Sunday, February 9, 2020

Tangi Quick Videos app for iOS: User restriction of camera roll access not respected

iOS 13.3.1
Tangi Quick Videos app for iOS (version - initial release)
Date: 02/09/2020

Description:

Here's a camera roll access bug with the new Tangi Quick Videos app from Google's Area 120.

The new Tangi app does not seem to respect the user declining camera roll access from the "Did you try it? Share it!" area of the app. After creating an account, the user can select an option to select "Try it!" from any video.

A slider UI rises from the bottom of the screen. There is a "+" which brings up a "Share Your Creation" prompt. Selecting the "Choose from Library" option automatically access the camera roll library. Selecting a photo THEN brings up a yes/no prompt. Selecting "Don't Allow" from the camera roll access prompt does nothing - the app now has full access to the camera roll.

Heading back to the settings area of the device shows "Never" for "Allow Photos Access" - yet the app has continual access to the camera roll from this point. This appears to go against the human interface guidelines for iOS.

I've seen this with other apps. I know that there is a specific exemption for accessing the camera roll for profile pictures, but I don't believe that this is supposed to happen in other areas of iOS apps. This looks to be a clear violation.

I've reported to these in private bug bounties. Only to be told that it isn't a security issue, and that Apple's "guidance" on this issue isn't clear. Only to see the issue rapidly fixed without explanation.

Steps to Reproduce:

1. Download and Launch Tangi for iOS
2. Sign in with a Google account
3. Go to any video in the app
4. Select the "Try it!" option from the right side of the screen on any video
5. From the slider, select the "+" option
6. From the "Share Your Creation" slider, choose "Choose from Library" (app has access to camera roll)
7. Select any video
8. From the "Tangi" would like to access your photos prompt select "Don't Allow"
9. Repeat steps 3 through 5 and then upload another video
10. Exit out of the app to the Settings area of the iOS device - note that app states "Never" for photos access

Result: Selecting "Don't Allow" to the camera roll access prompt does NOT restrict access to the camera roll with the Tangi app for iOS

Expected: If the user restricts camera roll access via an in app prompt, then the app should NOT have access to the camera roll

After creating an account. Select any video and choose the "Try it!" prompt from any video. A slider rises from the bottom of the screen. Choose the "+" option...

Select the "Choose from library" option. The camera roll option appears. Select any photo from the library...

Select the "Don't Allow" option from this prompt...

Upload the photo (at this point the app has full access to camera roll)....

Upload the photo...

The settings area for Tangi says that Photos access is restricted...

App claims to never have photo access. Yet, the app continues to have camera roll access after this point.

No comments:

Post a Comment