Access to photo library exposes location data of complete library

Originator: KrauseFx
Number: rdar://34610699
Date Originated: September 23 2017
Status: Open
Resolved:
Product: Photos Framework
Product Version: iOS 11
Classification:
Reproducible: Always
 
Area:
Photos Framework

Summary:
If an app gets permission to access the image library, it also gets full access to all image metadata, including the exact location.
This is a serious privacy issue, as third-party camera apps that just want to store a picture the user took will also get full access to all photos and their locations in their image library.

Steps to Reproduce:
1. Ask the user for permission to access the photo library
2. If approved, get a list of all the past locations using:
```objective-c
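#import <Photos/Photos.h>

// Fetch every image asset in the library (possible once photo library access is granted)
PHFetchResult *photos = [PHAsset fetchAssetsWithMediaType:PHAssetMediaTypeImage options:nil];
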
for (PHAsset *asset in photos) {
    if ([asset location]) {
        // Access the full location, speed, full picture, camera model, etc. here
    }
}
```
3. Use that data to get a great understanding of what the user does

Expected Results:
There should be a clear separation of:

- `Saving a photo` (e.g. a 3rd party camera app wants to save a photo you just took)
- `Selecting a photo` (e.g. you want to upload an existing picture to Instagram)
- `Granting full access to the photo library` (e.g. Dropbox or Google Photos to backup your complete library)

Additionally, the native image picker should be enforced by Apple, and apps that use their custom one will be rejected.

Actual Results:
There is only one kind of permission for photos: `Full access`, resulting in privacy issues for the user.

Version/Build:
iOS 11

Configuration:
Check out the sample project attached; it works with Xcode 9 on iOS 11.

You can find the sample code, with screenshots, on GitHub as well: https://github.com/KrauseFx/detect.location/

Comments

Separate photo libraries for different apps?

I'd like the ability to have app-specific photo libraries so that I can restrict apps to accessing only a subset of my photos.

