A Window into Your Photos: Revealing How Sideloaded Apps Can Secretly Monitor Your Images
In the ever-evolving realm of cybersecurity, staying ahead of malicious threats is essential. At Jamf, we are committed to proactively identifying and mitigating risks to iOS devices. Learn how in our latest post.
Research led by: Hu ke, Nir Avraham
Jamf Threat Labs creates live demonstrations to educate iPhone users worldwide about the capabilities of potential attackers. In this blog, we created a demo that illustrates how a modified yet perfectly functional Facebook app can continuously monitor your photos and upload them to an attacker’s server. Apps like this can be sideloaded onto your phone.
The demo shown is intended solely for educational purposes. It is designed to illustrate potential threats and is not intended to encourage or facilitate any illegal or unethical activities. Jamf does not condone or endorse any unauthorized access, exploitation, or manipulation of social media or other online platforms or services. Users of such platforms should always follow applicable laws, terms of service, and ethical guidelines when using them and conducting cybersecurity research or demonstrations.
This video shows a sideloaded social media app secretly obtaining and uploading the device owner’s photo to an attacker’s server. The target device is not jailbroken and is running the latest iOS 17.
When we say “sideloaded” in this case, we’re talking about apps that did not fully undergo the App Store’s review process. These apps can be installed through third-party stores or services like AltStore, and they go through much less scrutiny, meaning their code isn’t audited as thoroughly. Strictly speaking, this risk isn’t limited to just sideloaded apps - it can affect any app on your phone. Some techniques used in exploitation can disguise the true intentions of the code, allowing it to slip past the App Store’s review, as explained in this blog.
Don’t assume an app is trustworthy just because it looks legitimate. With the increasing acceptance of sideloading apps, where software is installed outside the App Store, apps that haven’t gone through the typical App Store review process present real risks. While Apple has a notarization process for apps distributed outside the App Store, sideloaded apps can bypass some of these protections if users trust the signing certificate, which could come from an individual developer or enterprise. Attackers can modify the behavior of apps before installation, without the need to jailbreak the device. This means a seemingly familiar app, like Outlook or WhatsApp, could be altered to steal personal information if sideloaded improperly. For instance, a fake social media app could be modified to function maliciously and then sideloaded onto your device. Such apps may appear legitimate but could be programmed to spy on your photos, send them to a remote server, or worse. To protect your personal data, ensure that apps you download come from trusted sources and avoid sideloading software unless necessary.
Exploiting user trust
If an app requests access to your photos, many users select the option to allow access to all photos for convenience. However, this practice is becoming increasingly risky with the advancement and widespread use of AI photo recognition technology. Attackers can leverage AI to automatically extract sensitive and valuable information from your photos. To protect your privacy, we strongly recommend that users grant apps access only to the specific photos they intend to share, rather than their entire photo library. This small step can significantly reduce the risk of unauthorized data extraction and enhance your overall security.
Technical Foundations:
The method we showcased does not exploit any vulnerabilities, so it doesn’t require jailbreaking and can be easily implemented on a wide range of iOS devices and versions. When you grant an app full access to your photos, the app can access all your photos anytime it is active in the foreground. After you give this permission, the app can browse through photos without any UI notification or additional prompts, so it can potentially misuse this access without your knowledge. This can lead to unauthorized viewing, copying, or uploading of your photos.
Risk mitigation
To combat the threat of unauthorized access to your photos, enable the App Privacy Report on your device. Here’s how you can do it:
1. Go to Settings.
2. Tap on Privacy & Security.
3. Scroll down and tap on App Privacy Report.
4. Tap Turn on App Privacy Report.
This feature will log all instances where apps access your photos through legitimate API calls. Regularly review this report and watch for any unusual access patterns that could indicate misuse. Additionally, it is wise not to store sensitive information in your photo album to minimize the impact of any potential breaches.
To address the risks associated with sideloading, it’s important to understand that someone with physical access to your device could replace a legitimate app with a compromised one using various sideloading techniques.
If your phone is left unattended or doesn’t have a passcode, an attacker could easily install a modified app using a cable. Even if there is a passcode, the attacker could have observed it beforehand or learned it through shoulder surfing.
Once the attacker has access, they can sideload a compromised app. The victim might not notice anything unusual at first, except when prompted to re-enter credentials.
The victim may not realize that the app’s interface has been altered to include malicious features, such as a keylogger or a tool to steal photos. The attacker would have taken the original IPA file, modified it with malicious code, and sideloaded it onto the device. This method is often facilitated by sideloading platforms which bypass Apple’s notarization process. These platforms distribute pirated or modified apps without requiring the device to be jailbroken. Our article highlights how such techniques can be abused, especially for those unaware of the risks. For instance, our demo device was not jailbroken, demonstrating that these attacks can happen even on non-jailbroken phones.
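
For the App Privacy Report review recommended in this section, the following added example (not code from Jamf or from the original post) summarizes photo-library access per app from a report exported off the device as NDJSON. The field names follow Apple's documented export format as an assumption, the bundle IDs and timestamps are constructed sample data, and the review thresholds are illustrative values to tune.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample (bundle IDs and timestamps are made up), one JSON record
# per line. Field names are assumed from Apple's documented export format.
_R = ('{{"accessor":{{"identifier":"{}","identifierType":"bundleID"}},'
      '"category":"{}","identifier":"{}","kind":"{}",'
      '"timeStamp":"2024-05-01T{}.000+00:00","type":"access"}}')
SAMPLE_REPORT = "\n".join(_R.format(*r) for r in [
    ("com.example.social", "photos", "A1", "intervalBegin", "09:00:00"),
    ("com.example.social", "photos", "A1", "intervalEnd", "09:10:00"),
    ("com.example.editor", "photos", "B1", "intervalBegin", "10:00:00"),
    ("com.example.editor", "photos", "B1", "intervalEnd", "10:00:20"),
    ("com.example.maps", "location", "C1", "intervalBegin", "11:00:00"),
    ("com.example.social", "photos", "A2", "intervalBegin", "13:00:00"),
    ("com.example.social", "photos", "A2", "intervalEnd", "13:05:00"),
]) + '\n{"type": "acc'  # truncated last line, as in a cut-off export

def photo_access_summary(ndjson_text, category="photos"):
    """Pair intervalBegin/intervalEnd records and total them per app."""
    open_intervals = {}  # record identifier -> (app, start time)
    stats = defaultdict(lambda: {"accesses": 0, "seconds": 0.0})
    for line in ndjson_text.splitlines():
        try:
            rec = json.loads(line)
            if rec.get("type") != "access" or rec.get("category") != category:
                continue
            app = rec["accessor"]["identifier"]
            when = datetime.fromisoformat(rec["timeStamp"])
            rec_id, kind = rec["identifier"], rec["kind"]
        except (ValueError, KeyError):
            continue  # skip blank, truncated or incomplete records
        if kind == "intervalBegin":
            open_intervals[rec_id] = (app, when)
            stats[app]["accesses"] += 1
        elif kind == "intervalEnd" and rec_id in open_intervals:
            _, start = open_intervals.pop(rec_id)
            stats[app]["seconds"] += (when - start).total_seconds()
    return dict(stats)

def flag_unusual(stats, max_accesses=3, max_seconds=120):
    """Apps over the review thresholds (threshold values are assumptions)."""
    return sorted(app for app, s in stats.items()
                  if s["accesses"] > max_accesses or s["seconds"] > max_seconds)

if __name__ == "__main__":
    summary = photo_access_summary(SAMPLE_REPORT)
    print(summary, flag_unusual(summary))
```
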
Conclusion
In conclusion, safeguarding your data in the digital age requires vigilance and proactive measures. Our demonstration underscores the ease with which seemingly legitimate apps can misuse granted permissions, highlighting the critical need for caution when granting access to sensitive data like your photo library.
To enhance your security:
- Enable App Privacy Report: Regularly review it for unusual access to your photos.
- Be Selective with Permissions: Only grant apps access to the specific photos they need.
- Avoid Storing Sensitive Information: Refrain from keeping sensitive photos in your album to minimize potential risks.
- Use Trusted Sources: Only download apps from the official App Store or other verified sources.
By taking these steps, you can significantly reduce the risk of unauthorized access and protect your personal information from potential attackers. Always stay informed and cautious, as the landscape of cybersecurity is constantly evolving.
Remember, your vigilance is your first line of defense against digital threats. Stay safe and protect your privacy.