Scenario: An iOS application that prompts the users to take a picture with their iPhone camera. These pictures (e.g. of documents) will then be uploaded to our server.

Is there a possible way for an attacker to bypass the dialogue and directly upload existing files - so instead of using the camera, an existing (manipulated) image will be selected from the camera roll or file system?

I'm thinking of manipulating iOS via jailbreak etc.; it should be possible somehow...

flug.beton
  • **Never trust the client!** Assume that the attacker can upload arbitrary data and design your application that way. – Aug 27 '19 at 08:44
  • Either you completely bypass the phone, and communicate directly to your API from some other program and device. Or you use one of these: https://apps.apple.com/ie/app/fake-camera-free/id526976925 – Anders Aug 27 '19 at 09:03

0 Answers