Another weird example is how Apple's own "Clips" app has a special private entitlement that bypasses the permission prompt for camera access.
Would it hurt them so much to prompt for camera access the first time the app is started after installing it from the app store?
I found that extremely worrying as it means I can no longer trust the app store to provide a safe sandboxed environment. Suddenly there's an app with this special no-cam-permission entitlement and your mugshot is uploaded when you believed the iOS camera permission system would have protected you.
Oh, but Apple would only ever grant that permission to its own apps? Better hope we'll never get a repeat of the PsychicPaper exploit!
However, I agree that it's strange not asking for camera permissions. The app itself can be used with no camera.
It's also strange because even Apple's own watch app that tracks your hand washing habits keeps asking for permission to track your location. Every now and then you will be reminded that the hand washing reminder app tracks your location.
I guarantee you the product manager for Clips probably just made a lot of noise about trying to reduce onboarding friction as much as possible, and their manager talked to someone else's manager and got that entitlement. I agree it's bad optics, but on the other hand I'm not sure there's a practical difference between the Camera app having this entitlement, and Clips having this entitlement. Both are made and distributed by Apple, regardless of the method of installation.
Why? Apple makes everything from the hardware up to the apps on the homescreen. Why do you trust the hardware, the kernel, and the OS, but not the "apps", when all are made by the same organization? They're the same as any other software on the device, they just have an icon associated with them.
The "Clips" app is not as first party as the built-in camera app is. I mean, it still comes from Apple, but it is ONLY distributed as an additional download in the app store. You know, via the same app store we're supposed to trust to sandbox us from malware.
That changes the game completely!
You're conditioned to trust and think iOS and its app store have a permission system, so you can go crazy and download and install any app you want, safe in the knowledge they won't access your camera without your permission.
And then suddenly there's this magic nondescript app "Clips" in the same app store... that just bypasses the entire thing.
Given that you can delete/download first party apps from the App Store now, including Camera, doesn't that imply that Apple can update first party apps remotely now? If so, Clips and Camera are treated the same; Camera just happens to come with the device and Clips doesn't.
The real answer is probably that Clips is onloaded onto demo units at retail stores, and they don't want the first user to deny permission and prevent everyone else from using the app.
> Given that you can delete/download first party apps from the App Store now, including Camera, doesn't that imply that Apple can update first party apps remotely now?
No, deleting a built-in app just deletes the icon. You can “re-install” a built-in app via the App Store even if you don’t have a network connection, because it never actually left your phone.
Seems kinda dumb to still tie them to OS updates tbh, especially for Safari. Every other browser is pushing updates a few times a month and Safari is what, a few times a year?
There’s been 11 versions of iOS so far this year though, so it’s something. Not sure why they do it this way, probably so they can make sure that everything plays together optimally. That would be harder if each system app updated separately.
You’d have the dreaded combinatorial explosion of compatibility.
It's not about the technical reason, it's about optics.
You pre-approve system apps location access during iOS first setup, but you do not for camera access.
Basically, all privacy toggles should be opt-in, not opt-out, even for system apps, even though Apple could easily bypass that for their own apps.
On Android I’ve seen even Google apps ask for camera permissions. I’m making a choice about whether I want this specific app to have access to my camera; whether it comes from Apple or any other developer doesn’t matter. I should be able to disable the camera access for any app including the built-in camera app.
I think what many of us want and expect is a bulletproof permission system for the app store that doesn't contain surprises, gotchas, and magic entitlements that are ripe for exploitation (see for example PsychicPaper).
Because the mere fact that an entitlement for bypassing permission prompts exists means that non-Apple apps could try to exploit it (see for example the PsychicPaper exploit).
Designing in such a huge hole in the permission system just makes it that much more difficult to trust it.