Some users have noticed settings that let Meta analyze and retain phone photos

I don’t understand why apps need access to my photos at all. (with some very specific exceptions,) apps should only access a photo, which I first select using the system photo picker. There’s no need for apps to access the entire camera roll just so I can select one photo to use with that app.

I know that that’s partially implemented with the limited photo access now, but it’s confusing from a UI perspective and I don’t understand why this isn’t the default.

The only apps that need full access to my camera roll, are apps like Google Photos, Nextcloud or Immich. Everyone else can suck a lemon.

> I don’t understand why apps need access to my photos at all. [...] There’s no need for apps to access the entire camera roll

So apps like Google Photos or other alternatives to the Apple made Photos app just shouldn't exist at all, if I understand you correctly?

iOS already has exactly the experience you describe and it clearly urges you toward sharing only specific photos.

The only feature request I have is to be able to scope app permissions to an album, since the current flow of selecting individual photos adds a lot of friction.

Did the parent edit their comment? Because your response seems to directly ignore multiple things they said.

Unfortunately, no. It allows you to select which photos an app has access to, and I doubt anybody uses it more than once because of how many taps it takes to include a new photo. Unless I'm missing something.

Right now the comment says the same as when I wrote my comment:

> I don’t understand why apps need access to my photos at all [...] There’s no need for apps to access the entire camera roll [...] The only apps that need full access to my camera roll, are apps like Google Photos, Nextcloud or Immich

Which still make me ask the question: They think no apps should access all photos, there is never any need for that, and these app currently do that and they need that, so are they saying those apps shouldn't exist at all?

That’s exactly what OP asked for. To select which photos an app has access to using the system picker so they can’t see the whole camera roll.

Well, no. It keeps giving permission to the app, and it’s a lot of clicks to manage.

It shouldn’t give access at all, but use a secure clipboard implementation so that only that app can read it out exactly once.

You're right, I think a better UX would have been to let me select which photos I want to use like a normal camera roll picker and to just automatically make that photo available to the app requesting it rather than me having to first go and approve which photos to make selectable and then going to select it after.

Even android has it!

They literally say

“The only apps that need full access to my camera roll, are apps like Google Photos”

Obviously they don’t think the apps shouldn’t exist.

Whether you share it once or in perpetuity is of no practical consequence. They already have the photo at that point.

I agree about the clicks—the UX should be one-shot select and share with the permissions handled implicitly.

Third party photo app developer here. You're right, it's crazy that it's basically all or nothing.

Apple actually has a great API for selecting a single photo in a privacy-respecting way which does not give the developer access to the library at all. [0] But oddly, there is no corresponding API for safely saving or updating a photo in the library. So if your app involves editing a photo, you can't use this API.

The only option you're left with is to request photo library access with that scary dialog.

If the user selects the limited access option, it's not just confusing—it's a prohibitively bad user experience. If the user snaps a new photo and wants to edit it in my app, they have to tap a "Select more photos" button in my app, find the photo in the picker, close the picker, and then select the photo again in my UI.

Personally, I evaluate full access on a developer-by-developer basis. Indie app developers are highly unlikely to nefariously scan your entire photo library, as they lack any incentive or motivation to do so. So I give apps like Darkroom or Halide full access.

Meta, on the other hand, has every incentive to scan my whole library, and I assume they would. So even though it makes posting to Instagram much more painful, I selected limited photo library access for Instagram.

Apple really needs to introduce a safe way for developers to access just the photos/videos users select, and then update those assets.

[0]: https://developer.apple.com/documentation/photosui/photospic...

No. I want to select photos the app has access to now. I don’t want to readjust my selection every time I want to upload a new photo. What I want is an upload button like in the browser.

I click “add photo”, the system dialog opens, I select a photo, and then that gets sent to the app. Somehow, Apple managed to screw that up.

To your point there are plenty of apps that explicitly operate on the photo reel so the api/permission is needed. Steelmanning the point: plenty of apps request photo permissions that shouldn’t need it. This is really an Apple problem though. They have their selective access option which is a patch on the problem inconvenient for the user. I have two apps that end up requesting photo permissions because basic things like saving or loading a photo require the full set of permissions. I would much rather Apple just have a widget that allows me to pipe that data in as a black box, since the pop up message is distracting and I only need the most basic capability. Instead they do some prop 65 warning where even the most basic and reasonable uses trip the warning and what’s app is allowed to scan your entire library with the same permission.

No, they (and I) want it to work like the web browser file upload component where you don't need to grant permission ahead of time because it's nonsensical.

Imagine if every time you wanted to upload a file online, you first had to allow the one website to access that image first in one menu before you could select the image in the normal file upload menu. That's the UX they're complaining about.

Could what you're saying also be basically, you see your whole photos, your whole gallery but the app itself only has access to the one picture you tap on? That way for the user it looks the same as if the app had access to your whole photos, but the app actually only sees the one you select?

> I click “add photo”, the system dialog opens, I select a photo, and then that gets sent to the app. Somehow, Apple managed to screw that up.

That’s exactly how it works for me in iOS at the moment.

In addition, I can see the list of photos each app has been granted access to in Settings > Privacy & Security > Photos.

But you don’t have to do it ahead of time. When you click add photo, you get the system picker to choose the photo and once you’ve selected what you wanna grant access to, that’s it. Literally not a single menu needs to be opened, nothing needs to be configured.

Any UX other than this is something the app developer has implemented on top. iOS works exactly like you described.

The copy/paste feature is underused on iOS. These days if an app needs access to a photo, I try to determine whether the app uses the system photo picker (which doesn't need the app to have photos permission). If it doesn't I simply use the Photos app to copy a photo and then paste afterwards. A benefit is that you can strip location right from the Photos app. With third party apps like Metapho which can be invoked from the share sheet, you can even strip all metadata before copying.

Some apps like WeChat somehow insist on building on their photo picker and they get the copy/paste treatment.

> I have two apps that end up requesting photo permissions because basic things like saving or loading a photo require the full set of permissions.

Absolutely not. Saving a photo does not need the full permissions. If an app does that, the developer is either ignorant or malicious. I see multiple apps that only have "Add Photos Only" permission including apps like Duolingo that.

Similarly the use case of allowing the user to pick one photo doesn't require any permissions at all. Just use the system photo picker. I post reviews with photos regularly on Google Maps and the Google Maps app doesn't have any photo permissions.

Apple should really had a "strip metadata" option directly in the photos picker widget. It would work well with their privacy marketing.

> It allows you to select which photos an app has access to

Yeah, that's the "limited access" mode but if the app uses the system photo picker[0], the app doesn't need any photos permission to pick a photo. Blame the app developers for not updating their apps (and this has been available since 2021 - they have no excuse.)

> Apps don’t need to request photo library permission when using either class, so the sample app avoids requesting permission until it’s necessary. A camera app, photo editing app, or library browsing app needs to use much more of PhotoKit‘s functionality, but [[an app that’s only setting a basic profile photo doesn’t need photo library permission]].

[0] https://developer.apple.com/documentation/photokit/selecting...

It’s about permissions to read out the photo album to begin with, as well as due to it being a pain to change often leading to whole selections of photos being shared

> plenty of apps request photo permissions that shouldn’t need it

True, and this could maybe be solved by better app store review.

Every app submitted to the app store is reviewed by a human for approval. The reviewers could apply more scrutiny to photo permissions and reject apps whose permissions aren't justified.

So again, how does that work when someone also feels like "There’s no need for apps to access the entire camera roll", am I having reading comprehension problems or is there something else going on here?

They listed what they thought should be the exceptions to the blanket statement.

AFAIK Custom photo pickers access your pictures without (hopefully) doing anything nefarious with it. With that said, 95% of apps that do that should just not use custom file pickers.

Something like "allow app access to last photo" would be ideal for me

FWIW I have a free app installed called iVerify that mostly just reminds me when a new iOS is released but recently I noticed they added a "Strip metadata from photo" feature to the sharing tray, so you can pipe a photo through it and then copy to another app.

Google photos stores your photos in the cloud or constantly tries to force you to backup everything to the cloud.

So no it doesn't need permission to manage your local photos. Upload to Google and manage the photos on the cloud if you trust Google while increasing privacy for everyone else.

The argument for the walled garden is that Apple should be taking these options away from the developer in favor of user security. Yes, blame the developer, but also blame Apple.

Why?

If they have access to the last photo ... every photo you ever took was the last photo. Why mess around giving app's permission to surveil/siphon off your photos at all?

Any carte blanche for apps, and apps will go to great lengths to take advantage of that in unexpected ways, and obscure the fact they are doing so.

And privacy losses can never be verifiably reversed.

All most apps need is for you to select photos to upload/import using an Apple supplied photo selector. So they only see and get exactly what you want them to have.

It does, and location and captions are stripped by default using the system picker. It's the switches icon in the bottom left.

iOS has had a private photo picker for a few years now, where you can pick photos from within an app without giving access to all photos.

WhatsApp doesn’t use it and Apple doesn’t hold them to account over it. So, um, yay? Apps like Signal do use it.

WhatsApp does appear to only have access to a subset of photos on my iPhone.

The UX is a little clunky because you have to “add” a new photo which it can then access, but I prefer the privacy of it.

I use it every time. The alternative is to give Meta access to your whole photo roll, which… they will obviously abuse, whatever toggles you set, right?

It isn’t so bad, but I don’t upload much.

Doesn't strip all metadata, such as make/model, ISO, aperture etc.

Do apps have the option to not use the photo picker? I thought from the app’s point of view, the photos that iOS shows it are all the photos on the filesystem.

You're not understanding the complaint or you have Full Access turned on without realizing it.

Set an app like WhatsApp to No Access or Limited Access.

Now try to upload a photo into chat.

Instead of just presenting you with all of your photos so that you can upload one, you first have to click "Manage" -> "Select more photos" -> "Add the photo".

Now you can select that one photo for upload.

That could obviously be trimmed up into Grant + Upload in a single operation, but instead it's so clunky that people grant Full Access just to avoid it.

It doesn't make much UX sense since I want to push one image into the app one time, while priv granting is for future pull operations that don't make sense 99% of the time.

I saw the canon camera app now needs full access to photos.

It used to just need to add to it.

this means - an external camera that wants to just add photos to the photo roll needs full access to all photos.

Looks like zpempenfish is right- most apps are inappropriately asking for the wrong permissions.

I feel the issue here is apple not enforcing developer guidelines(unless I'm misremembering here too). However, that frequently requires people making a stink. I suspect Apple's legal team has decided not to make an issue off it because of the Epic lawsuit- where public opinion is largely against Apple... even though Apple told Epic to pound sand over issues Epic has paid the FTC _HALF A BILLION DOLLARS_ and counting... to settle. See: https://www.ftc.gov/news-events/news/press-releases/2022/12/...

And to forestall "but apple's cut." Reality check: google's policy is substantially identical, and amazon appstore's was "we'll take 30%, but give 20% back in expiring AWS credit." I'm sure ya'll will let me know of other app stores' policies.

This post really nails it. The fact that access to a user photo is an all or nothing game and the most basic operations require full access is a huge problem in Apple’s ecosystem. Web browsers are able to easily let a 3rd party upload a file without giving access to every single file on your computer. I’m sure there are some reasons why it is not so simple on iOS but it can be done and the current setup is really bad.

Meta: You know, the user might accidentally pick "all photos" and then we get to hoover their photo roll up.

> Instead of just presenting you with all of your photos so that you can upload one, you first have to click "Manage" -> "Select more photos" -> "Add the photo".

That's not a OS limitation, this is a UX dark pattern from WhatsApp that they've purposefully added to make the UX terrible to push people into granting "Full Access".

I just tested it with both "Add Photos Only" and "Limited Access" modes with Signal and iOS does exactly what you described as the perfect UX. It's literally the following:

1) Tap Add Photo in a chat

2) System photo picker appears

3) Select which photo you want in your entire gallery (not limited to photos previously granted to Signal)

4) Photo is sent to chat

Again, this is with both non-Full Access modes. I think your beef is with Meta, not Apple.

Exactly this exists. (It’s called PHPickerViewController). It does not require permissions because the image upload process is explicitly choosing an asset.

Photo centric apps may choose more extensive APIs, but those require OS-level permissions (the user explicitly giving access)

That's what I do. Works great. Yes a couple of extra clicks is annoying, and apps are often "Hey how about you go into settings and let me access all your photos for a better experience!", but I'm happy with 2 or 3 extra clicks the few times a month I share a photo in order to limit access.

If you set the access to “Limited Access”, then that’s what the App has. It’s not a decision for WhatsApp to make - it’s in iOS.

By "needs" I take it that you mean "is programmed in such a way to require" and not that the permissions are required to do the job you are asking of it?

Hmm, I can confirm that Signal does work the way you describe.

It looks like there is a separate API for "Private Access to Photos" that is less common than the UX I describe (WhatsApp, Reddit, Twitter, Discord).

Maybe one thing we can agree on is that if apps have to opt-in to the API that's better for users, then we can also blame Apple.

I use it explicitly for Facebook

Others have already mentioned that this is possible with iOS. iOS 14 introduced a bunch of privacy improvements including the PHPickerViewController, but some apps may not yet be using it. [0]

I will say that in the event that an app is not using PHPickerViewController, sometimes it's still possible to emulate it by exiting the app, going into the photos app, selecting the photo, selecting the little "send" arrow in the bottom left, and then picking the app to send it to. I do this all the time with the Slack app. Copy-and-paste may be another route. Sure, it's a silly workaround for a feature that should have been there from day one, but c'est la vie.

[0] https://developer.apple.com/documentation/photokit/deliverin...

Is this only on iVerify EDR? I can’t seem to find it on the up-to-date basic version.

They shouldn’t even need to access the camera roll at all in the vast majority of cases. The OS should simply pass photos and videos as an input to the app as an explicit user action; the camera roll itself should be a black box as far as the app is concerned.

No, but "photo taken on one of the most common phone models in existence" is not _especially_ identifying.

“Limited access” is an older iOS feature from 2020, and different from the “private access” photo picker introduced with iOS 17[1].

[1] https://developer.apple.com/videos/play/wwdc2023/10053/?time...

Limited access isn’t great UX because it’s not reasonable for users to have to manage a list of photos for every app. The new one is much better, but unfortunately app devs have to opt into it for now.

The subset of photos thing was a relatively clunky addition in iOS 14. iOS 17 introduced a much better picker but devs have to opt into using it for now.

Signal[1] and a bunch of other apps do use the newer iOS 17 picker.

[1] https://ibb.co/KpkfrDMZ

Apple could easily fix this if they allowed apps to specify if they want the first square of the photo picker to be a camera icon (possibly even with a live preview background) or not. That's the #1 reason I see for apps using custom pickers. That or they're married to dogshit cross-platform toolkits.

ios allows the following permissions for your phone photo library:

- no access

- add photos only - can add photos to the library, but not access photos in the library

- limited access- the app can only access the photos you select

- full access - the app can access everything

Canon used to allow limited access. Now it refuses to work without full access to your photo library.

Honestly, it should allow any of those.

Seems you can just `get` the result?

Not sure what I’m missing that means so many apps don’t do this, vastly better UX.

https://github.com/signalapp/Signal-iOS/blob/0151cfdee27cb03...

You’re right! They’re all using the same API, there’s no other better “opt-in” API. Some developers just want to make the UX worse for their own nefarious purposes. Nothing to do with Apple.

Glad to see someone on this site is reading Apple documentation from three years ago

I don't want people to know the precise date time of taking the photo. I don't want people to know whether I'm frugal and staying on iPhone 12 or I splurged and upgraded to iPhone 16 Pro. I don't want people to know the version of iOS I was running. I don't want people to know the name of the software that I used to adjust the curves and white balance.