this post was submitted on 14 Jul 2024
46 points (91.1% liked)

Apple

17435 readers
109 users here now

Welcome

to the largest Apple community on Lemmy. This is the place where we talk about everything Apple, from iOS to the exciting upcoming Apple Vision Pro. Feel free to join the discussion!

Rules:
  1. No NSFW Content
  2. No Hate Speech or Personal Attacks
  3. No Ads / Spamming
    Self promotion is only allowed in the pinned monthly thread

Lemmy Code of Conduct

Communities of Interest:

Apple Hardware
Apple TV
Apple Watch
iPad
iPhone
Mac
Vintage Apple

Apple Software
iOS
iPadOS
macOS
tvOS
watchOS
Shortcuts
Xcode

Community banner courtesy of u/Antsomnia.

founded 1 year ago
MODERATORS
 

Well this is interesting. I plugged my phone into my computer to pull some photos off of it and I just happen to start browsing it via Windows Explorer since the device shows up there. Imagine my surprise when I saw things that were in my Hidden folder show up clear as day. It seems that lock is only at an application level and just browsing the file system it’s there to see.

Does anyone else experience something similar? Is there a note I missed that it’s still be available via other means?

all 16 comments
sorted by: hot top controversial new old
[–] abrahambelch@programming.dev 25 points 3 months ago* (last edited 3 months ago) (2 children)

I reverse engineered the Apple Photos library file on my Mac as a side project and can confirm that hidden assets are not actually encrypted or otherwise protected. The respective assets are just not shown in the apps and can be accessed via Finder on macOS.

I didn't know they were visible when you connect your phone to your PC but I guess it makes sense.

[–] mbirth@lemmy.mbirth.uk 6 points 3 months ago (1 children)

No need for reverse engineering - it has already been done: https://github.com/RhetTbull/osxphotos

[–] abrahambelch@programming.dev 4 points 3 months ago

Thanks for sharing, actually this very project inspired me to do it myself. It is an incredible resource when it comes to certain aspects of the database format!

Imho it has some deeper architectural issues though which I wanted to avoid in my implementation. I'm also using an entirely different tech stack I wanted to train myself in.

My implementation is not as feature complete as osxphotos but I'm sure I will be able to contribute back to the project with the occasional bug fix.

[–] SendMePhotos@lemmy.world -5 points 3 months ago (1 children)

Heeey.... Reverse engineering the software is a clear violation of TOS/EULA

[–] sdc@infosec.pub 21 points 3 months ago (1 children)

The device shows up there because you connected to your computer and trusted the connection on your iPhone (and you had to type in your passcode to confirm.) If someone doesn't know your passcode they can't do this. If they do know it, they could access your photos anyway.

It's probably worth filing a Feedback report to request Hidden photos don't get served up over the standard file system access alongside the rest of your library. You can do so by typing applefeedback:// into Safari and hitting return. If you're on a developer or public beta, you can simply use the Feedback app instead.

[–] ramble81@lemm.ee 9 points 3 months ago (1 children)

That makes sense but the one difference I see is the hidden/deleted folders are Face ID locked and you need to be present to access them at the time. Just having the passcode can get you in to the phone but not to those folders, yet all you need is the passcode for file system access.

I’ll report it via the method you suggested too.

[–] PTKT@lemmy.world 13 points 3 months ago (1 children)

Not to discount this frustration, but you can absolutely access the hidden photos with just the passcode. Try it.

[–] ramble81@lemm.ee 6 points 3 months ago (2 children)

Huh… TIL. You just have to fail it like 4-5 times and it switches to a passcode prompt.

[–] PTKT@lemmy.world 4 points 3 months ago

I wish there was a setting to only allow Face ID or your full AppleID password.

[–] cantankerous_cashew@lemmy.world 1 points 3 months ago

As an added layer of security, you can set the phone to self-destruct by going to Settings > FaceID & Passcode > Erase Data. If someone enters the incorrect passcode more than 10 times, the phone will erase itself. Assuming a 6 digit passcode, there are 1 million possible combinations. An attacker would have an effective 1 in 100,000 chance (.001%) of guessing your passcode correctly

[–] Nogami@lemmy.world 16 points 3 months ago (2 children)

Hidden is not encrypted and when you trust the computer you’re connecting to you have access to the phone’s file system.

Not a bug, a design choice to allow accessing your device photos on an attached computer.

[–] ramble81@lemm.ee 5 points 3 months ago (1 children)

I know hidden is not encrypted, but the level things can be hidden can vary too. You can have parts of the filesystem that are not shown to the USB driver without additional authentication pretty easily.

[–] Anticorp@lemmy.world 1 points 3 months ago

Right. I used to have a program on my computer that completely removed files from the index. There was no reference to their location or existence except for within that program. Even safe mode wouldn't reveal them. That's the right way to go about it.

[–] cantankerous_cashew@lemmy.world 3 points 3 months ago* (last edited 3 months ago)

Personally I like the way that this is implemented; makes it easy to download hidden media files onto my Mac. Anyways, if you’re worried about nudes/pr0n being seen by unauthorized parties, I wouldn’t recommend stashing them in your photos library anyways. There are vault-type apps in the App Store that masquerade as note/calculator apps (Calculator# comes to mind) which are more suited to addressing OP’s use case.