Since moving to Germany, one stark difference I have noticed between Germans and Americans is a focus on data privacy. Sure, Facebook and other social media are still popular here, but Germans, and Europeans in general, are more concerned about keeping personal data private.

I’ve also noticed a shift in my thinking. While living in the US, I was a fairly heavy Facebook user. Over the last few years, though, I seldom log in and even more rarely post anything.

Recent news about the Facebook “leaks” and their scope only confirm that my conscious effort to stay away is the right decision – for me.

Earlier this year, my neighbor and I were chatting and the conversation turned to smartphones and data privacy. Our smartphones have so much personal and potentially sensitive information about us, it can be scary to think of it at times.

During our conversation, we explored how giving 3rd party apps access to certain features and sensors could potentially be misused. I then started wondering exactly how secure is the metadata from my photos. For instance, if I give an app access to my photo library, could it extract metadata (including GPS coordinates) from all photos or just the ones I used within the app?

It’s time for a test app!

As a developer, I knew I could find this out by writing a simple app. The app would request permission to the photo library and, upon receiving it, would see which metadata it could extract from which photos.

The results somewhat surprised me. The app could read metadata from every single photo in the library very quickly. And, since GPS was enabled for the camera app, I could see where I was at which time each photo was taken. I could recreate a substantial portion of my life.

Turns out, had I done a little searching beforehand, I could have found Felix Krause’s blog post on the exact same subject, complete with a test app similar to mine. Oh well, it was still fun to figure it out for myself.

Consequences of my test

First and foremost, I immediately removed photos permissions from WhastApp, Slack, Twitter, etc. I don’t have Facebook installed on my phone, but I need WhatsApp. Many people can only (easily) be reached there.[1]

This brought up a problem, though. I still want to share photos through these services.

I don’t want to turn off GPS recording for photos. I find the information interesting to view. It’s also useful as I can search photos by location.

A solution is to use the share sheet via the photos app to only send certain photos to the social apps when necessary. The apps would still be able to extract metadata for any shared photos but not for the entire photo library.

This is good start. But we can do better.

Workflow

I started thinking about a Workflow that would strip metadata from photos. And then… I made one.

The 3-step workflow is quite simple. It:

1. Gets the input image
2. Strips the metadata
3. Brings up the share sheet

Here’s a a quick example of this workflow in action

Step by step, I:

1. Tap the share button for the photo I want to send from the Photos app
2. Then tap Run Workflow from the bottom row of the share sheet
3. Choose the Remove EXIF and Share workflow
4. Select the app to send the metadataless[2] photo

It’s a bit more work and can be confusing, since the share sheet is presented twice during this process. But that’s a small price to pay to restrict the amount of data these apps can collect.

Save photo workflow

I also created a similar workflow that saves a copy of a photo without metadata for rare situations, which may require me to do so.

It works similarly to the other one.

---

While it’s too late for any photos I took prior to revoking photo library permissions from these apps, at least I can feel better about all photos going forward. My privacy is certainly better protected now than it was a year ago.

Thoughts or suggestions to improve this workflow? Find me on Twitter. I’m @yonomitt.

Have a nice day,
Yono