To explain the loophole (see video below), the developer Felix Krause created the watch.user concept app, which initially requested access to his camera. Once Krause granted permission, the app was able to access the front and back cameras, recording videos and taking photos every second for as long as it was open in the foreground.
According to Krause, once the user has taken and posted one picture or video via a social network app, the user ends up granting full access to the camera. This means that the rogue app can access the front and back cameras any time it is running. It would also be able to immediately upload the photos and/or videos it has taken. The iPhone does not notify the user that the camera is being used or that the photos are being uploaded to the internet.
“iOS users often grant camera access to an app soon after they download it (e.g., to add an avatar or send a photo),” Krause explained on his blog. “These apps, like a messaging app or any news-feed-based app, can easily track the user’s face, take pictures, or live stream the front and back camera, without the user’s consent.”
Granting permission to access your camera in Apple’s latest operating system, iOS 11, means that malicious apps could use the software’s facial recognition system to secretly detect the emotions of users. Krause isn’t claiming that particular iOS apps are abusing their access to your camera; he is simply highlighting the way Apple has set up its permission system and how apps could spy and collect more information than required.
To help users protect themselves, Krause offered a few solutions. “The only real safe way to protect yourself is using camera covers: There are many different covers available, find one that looks nice for you, or use a sticky note (for example),” he wrote. “You can revoke camera access for all apps, always use the built-in camera app, and use the image picker of each app to select the photo.”
Krause has contacted Apple regarding the privacy issue on iOS.
He suggested that Apple could introduce a system of temporary permissions to stop malicious apps from interfering with users’ cameras, show an icon on the status bar indicating that the cameras are active, or add an LED light near the front and back cameras that would blink every time the camera is in use, alerting users that they are being recorded. This would in turn help users take the necessary steps to protect their privacy.