this.

------
mosselman
Very creative, I like it and it creeps me out a lot! Whenever I am on my
computer and I upload something to most places I try to remember to wipe the
metadata, never thought of apps pulling this data straight out of the library
on my phone. Luckily I don't have many apps with access to photos to begin
with.

------
joe5150
I don't think the speed figures are accurate. I wasn't going 300+km/h when I
took this, lol.

[https://www.dropbox.com/s/fvgoo3qs3ku5eg0/2017-09-28%2000.45...](https://www.dropbox.com/s/fvgoo3qs3ku5eg0/2017-09-28%2000.45.02.png?dl=0)

------
CodeWriter23
The proposed solutions are a total sledge hammer approach. How about if you
want PHAsset to give you location information, you have to ask for the
Location Permission? Problem solved. Devs can use their custom pickers and
cameras and can’t spy information they haven’t asked permission for.

~~~
krausefx
Agreed, that's actually part of the proposal as well

> An alternative approach would be to have an extra permission layer to access
> the picture's metadata.

~~~
CodeWriter23
Actually, that's not what I said. It's location information, use the Location
Permission, not an additional permission. Why should I need to have an extra
permission beyond Photo Permission to get information like shutter speed,
aperture, and timestamp?

------
Jeremy1026
So not live location data, but still a pretty damn representative list of
location data.

~~~
cryptoz
The data is as live as the last photo taken. For many people, that's about the
same as any other 'live' location.

------
meitham
Isn't this issue applicable to Android as well?

~~~
NietTim
Yes, and every camera with EXIF data (and a GPS tracker) ever made.

------
curiousgal
This only works if you’ve given the camera app location permission allowing it
to geotag your pictures.

