
Apple Camera Security Flaw ???


Your iPhone has a serious privacy concern that allows iOS app developers to take photographs and record live video of you using both the front and back cameras, all without any notification or your consent.

This alarming privacy concern in Apple's mobile operating system was highlighted by an Austrian developer and Google engineer, Felix Krause, who detailed the issue in a blog post published Wednesday. The issue, Krause noted, lies in the way Apple's software handles camera access. There is a legitimate reason for many apps, such as Facebook, WhatsApp, and Snapchat, to request access to your camera: taking a photo within the app.

So this permissions system is not a bug or a flaw; it is a feature, and it works exactly the way Apple designed it. But Krause said any malicious app could take advantage of this feature to silently record users' activities.

iPhone Apps Can Silently Turn On Cameras at Any Time


Krause explained that granting camera permission could enable iOS app developers to:

  • access both the front and the back camera of your device,
  • photograph and record you at any time the app is in the foreground,
  • upload the recorded and captured content immediately, and
  • run real-time face detection to read your facial expressions,

all without warning or alerting you in any way.

Since Apple only requires users to grant camera access once, as a blanket permission to an app, and then allows unrestricted use of the camera without any LED indicator or notification, Krause explained that a malicious app could leverage this loophole to go far beyond its intended level of access and spy on users.

The researcher has even developed a proof-of-concept app to demonstrate how a malicious app could abuse such permissions to silently take pictures of you every second while you use the app, or even live-stream video of your surroundings from the front and rear cameras without notifying you.

POC Video:

How to Protect Your Privacy?

Krause recommended that Apple introduce a way to grant temporary camera permissions, allowing an app to take a picture during a limited period of time and then revoking access afterwards. Another option is to add a warning light or notification to the iPhone that informs people when they are being recorded.
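Until Apple changes the permission model described above, an app developer can at least narrow the window in which the camera is live. The following Swift class is an added example, not code from Krause's post or from his proof-of-concept app: it checks the system authorization state with the real AVFoundation APIs (AVCaptureDevice.authorizationStatus and requestAccess), builds a capture session only when the user explicitly triggers a photo, and tears the session down as soon as one frame has been delivered, so the app never keeps a running camera pipeline while it merely sits in the foreground. The class name OneShotCamera and the callback shape are my own choices; the Info.plist key NSCameraUsageDescription is the standard key that supplies the text shown in Apple's permission prompt.

```swift
import AVFoundation

/// Added example (not from the original post): a least-privilege camera helper.
/// The session exists only for the duration of a single user-initiated capture.
final class OneShotCamera: NSObject, AVCapturePhotoCaptureDelegate {

    private var session: AVCaptureSession?
    private let output = AVCapturePhotoOutput()
    private var completion: ((Data?) -> Void)?

    /// Inspect the system permission state before touching the device.
    /// Requesting access here, at the moment of use, ties the one-time
    /// system prompt to a user action instead of firing it at launch.
    func ensureAuthorized(_ then: @escaping (Bool) -> Void) {
        switch AVCaptureDevice.authorizationStatus(for: .video) {
        case .authorized:
            then(true)
        case .notDetermined:
            // Shows Apple's prompt; NSCameraUsageDescription in Info.plist
            // provides the explanation the user sees.
            AVCaptureDevice.requestAccess(for: .video) { granted in
                DispatchQueue.main.async { then(granted) }
            }
        case .denied, .restricted:
            then(false)
        @unknown default:
            then(false)
        }
    }

    /// Take exactly one photo from the requested camera, then release it.
    func capture(position: AVCaptureDevice.Position,
                 completion: @escaping (Data?) -> Void) {
        ensureAuthorized { [weak self] ok in
            guard let self = self, ok,
                  let device = AVCaptureDevice.default(.builtInWideAngleCamera,
                                                       for: .video,
                                                       position: position),
                  let input = try? AVCaptureDeviceInput(device: device) else {
                completion(nil)
                return
            }
            let session = AVCaptureSession()
            session.beginConfiguration()
            if session.canAddInput(input) { session.addInput(input) }
            if session.canAddOutput(self.output) { session.addOutput(self.output) }
            session.commitConfiguration()
            self.session = session
            self.completion = completion
            // startRunning() blocks until the pipeline is up; keep it off the main thread.
            DispatchQueue.global(qos: .userInitiated).async {
                session.startRunning()
                self.output.capturePhoto(with: AVCapturePhotoSettings(), delegate: self)
            }
        }
    }

    /// AVCapturePhotoCaptureDelegate: hand back the frame and stop the camera
    /// immediately, so no capture pipeline lingers after the single shot.
    func photoOutput(_ output: AVCapturePhotoOutput,
                     didFinishProcessingPhoto photo: AVCapturePhoto,
                     error: Error?) {
        let data = error == nil ? photo.fileDataRepresentation() : nil
        session?.stopRunning()
        session = nil
        completion?(data)
        completion = nil
    }
}
```

A call such as `OneShotCamera().capture(position: .front) { data in /* save or upload */ }` from a button handler is the whole integration. The design point is that authorization is checked at the moment of use and the AVCaptureSession is released right after the frame arrives; a session that is started at launch and left running is exactly what lets an app behave like the proof of concept the article describes. Users, for their part, can review and revoke which apps hold the camera permission under Settings > Privacy > Camera.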

Most importantly, do not let any malicious app onto your smartphone. To avoid this, always download apps from the official app store and read the reviews left by other users about the app and its developer.

According to Krause, for now the only practical way to protect yourself is to cover your camera, just as Facebook CEO Mark Zuckerberg and former FBI Director James Comey do.


