Apple needs to explain that bug that resurfaced deleted photos: Can we trust Apple’s PR?


It’s understandable that people freaked out last week when photos deleted years ago had suddenly reappeared in their iPhone photo library.

While we wait to hear the reason, it does appear that deleted photos are still not deleted after 30 days. Apple makes a lot of noise about trusting them (much like Google used to claim to not do any evil—and then they dropped that slogan), and whilst I don’t think they are deliberately malicious, the fact is that no Big Tech company is truly private or secure. Many Microsoft cloud service users are still reeling after the US government report came out about how much of a security threat Microsoft is to the US government.

Apple’s iPhones have also repeatedly been exploited over the years, including Operation Triangulation in Dec 2022, MFA Bombing flood attacks, zero-day exploits that were exploited in the wild (CVE-2023-41064 and CVE-2023-41061), and of course the various phishing attacks (which have included spoofing Apple Support), and the infamous zero-click exploit in iMessage in 2023.

The more worrying one was one that I posted about on 6 Jan 2024 (CVE-2023-38606), where it appeared that Apple may have deliberately had a security backdoor embedded in the iPhone.

Apple also claimed that opening iMessage (or Apple Messages, more correctly) to RCS would lower their privacy and security standards, even though Apple Messages already supported zero-security SMS messaging.

The fact is, no-one can guarantee security or privacy. Apple’s PR gives users a false sense of security. As consumers, we too often just believe what a company advertises and accept that at face value. Maybe Google was being more honest by dropping their slogan about not doing any evil.

All smartphones are complex devices, and complexity is the enemy of security. No-one can claim their smartphones are fully secure, and the same goes for privacy. If anything is connected to the Internet and the data is online in a cloud service, it can never be guaranteed as 100% private. So be careful of whatever you store in a connected device or in a cloud service if you really want it to remain fully secure or private.

Responsible disclosure and transparency are the hallmarks of a company that truly believes in protecting your privacy. Brushing things under the rug? Not so much.

See https://www.theverge.com/2024/5/20/24161152/apple-ios-17-photo-bug