Apple's iOS has a flaw that can be exploited by any rogue app to photograph users or even live stream them using either the front or rear camera. A Google engineer has demonstrated that any app with permission to access things like photos, camera and location on iOS can secretly photograph or stream video as iOS users access the app.
Google engineer Felix Krause details that granting camera permission to apps on iOS allows them to access both the front and rear cameras. These apps can then be used to photograph and record users at any time with the app running in the foreground. He also created a demo app to demonstrate how apps with camera permission can upload the content immediately and even run real-time face detection to read the facial expression of users. Krause has also documented his demo app, recording videos and clicking pictures without ringing any alarm bells, on YouTube.
The issue sounds disturbing primarily considering the fact that all of this is happening without any notice or indication within the system. On iOS, Apple requires apps to ask permission to access individual features like camera or photo gallery. The issue presented by Krause seems to be part of the design and not a workaround created by individual apps.
Krause says iOS users have little control over this behaviour and don't have any option to prevent it. He does recommend protecting the camera with a cover or revoking camera access for all apps. In a blog post, Krause suggests Apple should make camera permissions temporary or add indicators to notify iOS users whenever the device starts recording. He believes that adding a Mac-style LED on the front of the phone, which lights up every time the device records would be a clever alternative.
Apple is yet to acknowledge the issue or offer a statement on when it plans to issue a fix. With Apple having shipped over 1 billion iPhones globally, this issue pointed by Krause could be leading serious collection of user data.