Apple might be sharing Face ID data with apps too freely

Security researchers are still scrambling for a way to definitively prove, or disprove, the security and reliability of the iPhone X's Face ID feature. Almost all of the attempts so far, however, require a second face to bypass your legitimate one. It turns out that users might have something to fear even without a doppelganger. It is no secret that Apple allows third-party apps to access some Face ID data, but how much data they get, and how easily, could quickly become a privacy nightmare.

Face ID is inherently secure in the sense that nothing leaves your phone. Or at least shouldn't. Like the fingerprint-based Touch ID, everything is stored on the device and is encrypted so that no one, not even Apple or the government, can have access to it without the user's knowledge or consent. But in order to make use of features beyond unlocking the phone, like Animoji, for example, Apple needed to give app developers access to some of that face data. Some security analysts think Apple may have jumped the gun on that one.

Third-party apps have access to a wireframe image of your face as well as a live readout of the movements of your eyes, mouth, and other features. In theory, that's more than enough for apps to read your expressions, guess your gender and race, and infer other statistical information that may be of interest to developers or third parties. The problem, according to researchers and developers, is that Apple isn't doing enough to limit what developers are allowed to do with that data.

For example, app developers could store the data on their own servers, and the only thing limiting them is Apple's requirement that they present users with a privacy policy when using that feature. Developers also have to abide by Apple's policies, but that hasn't always worked flawlessly.

Of course, Apple exercises very strict scrutiny of apps that go into its App Store, but even then some still fall through the cracks. One app was easily able to make a printout of the user's 3D wireframe without providing any privacy policy, until Apple was explicitly informed of the fact. Cupertino might have rushed to get developers on board in order to push Face ID as a legitimate feature.

SOURCE: The Washington Post