Why Does Strongbox Request Permissions to My Photo Library?

This question comes up from time to time from security- and privacy-conscious users, and it is something we had to investigate ourselves to figure out.

Long story short:
Strongbox doesn't have access to your Photo Library. It can receive a read-only snapshot of a photo that you select; this is entirely by iOS design and has no security implications.

Long story long:
Apps (like Strongbox) cannot decide whether to request permissions to a user's Photo Library. That is up to the system (iOS). In this case, when Strongbox asks iOS to ask the user to select a photo from their library, iOS does not request permissions or ask the user (by design). We found this a little non-intuitive at first too, but it is just the way the API we use works. The API we use is called UIImagePickerController (our source code here) and you can see Apple's documentation for that here. It turns out we're not the only developers to wonder why the system works like this, or about this particular API in general. If you're technical, check out this StackOverflow question. The accepted answer there encapsulates neatly why iOS doesn't request user access:

The answer is simple: it's normal behavior since iOS 11, because the UIImagePickerController runs in a separate process and therefore for just read-only access you don't need any special permissions.
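The behaviour described above can be checked from inside an app. The following is an added example, not Strongbox's code: the class name `AttachmentPickerViewController` and its methods are hypothetical, and it assumes an iOS app target that never calls `PHPhotoLibrary.requestAuthorization`. It presents the system picker and logs the app's own Photos authorization before and after the pick.

```swift
import UIKit
import Photos

// Added illustration; AttachmentPickerViewController and its methods are hypothetical names.
final class AttachmentPickerViewController: UIViewController,
    UIImagePickerControllerDelegate, UINavigationControllerDelegate {

    private(set) var pickedImage: UIImage?

    func presentPhotoPicker() {
        guard UIImagePickerController.isSourceTypeAvailable(.photoLibrary) else { return }
        logLibraryAuthorization(stage: "before picker")
        let picker = UIImagePickerController()
        picker.sourceType = .photoLibrary   // system-provided picker UI
        picker.delegate = self
        present(picker, animated: true)
    }

    // iOS hands back only the single item the user tapped.
    func imagePickerController(_ picker: UIImagePickerController,
        didFinishPickingMediaWithInfo info: [UIImagePickerController.InfoKey: Any]) {
        pickedImage = info[.originalImage] as? UIImage
        logLibraryAuthorization(stage: "after pick")
        picker.dismiss(animated: true)
    }

    func imagePickerControllerDidCancel(_ picker: UIImagePickerController) {
        logLibraryAuthorization(stage: "after cancel")
        picker.dismiss(animated: true)
    }

    // Reads the app's Photos authorization without requesting it.
    private func logLibraryAuthorization(stage: String) {
        let label: String
        switch PHPhotoLibrary.authorizationStatus() {
        case .notDetermined: label = "notDetermined (never asked, no library access)"
        case .restricted:    label = "restricted"
        case .denied:        label = "denied"
        case .authorized:    label = "authorized"
        default:             label = "other"
        }
        print("Photos authorization \(stage): \(label)")
    }
}
```

If the app has never requested library access elsewhere, both log lines should report `notDetermined`, and the app will not appear under Photos in the iOS privacy settings.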

Basically, Strongbox doesn't get permission to view, enumerate or edit your Photo Library, but does get a read-only snapshot of an image selected by you, the user. We still find this a little non-intuitive and appreciate the anxiety it can cause amongst privacy-sensitive users. In this case, rest at ease. We are considering changing this code in a future release to use the PHPickerViewController, which we believe does request permissions. However, we are torn between two competing alternatives:

  1. The current system does not have access to your library, but does not make that explicit and confuses security-conscious users (who assume something strange or insecure is happening). It has the benefit of working really well, and not requiring any work on our part.
  2. The new API (if it does request permissions) will have access to your library (something we at Strongbox don't actually need or want!) but it will be clearer about things (we believe!). It also only works on iOS 14+ and requires development work.

As you can see, it's a bit of a tricky one, but we thought we'd clarify what's going on and explain our reasoning. Please let us know if you have any thoughts, questions or comments.

Nov 3, 2023