A top iOS security researcher has uncovered yet another privacy loophole in Apple's mobile firmware.

Felix Krause, founder of Fastlane.Tools, said the way Apple's software handles camera access and recording is leaving many fans vulnerable to being spied on by apps on their gadgets without any notification or warning.

Krause explained today that because Apple only requires the user to enable camera access one time and then gives free rein without requiring a camera light or notification, a malicious application could go far beyond its intended level of access.

"iOS users often grant camera access to an app soon after they download it (e.g., to add an avatar or send a photo)," the researcher explained.

"These apps, like a messaging app or any news-feed-based app, can easily track the user's face, take pictures, or live stream the front and back camera, without the user’s consent."

The nightmare scenario, said Krause, is an app that is installed and asks once for camera access in order to take an avatar image or upload a photo, only to begin constantly watching the user and uploading the pictures covertly.

He noted that, under Apple's latest iOS version, an app can do things such as detect the presence of a second person, livestream pictures and video from both the front and back camera, and activate the facial detection toolkit, without the iThing's owner getting so much as an alert warning.

For now, Krause said, the only real way to prevent an iOS app from being able to record you without permission is to use a physical camera cover (such as a piece of tape or sticky note) to obscure the sensor hardware. Revoking camera access for apps and then using copy-paste or manually taking photos with the camera app and then importing them to other apps is also recommended.

On Apple's end, Krause said, the issue could be alleviated by introducing one-time access permissions for the camera and adding activity LEDs that indicate whenever the camera is in use and can't be turned off from within the sandbox that all third-party apps use on iOS.

This isn't the first time Krause has poked a major security hole in iOS. Earlier this month he showed how fake signin boxes could be used to harvest account credentials and in September he highlighted the ways metadata could allow apps to covertly track users. ®