A Google engineer has discovered an alarming flaw in iOS that allows any iPhone camera app to secretly take photos and record videos. These can then be quietly uploaded without your permission, and you’ll have no idea it’s happening.

iOS is considered the safest, most secure mobile operating system. Apple has done a tremendous job of fighting back malware and quickly fixing vulnerabilities. But oversights in certain features mean we’re still at risk of clever attacks.

Felix Krause, who recently discovered another flaw in Apple ID prompts, has found that any iPhone app with permission to access your camera can take and upload photos and videos without your knowledge or consent.

They can use both the front- and rear-facing cameras, live stream a video feed over the internet, and even run real-time facial recognition to detect features and expressions.

There are somewhat innocent ways in which this kind of practice can be used. For instance, an app could monitor your facial expressions to detect your mood, then offer content based upon it. But this should never happen without your consent, and a warning when it’s happening.

And there are plenty of other scenarios that are more malicious. How often do you use your phone in the bathroom? Would you continue to do so if you knew it could be live-streaming everything you do over the internet?

Krause lists a bunch of things developers could do with this freedom, and they’re all incredibly worrying.

One thing to remember

One important point to remember is that camera apps can only take photos when they are active in the foreground (when you’re using them). They cannot take photos or record video when they’re in the background and you’re using other apps.

You don’t have to worry about being spied on when you don’t have camera apps open, then. But when you’re using one, they could be snapping images and recording video without your knowledge. And who knows where that will end up.

And don’t forget that all kinds of apps have camera access. You’ll likely granted permission to things like Facebook Messenger, WhatsApp, and plenty of other titles that let you share images and video.

Krause has created an iOS app that demonstrates this issue. It’s not available from the App Store, but you can “very easily clone the repo and run it on your own device,” he explains.

After opening it and proving camera permissions, you are presented with a news feed in a fake social network app. As you scroll through it, you’ll see it become populated with images of your face, which are quietly being taken in the background.

“You realize you’ve been recorded the whole time, and with it, the app ran a face recognition algorithm to detect facial features,” Krause says.

You can protect yourself

Krause also lists some things you can do to protect yourself. The simplest solution is to revoke camera access from third-party apps, and only use the built-in Camera provided by Apple.

Alternatively, you could use stickers to cover your iPhone’s cameras until you want to use them.

The only real fix for this must be provided by Apple. Krause suggests that we should have the ability to grant temporary access (e.g. to take and share one photo). Or, an icon in the status bar that shows when the camera is active.

The other solution would require a hardware modification: Adding an LED alongside the iPhone’s camera lenses that lights up when they’re in use. Apple already does this on Macs.