A loupe over the data iOS never asked about

Opening Claim

Loupe is an iOS application. Its stated function is to show the user what a native app can observe about them and their device. The relevant finding is not what Loupe sees. The finding is that an app had to be built to make that surface visible at all.

A permission prompt is the only signal most users receive about what an application accesses. Camera, microphone, location, contacts, photos. Each carries a dialog and a decision point. Loupe operates against the data that carries no dialog. It reads the context the operating system exposes by default and presents it back to the user as evidence. That evidence is the argument.

This is not an awareness gap. Framing it as awareness assumes the user could have known and failed to look. The user was never given the boundary to inspect. The position here is direct. The consent model on the platform covers a narrow set of high-signal sensors and leaves a large contextual surface open with no notification, no toggle, and no record. That is a trust boundary failure, and it is structural.

The Original Assumption

The operating assumption is that the permission prompt defines the limit of access. If an application did not ask, it cannot see. If the user declined, the refusal holds. This model is reinforced by the platform itself through privacy labels, the location indicator, and tracking prompts. Each of these tells the user that access is gated and that the gate is theirs to control.

The assumption extends from access to consent. Users treat the absence of a prompt as the absence of collection. No dialog is read as no data. The mental model is binary. Granted or denied, on or off. Under that model, a user who grants nothing assumes they have exposed nothing.

The third part of the assumption is purpose. Native apps are described as built for convenience, and the user assumes the data an app reads maps to the function it performs. A weather app reads location to return weather. A keyboard reads input to type. The assumption is that access is scoped to the stated job. Identity, in this model, is something the user hands over deliberately and in pieces. The boundary is assumed to sit at the prompt, and the prompt is assumed to be complete.

What Changed

Loupe demonstrates that the readable surface is wider than the prompt. Device and system attributes, motion and sensor signals, network type, locale, time zone, battery and storage state. These categories are observable to a native app without a permission dialog. Loupe reads them and displays them. The observable behavior is simple. Data the user never granted appears on screen, sourced from the same app context any other application runs in.

Where there is no prompt, there is no decision point. Where there is no decision point, there is no consent. The control the user believed they held does not extend to this surface, because the control was only ever the prompt. A toggle that was never offered cannot be set to off. The result is collection without notification and without an opt out. A control that does not cover the behavior it is assumed to govern is not a partial control. It is an absent one.

The consequence is profiling. Individually, these signals look low value. Aggregated, contextual attributes form a fingerprint capable of identifying and tracking a device across sessions without any identifier the user can see or revoke. The shift is in the user’s position. The assumption was that they were using an app. What Loupe shows is that they are also a measured subject, read by the same context they treated as a tool. Whether any specific app transmits or retains this data is not confirmed from Loupe’s demonstration alone. What is confirmed is that the access exists, requires no consent, and leaves the user no point at which to refuse.

Mechanism of Failure

The control is the prompt, and the prompt is an enumeration. Camera, microphone, location, contacts, photos. Enforcement exists at each named item and nowhere else. Access is gated per sensor against a fixed list, and that list defines the entire reach of the control. Anything the list does not name is not denied. It is readable by default. The failure is not a rule applied incorrectly. The failure is the default state. The contextual surface sits open at app context, and the prompt was never positioned to cover it.

The observable behavior is direct. Loupe runs in the same app context as any installed application and renders device and system attributes, motion and sensor signals, network type, locale, time zone, battery and storage state. No dialog precedes the read. What appears on screen is data present without a grant. This establishes that the read path exists and requires no decision from the user. A gate that is never presented cannot be closed. The absence of the prompt is the absence of the control, not a reduced form of it.

This is a fail-open design. The enforced set is finite and named. The unenforced set is everything else and unnamed. A control that defaults to permit on the larger surface inverts the posture the user was told they held. The user believed deny-by-default with explicit grants. The actual posture is permit-by-default with explicit denials on a short list. There is also no record. The reads leave no log the user can inspect, no toggle, no notification. A control that does not register its own use cannot be audited, and a surface that cannot be audited cannot be governed. A control that is not enforced is not a control. On this surface it is not enforced.

The Parallel Pattern

The pattern is enforcement by enumeration against a default-open surface. Wherever a control is implemented as a list of points that get checked, the unlisted remainder becomes the operative surface. The control is judged by what it stops at the named points. The exposure is set by everything it never names. The named points hold attention. The default behind them carries the risk. This is the same mechanism Loupe makes visible, stated in general form.

The placement changes, the mechanism does not. Egress filtering that blocks a set of known destinations and permits the rest treats the allow path as the default, and the traffic that matters is the traffic no rule named. Authorization that checks a list of sensitive endpoints and leaves unlisted endpoints reachable places the boundary at the named routes, and the reachable remainder is the access path. In each case enforcement is real at the points it covers and absent everywhere else, and the absence is silent. The unenumerated path generates no decision and no record, so its use looks identical to no use. That trait is what carries across. The failure does not announce itself.

The aggregation property follows the same mechanism. Each unenumerated read looks individually low value, which is the reason it was left off the enforced list. The decision not to gate a signal is a judgment that the signal is not sensitive in isolation. Combined, the same signals form a fingerprint that identifies and tracks a device across sessions with no identifier the user can see or revoke. The mechanism turns the rationale for leaving the surface open into the reason the surface is dangerous. Low individual value justified default-allow. Aggregation is where the value is realized. Whether a given app performs that aggregation and retains or transmits the result is not confirmed. That the surface supports it without consent is confirmed.

Hard Closing Truth

The consent model on this platform gates a fixed set of high-signal sensors and treats the remaining readable surface as open by default. That is the finding. It is not an awareness problem, because the user was given no boundary to be aware of. It is not a misconfiguration, because nothing was set wrong against the model. The model itself defaults to permit on contextual data. The boundary the user was shown is the prompt. The boundary that governs the contextual surface does not exist. There is no consent on this surface, because there is no point at which consent could be given or refused.

What must now be true. Absence of a prompt cannot be read as absence of collection. For any risk model, default-readable contextual data is collected data, because the read requires nothing and leaves no trace. The boundary has to move from the sensor to the data. That means deny-by-default across the full readable surface with explicit grants, not a short list of gates over an open remainder. A consent model that does not cover the data it is assumed to govern is decorative. Until the default is deny and the access is recorded, the platform’s privacy controls describe an intention, not an enforced limit.

Identity is the boundary, and on this surface the boundary is not held. A device that can be fingerprinted from ungated contextual signals carries an identity it did not assign and cannot revoke. The user’s position is fixed by the mechanism, not by any single app’s behavior. They are readable whether or not they are read. Loupe’s contribution is narrow and exact. It proves the surface is reachable without consent and returns it as evidence. A control covering only what carries a dialog, over a context that exposes far more without one, is not a privacy control. It is a label. If the system allows the read, the read will happen, and on this surface the system allows it.