- MCMMetadataIdentifier key
What is Photo-Picker?
|"User Selected" User Intent" - Apple WWDC 2021|
Bless the Apple dev's and their naming conventions. This plugin does exactly what it's called. The short version, for those not wanting to watch the video linked below, is this plugin was introduced in iOS 14 as a "privacy" feature. Photo-Picker allows applications access to a user's native Photo application, where a user can "Pick" the "Photo" (or video) they would like the app to specifically have access to.
Attached is a link to Apple's WWDC 2020 video further detailing the implementation of the Photo-Picker Plugin. Meet the New Photo Picker iOS 14.
Additional information related to the Photo-Picker can be found on the Apple PhotoKit Developers page under the Photos Picker topic.
How do the files get here?
One can assume, looking at the plugin name and the Apple developer video, files get here when interacted with by the user and an application. We've all heard the old adage about what happens when you assume something so lets take this a step further.
- Apple iPhone 8 [iPhone10,1 D20AP]
- iOS 14.4.2
- Filza: v 3.8.1
- Kik: Display v. 16.1.0 Internal v. 18.104.22.16879
- Safari: Display v 14.4
- Mail: Display v. 1.0.0 Internal v. 3622.214.171.124.23
- Apple iPhone 6s [iPhone8,1 N71AP]
- iOS 15.4.1
- Kik: Display v 16.1.5. Internal v. 126.96.36.199905
- Safari: Display v 15.4 Internal v. 86188.8.131.52.8
- Mail: Display v. 1.0.0 Internal v. 36184.108.40.206.2
- Axiom Process and Examine v220.127.116.11091
In the beginning stages of research, I tested various applications in an attempt to trigger data being written to */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/. Very early on the only application I ever got results from was Kik.
Since many applications failed to ever write data to this location (more on that later) I focused on what specifically in the Kik application triggered Photo-Picker.
I ran a series of test within the Kik application to see what writes and what doesn't.
Pressing the icon above and selecting a video triggers the Photo-Picker UI
Within this UI the option to trim the video file is present. The user must
further select the Choose option. At this point the UI indicates
the video is Compressing and displays a progress bar. Once compression is completed the file is written to the
*/Containers/Data/PluginKitPlugin/<Application GUID>/tmp/ folder. This is demonstrated in the video below:
NOTE: The video was recorded on the jailbroken iOS 14.4.2 test device utilizing the Filza application to monitor the /tmp/ folder. Multiple times throughout the video this folder is refreshed to show no files present. This further demonstrates the Photo-Picker plugin does not write any data until Choose and Compressing actions are completed.
Allowing Kik access to all Photos and selecting media through the attachment bar.
Forwarding a video from one Kik message to another.
Copying Media from another application i.e. iMessage, Files, and Mega.
Selecting a file over 10 minutes in length (This does not trigger the same UI as Photo-Picker so files are written to the Kik application folder and not */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/)
With testing completed on iOS 14 I turned my attention to iOS 15. I ran the same series of Kik test as presented earlier. After receiving the same results I decided to focus my attention on something I noticed in the Apple WWDC 2021 video. Apple now includes a listing under Settings > Privacy > Photos which indicates "Apps with One-Time Photo Selection"
Mail is not listed under "Apps with One-Time Photo Selection"
- Some EXIF data will carry over with the video.
- Video files may persist for months. In testing I have seen files dating back almost 1 year.
- If the file still exist in the users Photo application and can be located
through visually similar or other means you MAY be able to corroborate
"Last Share Data" information from Photos.sqlite.
- Apple may be allowing developers to implement this plugin and write the files within their perspective application folder.. Thanks to Scott Koeing (Twitter @Scott_Kjr) for pointing out applications like Twitter and GroupMe have features that will trigger Photo-PickerUI and save the video in the following locations:
Containers\Data\Application\ <GUID>\tmp\trim. <GUID/UUID>.mov
- Twitter: \private\var\mobile\
Containers\Data\Application\ <GUID>\tmp\trim_ <GUID/UUID>.mov
- If the application that wrote the file is removed the files will persist if stored in */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/
- Developers also implement this feature in different ways. As With Kik and Mail a user has multiple ways to select a video file. Not all of these will trigger a write to */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/.
- Within the apps test it appears Photo-Picker does not present videos stored in shared albums.
- After discovery of Safari and Mail on iOS 15.4.1 the test was recreated on the iOS 14.4.2 test device and successfully wrote to */Containers/Data/PluginKitPlugin/<Application GUID>/tmp/
- Will contain stored videos that have been created using the Photo-Picker UI.
- Videos will follow the naming convention trim.<GUID/UUID>.mov
- Example trim.19CF656E-74C5-4585-9C32-E4EE35C8E9C9
- If the same video file is chosen more than once, it will be assigned a new unique file name <trim.GUID.mov>. If and when a hash comparison is made, the hashes will be different, even if the same original file was chosen by Photo-Picker to be shared.
- Timestamps for the files will correspond to when the Choose option is selected.
- Videos will persist even if original media in Photos application is removed, or the application that interacted with Photo-Picker is uninstalled.