No permission required to access full music library metadata

Originator: ben
Number: rdar://24168798
Date Originated: 13th January 2016
Status: Duplicate/23416384
Resolved: Yes
Product: iOS SDK
Product Version: 3.0+
Classification: Security
Reproducible: Always

Summary:
In recent years, iOS has made a concerted push towards being privacy focussed. However, one area where this is not the case is the MediaPlayer framework, and in particular the `MPMediaQuery.songsQuery()` method. With that one line of code, you can get the full metadata for every song in a user's library without them ever knowing. This information could be sent back to a server silently and then used for various nefarious purposes such as:

- Building up a profile of that user in order to produce targeted advertising
- Using the information as a reliable way of tracking someone across multiple apps (as it can act as a unique identifier)

In my opinion, access to the music library should be protected in much the same way as location, contacts, calendars, or photos are with a requirement from the developer to ask permission and for the user to be able to grant permission and subsequently revoke it via the standard iOS system preferences.

Steps to Reproduce:
1. Import the "MediaPlayer" framework
2. Run the code `MPMediaQuery.songsQuery()` and loop through the results

Expected Results:
The user should be asked for permission for you to access their music library

Actual Results:
All metadata can be pulled from the library without the user knowing

Version:
iOS 3.0 and above

Notes:
I make use of this feature in my app Music Tracker (https://dodoapps.io/music-tracker) but I'd feel much happier about it if the user was allowing me access to their library rather than it being automatic without their knowledge.

Configuration:
Any iOS device

Comments

Follow up from Apple

Thank you for reporting this. We appreciate your assistance in helping us to maintain and improve the security of our products.

We are aware of this issue. It is being investigated. Thank you for taking the time to pass it along to us.

For the protection of our customers, Apple does not publicly disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.

We usually distribute information about security updates here: http://support.apple.com/kb/HT201222

