No permission required to access full music library metadata

Number:rdar://24168798 Date Originated:13th January 2016
Status:Duplicate/23416384 Resolved:Yes
Product:iOS SDK Product Version:3.0+
Classification:Security Reproducible:Always
In recent years, iOS has made a concerted push to being privacy focussed. However, one area this is not the case is with the MediaPlayer framework and in particular the MPMediaQuery.songsQuery() method. With that one line of code, you can get the full metadata for every song in a user's library without them ever knowing. This information could be sent back to a server silently and then used for various nefarious purposes such as:

- Building up a profile of that user in order to produce targeted advertising
- Using the information as a reliable way of tracking someone across multiple apps (as it can act as a unique identifier)

In my opinion, access to the music library should be protected in much the same way as location, contacts, calendars, or photos are with a requirement from the developer to ask permission and for the user to be able to grant permission and subsequently revoke it via the standard iOS system preferences.

Steps to Reproduce:
1. Import the "MediaPlayer" framework
2. Run the code `MPMediaQuery.songsQuery()` and loop through the results

Expected Results:
The user should be asked for permission for you to access their music library

Actual Results:
All metadata can be pulled from the library without the user knowing

iOS 3.0 and above

I make use of this feature in my app Music Tracker ( but I'd feel much happier about it if the user was allowing me access to their library rather than it being automatic without their knowledge.

Any iOS device


Follow up from Apple

Thank you for reporting this. We appreciate your assistance in helping us to maintain and improve the security of our products.

We are aware of this issue. It is being investigated. Thank you for taking the time to pass it along to us.

For the protection of our customers, Apple does not publicly disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.

We usually distribute information about security updates here:

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!