Showing posts with label: access to camera roll

Wednesday, September 16, 2020

Weee! - Asian Grocery app for iOS: User restriction of camera roll access not respected

iOS 13.7
Weee! - Asian Grocery app for iOS (version 10.6.1)
Date: 09/16/20

Description:

A somewhat common bug regarding access to the iOS camera roll occurs with the Weee! - Asian Grocery app for iOS.

Here are a couple of screenshots which explain the problem.


The prompt that asks permission to access the camera roll photos appears after the app has already accessed the camera roll. Declining access by selecting "Don't Allow" does nothing...


This error message appears, claiming that Weee! cannot access photos - even though the app has full access.

This has happened with a number of other apps, including Tangi, Neiman Marcus and TopShopUS. Some apps have fixed this, while others have not. 

Steps to Reproduce:

1. Download and launch the Weee! app 

2. Create a new account 

3. Select the "Account" icon in the bottom right 

4. Select the pencil icon 

5. Select the "Picture" option on the "Account Profile" page

6. From the "Change Picture" screen select "Choose"

7. Select the "Photo Library" option 

8. Note that the photo library menu and the user permission prompt appear at the same time

9. Select the "Don't Allow" option from the prompt

10. Note the dialog that says the app doesn't have access

11. Exit out and select "Photo Library" again 

12. App has access to the Camera Roll


Result: The Weee! - Asian Grocery app doesn't recognize the user selecting "Don't Allow" from the camera roll permission prompt


Expected: The Weee! - Asian Grocery app should respect a user who selects "Don't Allow" from a camera roll permission prompt 


Download the app...


Create an account and then select the pencil thing...

Select the "Picture" option...
Select the "Choose" option...


Select the "Photo Library" option...


Select the "Don't Allow" option...


Even though the user has specifically disallowed access, and even though the app presents a message about a lack of access, the app does, in fact, have full access. 


Tuesday, April 7, 2020

Overstock app for iOS: Camera Roll access prompt appears after selecting the share option from any product

iOS 13.4
Overstock app for iOS (version 2020.3.2)
Date: 04/07/20

Description:

Here's an odd one. This is the first time I have ever seen this with an iOS app.

With the current version (2020.3.2) of the Overstock app, a camera roll permission dialog message appears when the user selects the share sheet option from any product.

This message appears after selecting the share option for a product. Why? There doesn't seem to be any reason to request this permission after selecting the share option, as the camera roll has nothing to do with bringing up the share sheet...

I don't think that this message should be appearing at this point.

Steps to Reproduce:

1. Download the Overstock app for iOS for the first time
2. Select any product listed in the app
3. Select the share option from any product

Result: Camera roll access prompt appears after selecting the share option from any product listed in the Overstock app for iOS

Expected: This prompt shouldn't be appearing at this point

Download the app for the first time. Select any product. Select the share option....

Why is this being prompted now?

Sunday, February 23, 2020

Topshop US app for iOS: User restriction of camera roll access not respected

iOS 13.3.1
Topshop US app for iOS (version 5.7.16)
Date: 02/24/2020

Description:

There's a camera roll access bug with the current (5.7.16) version of the Topshop app which is available for download from the App Store. This bug is similar to one in the Tangi app, which was immediately fixed after being reported.

The Topshop US app does not respect the user declining camera roll access. The app displays the following required message:

Selecting "Don't Allow" means nothing - the app is still granted camera roll access, even though the Settings area of the device shows "NEVER" as the setting.

The app should respect the clear direction of the user to NOT allow camera roll access. As was stated by a developer response from the Tangi app, the app (or a third-party library used by the app) is doing something wrong.

Note: The word "null" also inexplicably appears in the app!

Steps to Reproduce:

1. Download the Topshop US app for iOS
2. Dismiss the notifications pop-up - Select "SKIP"
3. Select "Scan" from the bottom menu
4. Select "Don't Allow" from the camera prompt
5. Select "Don't Allow" from "Access Your Photos" prompt

Result: The Topshop US app for iOS has full camera roll access, even after the user selects the "Don't Allow" option from an "Access Your Photos" prompt

Expected: The Topshop US app for iOS should NOT have full camera roll access, after the user specifically selects "Don't Allow" from an "Access Your Photos" prompt

Please see the attached screenshots:

Download the app, and then select the "SCAN" option from the bottom menu...

From the camera access prompt, select the "Don't Allow" option...

From the "Access Your Photos" prompt, select "Don't Allow"...

Select the "[null]" option...

App has access to the camera roll...

Head to the Settings area of the iOS device. Look at the settings for "Topshop"...

The "Photos" area says that the app "NEVER" has access to photos on the device...

The device says that the app "Never" has photo access - which is not accurate.


Sunday, February 9, 2020

Tangi Quick Videos app for iOS: User restriction of camera roll access not respected

iOS 13.3.1
Tangi Quick Videos app for iOS (version - initial release)
Date: 02/09/2020

Description:

Here's a camera roll access bug with the new Tangi Quick Videos app from Google's Area 120.

The new Tangi app does not seem to respect the user declining camera roll access from the "Did you try it? Share it!" area of the app. After creating an account, the user can select an option to select "Try it!" from any video.

A slider UI rises from the bottom of the screen. There is a "+" which brings up a "Share Your Creation" prompt. Selecting the "Choose from Library" option automatically accesses the camera roll library. Selecting a photo THEN brings up a yes/no prompt. Selecting "Don't Allow" from the camera roll access prompt does nothing - the app now has full access to the camera roll.

Heading back to the settings area of the device shows "Never" for "Allow Photos Access" - yet the app has continual access to the camera roll from this point. This appears to go against the human interface guidelines for iOS.

I've seen this with other apps. I know that there is a specific exemption for accessing the camera roll for profile pictures, but I don't believe that this is supposed to happen in other areas of iOS apps. This looks to be a clear violation.

I've reported these in private bug bounties, only to be told that it isn't a security issue and that Apple's "guidance" on this issue isn't clear - and then to see the issue rapidly fixed without explanation.

Steps to Reproduce:

1. Download and Launch Tangi for iOS
2. Sign in with a Google account
3. Go to any video in the app
4. Select the "Try it!" option from the right side of the screen on any video
5. From the slider, select the "+" option
6. From the "Share Your Creation" slider, choose "Choose from Library" (app has access to camera roll)
7. Select any video
8. From the "Tangi" would like to access your photos prompt select "Don't Allow"
9. Repeat steps 3 through 5 and then upload another video
10. Exit out of the app to the Settings area of the iOS device - note that app states "Never" for photos access

Result: Selecting "Don't Allow" to the camera roll access prompt does NOT restrict access to the camera roll with the Tangi app for iOS

Expected: If the user restricts camera roll access via an in app prompt, then the app should NOT have access to the camera roll

After creating an account. Select any video and choose the "Try it!" prompt from any video. A slider rises from the bottom of the screen. Choose the "+" option...

Select the "Choose from library" option. The camera roll option appears. Select any photo from the library...

Select the "Don't Allow" option from this prompt...

Upload the photo (at this point the app has full access to camera roll)....

Upload the photo...

The settings area for Tangi says that Photos access is restricted...

App claims to never have photo access. Yet, the app continues to have camera roll access after this point.

Tuesday, December 10, 2019

Neiman Marcus app for iOS: Declining Access to Camera Roll not respected

iOS 13.2.3
Neiman Marcus app for iOS (version 9.6.3)
Date: 12/10/19

Description:

The Neiman Marcus app has an interesting bug regarding access to the camera roll on the iOS device.

I've seen similar bugs to this one with all kinds of iOS apps. I've previously submitted a similar bug to a private bug bounty, only to be told it wasn't a security issue. I laughed when it was fixed anyway.

I believe that how the Neiman Marcus app handles this issue is, at the very least, a violation of the Human Interface Guidelines for iOS apps.

You can watch a brief video of this problem with the video attached to the Tweet.

The basic gist of the problem is this. When the user is presented with this prompt:


The "Don't Allow" setting is not respected. Selecting "Don't Allow" still gives access to the camera roll. I know that there are

I'll explain more about this below:



I know the video might be a bit difficult to follow, but I'll repeat... I believe that how the Neiman Marcus app handles this access to the camera roll is incorrect. Furthermore, even though the app clearly has access to the camera roll, if the user heads to Settings, there is no confirmation of read access there.




Steps to Reproduce:

1. Download the Neiman Marcus app for iOS (version 9.6.3)
2. Launch the app
3. Select "Continue as Guest"
4. Select "Maybe Later" in regards to Push Notifications
5. Select the magnifying glass in the upper right
6. Click on the camera icon
7. From the "NM Would Like to Access the Camera" message, select "Don't Allow"
8. From the "NM Would Like to Access Your Photos" message, select "Don't Allow"
9. Dismiss the tutorial
10. Select the pictures icon in the bottom left hand corner of the screen
11. Note access to camera roll
12. Exit out of the app to Settings, note that app settings claim no camera roll access

Result: The Neiman Marcus app still accesses the iOS camera roll even after the user selects "Don't Allow" for this permission

Expected: If the user selects "Don't Allow" to a photo access message, the app should not have access to the camera roll of the iOS device

Select the magnifying glass...

Select the camera icon...

Select "Don't Allow"...

Select the camera roll icon...

Access to camera roll, even after declining access.



Friday, August 16, 2019

TheFork - Restaurant Bookings app for iOS: Cancelling out of Facebook Messenger sharing results in a "Sharing Sent" message

TheFork - Restaurant Bookings app for iOS (version 13.4.1)
Date: 08/16/2019

Description:

This is easier to show than it is to describe, so please see the attached screenshots.

The small bug I am about to describe that occurs with cancelling out of Facebook Messenger sharing with TheFork app is a common one. You can read more about this problem here.

If the user cancels out of the Facebook Messenger sharing dialog, there will still be a message that says:

There shouldn't be a message that something (in this case a restaurant detail page) was sent, when the user actually cancelled out of sharing a message.

I know that this is a somewhat common problem with iOS apps. I've encountered it with One:Night, Postmates, and some other apps.

Steps to Reproduce:

1. Download and launch the TheFork - Restaurant Bookings app (version 13.4.1)
2. Select any restaurant listed in the app
3. Select the share option in the upper right hand corner of the screen
4. Select the Facebook Messenger option
5. Cancel out of the Facebook Messenger screen (do not share)

Result: A "Sharing Sent" message appears for users who cancel out of sharing a restaurant listing via Facebook Messenger

Expected: There should not be a "Sharing Sent" message if the user cancels out of sharing a restaurant using Facebook Messenger

Please take a look at the following screenshots:

Open the TheFork - Restaurant Bookings app...

Select a restaurant detail page...

Select the share option...

Select the Facebook Messenger option...

Select the "Cancel" option...

A "Sharing sent" message appears - even though nothing was shared.


Saturday, April 20, 2019

La Redoute app for iOS - app crashes when camera roll access is declined

La Redoute app for iOS (version 8.14.1)
Date: 4/20/2019

Description:

The LaRedoute app for iOS crashes when the user declines camera roll access to the app. This reproduces on both iPhone and iPad Mini.

Here's a video of the crash:


Steps to Reproduce:

1. Download and launch the LaRedoute app for iOS
2. Select "Ok"
3. Skip the "Are you in?" message
4. Dismiss the "Bienvenue sur La Redoute" pop up
5. Click inside the search box
6. Select the camera option in the upper right
7. Select "Your Photos"
8. Select "Don't Allow" from the "Access Your Photos" prompt

Result: the app crashes if the user declines camera roll access

Expected: the app should not crash if the user declines camera roll access


Sunday, December 16, 2018

Flora - Build Better Habits App. Automatically has read access to camera roll

Flora - Build Better Habits app for iOS (version 1.02)
Date: 12/17/18

Description:

The Flora - Build Better Habits app for iOS appears to have full access to the camera roll without asking for permission. I don't believe this is allowed, and I believe that a dialog message requesting access is required. I know that there is an exemption for profile photos, but the Flora app accesses the complete camera roll without any message from other areas of the app.

It specifically accesses them from the "Connect" screen, after the user clicks inside of the "What do you want to say?" input box, and then clicks on the camera icon. After doing this, the app appears to have full access to the camera roll, without having displayed a permissions prompt.

This is easier to show than it is to describe, so please see the attached screenshots.

Steps to Reproduce:

1. Download and launch the Flora - Build Better Habits app for iOS
2. Create a brand new account
3. Select the message dialog image on the bottom of the screen
4. From the "connect" screen, click inside the "What do you want to say?" input box
5. From the keyboard, select the camera icon

Result: The Flora - Build Better Habits app for iOS appears to have access to camera roll by default. There is no permission message when the app first accesses the camera roll

Expected: That the Flora - Build Better Habits app for iOS will display a permission message before accessing the camera roll

Create a new account...

Click on the messages icon...

Click inside of "What do you want to say?"

Click on the camera icon...

Access to the camera roll is granted (where was the permissions message?)

If the app has read access, why isn't it listed here?
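The reports on this page (Weee!, Topshop US, Tangi, Neiman Marcus and this Flora post) all describe the same developer-side mistake: the app reads the photo library first and consults the authorization state afterwards, or never. As an added example that is not code from any of these apps or from Apple, here is how an iOS 13 app should gate every Photos-framework read on `PHPhotoLibrary.authorizationStatus()`, prompting only while the status is `.notDetermined` and treating `.denied` (the user tapped "Don't Allow", or set Photos to "Never" in Settings) and `.restricted` as hard failures. One platform note worth keeping in mind when reading the screenshots above: the system pickers (`UIImagePickerController`, and `PHPickerViewController` on iOS 14) run out of process and show the library without any prompt, handing the app only the items the user picks; it is direct `PHAsset`/`PHPhotoLibrary` reads that require the authorization prompt, which is why a prompt that appears after the library is already visible is a sign the app is doing both. The `PhotoAccessError` type, `PhotoLibraryGate` class and the view controller method are assumptions introduced for this example.

```swift
import Photos
import UIKit

// Added example (not from any app on this page): centralise the authorization
// check so no code path can touch the library while the status is .denied.
enum PhotoAccessError: Error {
    case denied       // user chose "Don't Allow", or Settings > Photos is "Never"
    case restricted   // parental controls / device management forbid access
}

final class PhotoLibraryGate {

    /// Resolves the current status, prompting the user only when it is .notDetermined.
    /// The prompt must precede any PHAsset/PHPhotoLibrary read, never follow it.
    static func ensureAuthorized(completion: @escaping (Result<Void, PhotoAccessError>) -> Void) {
        switch PHPhotoLibrary.authorizationStatus() {
        case .authorized:
            completion(.success(()))
        case .denied:
            completion(.failure(.denied))
        case .restricted:
            completion(.failure(.restricted))
        case .notDetermined:
            // First and only time the system prompt is shown for this app.
            PHPhotoLibrary.requestAuthorization { status in
                DispatchQueue.main.async {
                    // Re-dispatch on the status the user actually chose,
                    // instead of assuming the request succeeded.
                    switch status {
                    case .authorized: completion(.success(()))
                    case .restricted: completion(.failure(.restricted))
                    default:          completion(.failure(.denied))
                    }
                }
            }
        @unknown default:
            // Future statuses (e.g. the limited mode added in iOS 14) are treated
            // conservatively until the app is updated to understand them.
            completion(.failure(.denied))
        }
    }

    /// Fetches the most recent image assets, but only after authorization succeeds.
    static func fetchRecentImages(limit: Int,
                                  completion: @escaping (Result<PHFetchResult<PHAsset>, PhotoAccessError>) -> Void) {
        ensureAuthorized { result in
            switch result {
            case .failure(let error):
                completion(.failure(error))
            case .success:
                let options = PHFetchOptions()
                options.sortDescriptors = [NSSortDescriptor(key: "creationDate", ascending: false)]
                options.fetchLimit = limit
                completion(.success(PHAsset.fetchAssets(with: .image, options: options)))
            }
        }
    }
}

// Hypothetical caller: a screen that wants to show the user's recent photos.
final class AttachPhotoViewController: UIViewController {

    func showRecentPhotos() {
        PhotoLibraryGate.fetchRecentImages(limit: 20) { [weak self] result in
            switch result {
            case .success(let assets):
                // Safe to render: the user granted access before any read happened.
                print("Showing \(assets.count) recent photos")
            case .failure(.denied):
                // Honour "Don't Allow": show nothing from the library and offer the
                // Settings deep link so the user can change their mind deliberately.
                self?.presentDeniedAlert()
            case .failure(.restricted):
                // No prompt and no Settings link will help here; just explain.
                print("Photo access is restricted on this device")
            }
        }
    }

    private func presentDeniedAlert() {
        let alert = UIAlertController(title: "Photos access is off",
                                      message: "Enable Photos access in Settings to attach a photo.",
                                      preferredStyle: .alert)
        alert.addAction(UIAlertAction(title: "Cancel", style: .cancel))
        alert.addAction(UIAlertAction(title: "Open Settings", style: .default) { _ in
            if let url = URL(string: UIApplication.openSettingsURLString) {
                UIApplication.shared.open(url, options: [:], completionHandler: nil)
            }
        })
        present(alert, animated: true)
    }
}
```

The check a reviewer would apply to any of the apps above is simple: search the code base for `PHAsset`, `PHFetchResult` and `PHPhotoLibrary` calls and confirm each one is reachable only through a gate like `ensureAuthorized`; a status of `.denied` must also be the app's answer when Settings shows "Never", so the in-app behaviour and the Settings pane never disagree the way the screenshots on this page show.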