Well this is interesting. I plugged my phone into my computer to pull some photos off of it and I just happen to start browsing it via Windows Explorer since the device shows up there. Imagine my surprise when I saw things that were in my Hidden folder show up clear as day. It seems that lock is only at an application level and just browsing the file system it’s there to see.

Does anyone else experience something similar? Is there a note I missed that it’s still be available via other means?

  • Sean@infosec.pub
    link
    fedilink
    English
    arrow-up
    21
    ·
    5 months ago

    The device shows up there because you connected to your computer and trusted the connection on your iPhone (and you had to type in your passcode to confirm.) If someone doesn’t know your passcode they can’t do this. If they do know it, they could access your photos anyway.

    It’s probably worth filing a Feedback report to request Hidden photos don’t get served up over the standard file system access alongside the rest of your library. You can do so by typing applefeedback:// into Safari and hitting return. If you’re on a developer or public beta, you can simply use the Feedback app instead.

    • ramble81@lemm.eeOP
      link
      fedilink
      arrow-up
      9
      ·
      5 months ago

      That makes sense but the one difference I see is the hidden/deleted folders are Face ID locked and you need to be present to access them at the time. Just having the passcode can get you in to the phone but not to those folders, yet all you need is the passcode for file system access.

      I’ll report it via the method you suggested too.

      • PTKT@lemmy.world
        link
        fedilink
        arrow-up
        13
        ·
        5 months ago

        Not to discount this frustration, but you can absolutely access the hidden photos with just the passcode. Try it.

        • ramble81@lemm.eeOP
          link
          fedilink
          arrow-up
          6
          ·
          5 months ago

          Huh… TIL. You just have to fail it like 4-5 times and it switches to a passcode prompt.

          • PTKT@lemmy.world
            link
            fedilink
            arrow-up
            4
            ·
            5 months ago

            I wish there was a setting to only allow Face ID or your full AppleID password.

          • cantankerous_cashew@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            5 months ago

            As an added layer of security, you can set the phone to self-destruct by going to Settings > FaceID & Passcode > Erase Data. If someone enters the incorrect passcode more than 10 times, the phone will erase itself. Assuming a 6 digit passcode, there are 1 million possible combinations. An attacker would have an effective 1 in 100,000 chance (.001%) of guessing your passcode correctly