watch.user – Spy on iPhone users without permissions

Apple claims iOS 11 is the most secure mobile operating system on the planet. However, a new app shows why this is not the case.

Felix Krause exploits iOS security loophole

Google engineer Felix Krause has just released a new malicious application called watch.user.

watch.user is an open-source proof of concept, and its goal is to inform users about a privacy loophole in the way iOS handles the camera.


Every time you grant an application the necessary permission to access your camera, it can “spy” on you without your knowledge.

Here’s everything an app can do with these permissions –

  • Access the front and rear cameras of your iPhone.
  • Record your activity provided the app is still running.
  • Take videos or photos.
  • Detect facial expressions and recognize the user’s emotions or expressions.

How watch.user works

  • Grant watch.user the permission to access your camera.
  • Take a photo with the app that will get posted to a fake social network.
  • Browse the newsfeed.
  • The app will now display your photos taken without your permission.
  • The app will also record your facial features and analyze them using iOS 11’s inbuilt Vision framework.

Here’s a video demonstration of how it works.

The app is not available on the official App Store, but it is available on Krause’s GitHub repository. You can clone the repo and run it on your device easily.

Why is this dangerous?

While this is not a hack per se, this loophole is incredibly powerful and can be deadly if used by a skilled hacker.

Its power lies in the fact that the hacker doesn’t actually need to “hack” anything; everything is already present in the operating system.


Security agencies can use this proof-of-concept to create a legitimate social networking or messaging application and then use it for mass surveillance.

I guess it’s safe to assume that NSA and CIA are actually doing something like this. And if they aren’t, they are about to.

How can I protect myself?

1. Use a Privacy Camera Cover

According to Felix Krause, the best way to protect yourself is to use a “privacy” camera cover. This is also the only way to ensure 100% protection and is used by Mark Zuckerberg as well.


2. Revoke Camera access

You can also revoke camera access for existing applications. To do this, go to Settings > Privacy > Camera and toggle off access for the desired apps.


This will ensure a particular app will no longer be able to access your camera.
