Microsoft PowerPoint requesting access to view contacts, while already displaying the contacts in the background - Image Credit Warenotice
Here at Warenotice, we recently discovered a new flaw in iOS's privacy features: third-party apps can access the device's contacts, even when explicitly denied permission.
After conducting multiple tests on devices running iOS 9.0.2 and the fourth public beta of iOS 9.1, we have reached the aforementioned conclusion.
This vulnerability can be seen in action in Microsoft Word for iOS. To see it, first open a Word document that is saved in OneDrive. Then tap the share button (in the top-right corner of the screen). In the screen that appears, tap "Invite people." Then select the "+" icon and make sure that Word does not have permission to access your contacts.
Even when Word does not have permission to access your contacts, you will still be able to scroll through your entire contacts list and select a person (whose email you have in your contacts) to share the file with. This is extremely alarming since it means that any third-party application can access your contacts, even when you explicitly deny it permission to do so.
At this time it is not clear if the vulnerability exists in earlier versions of iOS, but it does occur in the latest version of iOS 9 (iOS 9.0.2) and the latest iOS 9.1 public beta (public beta four).
This catastrophic flaw also leads to much speculation about the soundness of Apple's privacy barrier. If third-party apps can access the device's contacts even when denied permission to do so, what other private information can they access? Can they access your location data after explicit denial? Can they modify and read your calendar after being told not to? This scary possibility remains an ominous mystery, but it could very well be happening as you read this.