Critical security issue, photos are available WITHOUT access !!!

Question

Created Oct ’22

Replies 3

Boosts 0

Views 1.2k

Participants 3

App is able to get photos without providing access to the photos. As a demo I created simple application with one VC, one button and one image view in it. And I was able to pick any image in photo gallery and present in the imageView.

iOS 16.0 reproduces on any iPhones

Here is a simple code example:

import UIKit
import Photos
import PhotosUI

class ViewController: UIViewController, PHPickerViewControllerDelegate, UINavigationControllerDelegate  {
    @IBOutlet weak var selectedPhoto: UIImageView!

    override func viewDidLoad() {
        super.viewDidLoad()
    }

    @IBAction func selectPhoto(_ sender: Any) {
        var configuration = PHPickerConfiguration()
        configuration.selectionLimit = 1
        configuration.filter = .images
        let picker = PHPickerViewController(configuration: configuration)
        picker.delegate = self
        self.present(picker, animated: true)
    }

    func picker(_ picker: PHPickerViewController, didFinishPicking results: [PHPickerResult]) {
        for result in results {
            result.itemProvider.loadObject(ofClass: UIImage.self, completionHandler: { [weak self] image, error in
                if let image = image as? UIImage {
                    DispatchQueue.main.async {
                        self?.selectedPhoto.image = image
                        picker.dismiss(animated: true)
                    }
                }
            })
        }
    }
}

Boost

Answer 1

Vadimkoz OP

Oct ’22

that is expected behaviour https://developer.apple.com/videos/play/wwdc2020/10652/?time=633

2

Answer 2

Claude31 OP

Oct ’22

I used to include such authorization in info.plist… But effectively, such access requires a "manual" selection by user through Picker. It is not an automatic finding by the app. Which means user knows he is accessing his photos (like Photo library is doing). So there is no security risk there.

0

Answer 3

Ptit-Xav OP

Oct ’22

As said in answers : the user can see the picture via the picker but the app can only access the picture that the user authorises it to see. The app by itself can not go through the entire library without the user explicitly authorises it.

0