Neiman Marcus app for iOS (version 9.6.3)
Date: 12/10/19
Description:
The Neiman Marcus app has an interesting bug regarding access to the camera roll on the iOS device.
I've seen similar bugs to this one with all kinds of iOS apps. I've previously submitted a similar bug to a private bug bounty, only to be told it wasn't a security issue. I laughed when it was fixed anyway.
I believe that in this instance, how the Neiman Marcus app is handling this issue is, at the very least, a violation of the Human Interface Guidelines for iOS apps.
You can watch a brief video of this problem attached to the Tweet.
The basic gist of this problem is this. When the user is presented with this prompt:
The "Don't Allow" setting is not respected. Selecting "Don't Allow" still gives access to the camera roll. I know that there are
I'll explain more about this below:
.@neimanmarcus .@AppleSupport One of the most perplexing questions regarding iOS apps...
Shouldn’t specifically declining read access to camera roll disable access?
I know that there are exceptions, but I don’t believe this is one... pic.twitter.com/roFoRjsYUI
— Random iOS Bugs (@RandomiOSBugs) December 10, 2019
I know the video might be a bit difficult to follow, but I'll repeat... I believe that how the Neiman Marcus app handles this access to the camera roll is incorrect. Furthermore, even seeing that the app has clear access to the camera roll, if the user heads to Settings, there is no confirmation of read access there.
Steps to Reproduce:
1. Download the Neiman Marcus app for iOS (version 9.6.3)
2. Launch the app
3. Select "Continue as Guest"
4. Select "Maybe Later" in regards to Push Notifications
5. Select the magnifying glass in the upper right
6. Click on the camera icon
7. From the '"NM" Would Like to Access the Camera' message, select "Don't Allow"
8. From the '"NM" Would Like to Access Your Photos' message, select "Don't Allow"
9. Dismiss the tutorial
10. Select the pictures icon in the bottom left hand corner of the screen
11. Note access to camera roll
12. Exit out of app to Settings, note that app settings claim no camera roll access
Result: The Neiman Marcus app still accesses the iOS camera roll even after the user selects "Don't Allow" for this permission
Expected: If the user selects "Don't Allow" to a photo access message, the app should not have access to the camera roll of the iOS device
Select the magnifying glass...
Select the camera icon...
Select "Don't Allow"...
Select the camera roll icon...
Access to camera roll, even after declining access.