UPDATE: Thanks to my raising this privacy concern, Apple have resolved this issue as of iOS 10. I’ve left the old post below for posterity.
Over the years Apple has put a lot of effort into making iOS secure and privacy focussed. You are prompted with dialogue boxes whenever an app tries to access your contacts, calendars, photos, or location and you need to confirm that you want to receive notifications. However, whilst developing Music Tracker I discovered that there is no privacy prompt when a developer tries to access your library. In fact, they can access all of your music data as simply as this:
That’s just a basic example that’ll output the title of every song in your library but there is a lot of danger in that. This process happens completely silently and in my tests I was able to loop through a library of 10000 songs, put all the metadata in a JSON file, and upload it to a server in under 2 seconds!
But why is this a security or privacy risk? Off the top of my head, I can think of two massive risks:
Your library says a lot about you. If an advertising company was able to get a complete list of your music library (along with changes to it over time) then they could very easily target you with specific ads. Added a lot of Taylor Swift recently? Here are some ads relevant to that.
When iOS first came out there was something called a UDID which basically identified your device uniquely. This was used by marketers to track you across multiple apps and build up a profile. This was stopped by Apple a few years back and replaced with an advertising identifier which you can turn off and which can only be used between apps from the same company (where they are probably already tracking you). However, with a full music library, it would be fairly easy to track someone across multiple apps as periodic snapshots could be compared on a server.
I’ve no idea if apps are already doing this in the background silently but it is something that shouldn’t be able to happen. To that end, I’ve filed a bug report with Apple (rdar://24168798) to ask that they implement the same privacy controls that they do for contacts, calendars, photos, and location: a prompt when an app tries to access this data and the ability to grant or reject that permission through the system-wide settings. Hopefully this is something Apple will implement in iOS 10 – if you’d like to see this happen, please duplicate bug 24168798 in the Apple Bug Reporter as that is the best way to bring it to their attention.
Update, 20th Jan 2016: A few people have pointed out that the first beta of iOS 9.3 does have a new privacy setting for “Media Library”. However, this does not stop the above line of code and read-only access to your library; instead, it is part of a new feature that allows for apps to add songs to your iCloud Music Library but requires your permission to do so. Apps that use the MPMediaQuery above won’t even appear in the Media Library permissions page to disable so this is not the solution some think it is.
Update, 23rd Feb 2016: Several articles are now linking to this and picking up on my comments about iOS 9.3 above and horribly misunderstanding what those new APIs do. I’ve published a new article detailing exactly what the new APIs in iOS 9.3 add to the music library (and what they don’t add). As of iOS 9.3 beta 4, there are no privacy controls on scanning your music library and it still works exactly as I’ve described above.
Update, 25th March 2016: With the public release of iOS 9.3, this issue is not resolved as per my post last month.
Update, 13th June 2016: Thanks to my raising awareness of this issue, iOS 10 (released in beta for developers today) has added full privacy controls for read access to the local media library. I’ll write up a post in the future about how the new APIs work (done).
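As an added example (not code from the original post or from Apple), this sketch shows how an app reads song titles once read access is gated on the media library authorization described in the iOS 10 update. `loadSongTitles`, `songTitles` and `MediaAccessError` are hypothetical names, and the app's Info.plist is assumed to carry an `NSAppleMusicUsageDescription` string.

```swift
import MediaPlayer

// Hypothetical error type for this example.
enum MediaAccessError: Error {
    case denied      // the user refused, or later revoked access in Settings
    case restricted  // access blocked by device policy (e.g. parental controls)
}

// Hypothetical helper: the unguarded read the post describes, now only
// reached after the authorization check in loadSongTitles.
private func songTitles() -> [String] {
    let items = MPMediaQuery.songs().items ?? []
    return items.compactMap { $0.title }
}

// Hypothetical entry point: returns titles only if the user has granted
// access, prompting once when no decision has been recorded yet.
func loadSongTitles(completion: @escaping (Result<[String], MediaAccessError>) -> Void) {
    switch MPMediaLibrary.authorizationStatus() {
    case .authorized:
        completion(.success(songTitles()))

    case .notDetermined:
        // Triggers the system permission prompt.
        MPMediaLibrary.requestAuthorization { status in
            // The handler is not guaranteed to run on the main queue.
            DispatchQueue.main.async {
                if status == .authorized {
                    completion(.success(songTitles()))
                } else {
                    completion(.failure(status == .restricted ? .restricted : .denied))
                }
            }
        }

    case .denied:
        completion(.failure(.denied))

    case .restricted:
        completion(.failure(.restricted))

    @unknown default:
        // Treat any future status as "no access" rather than reading anyway.
        completion(.failure(.denied))
    }
}
```

Handling `.denied` and `.restricted` as ordinary outcomes, rather than assuming the query will succeed, is what keeps the app working when the user declines the prompt.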