Whenever you give an iPhone app permission to access your camera, the app can surreptitiously take pictures and videos of you as long as it is in the foreground, a security researcher warned on Wednesday.
Felix Krause, who recently warned of the danger of malicious iPhone password popups, wrote a blog post as a sort of PSA for iPhone users. To be clear, this is not a bug, but likely intended behavior.
What this means is that even if you don’t see the camera “open” in the form of an on-screen viewfinder, an app can still take photos and videos. It is unknown how many apps currently do this, but Krause created a test app as a proof-of-concept.
This behavior is what enables certain “spy” apps like Stealth Cam and Easy Calc – Camera Eye to exist. But even if this behavior is well-known among iOS developers and hardcore users, it’s worth remembering that all apps that have camera permission can technically take photos in this way.
“It’s something most people have no idea about, as they think the camera is only being used if they see the camera content or a LED is blinking,” Krause told Motherboard in a chat over Twitter direct message. Krause currently works at Google, but performed and published this research independently of his work there.
What’s worse is that, unlike on Mac computers—which show a solid green light when the camera is active—the iPhone has no mechanism to indicate to a user that the camera is on.
“You can get full access to both cameras without indicating that to the user,” Krause told me.
To test this functionality, Krause created a custom app called “watch.user” and shared it with me. I installed it on my iPhone and verified that, indeed, the app took pictures of me while I was simply scrolling through it, and it was even running a hidden facial recognition engine.