Description
I noticed that when Ente Photos is included in iCloud backup, it includes several hundred megabytes of data, which didn't seem right if it only included basic configuration data as I would expect. My main concern with this is that Apple can access backups if Advanced Data Protection is not enabled, raising privacy concerns and undermining Ente's promise that only the user (not any cloud provider) can access their photos. While I can't explore iCloud backups directly, I took a backup to my Mac and uncovered several worrying or unnecessary things included in the backup:
- Face recognition thumbnails. This exposes the people stored in the user's library.
- Cached data from the Share Extension. This included several entire photos imported via the share extension, which should not be backed up to iCloud given that they could be sensitive.
- A general database (ente.files.db), containing possibly sensitive metadata such as GPS coordinates for certain photos.
- ML models. This is not a privacy concern, but likely contributes to the hundreds of megabytes stored in iCloud, and is unnecessary to back up individually for each user.
From my understanding, there are ways to exclude certain data from backups, and I saw these in use in a few places throughout the codebase, but it does not appear to cover all cases where user photos and sensitive data could be backed up unencrypted via iCloud Backup.
If I'm incorrect and these files do happen to be properly excluded from iCloud Backup yet not from iTunes Backup, please feel free to disregard. However, I still feel that this is worth looking into as I did not like what I was able to extract from a backup, assuming that this data is also included in unencrypted iCloud backups.
Version
1.3.24
What product are you using?
Ente Photos
What platform are you using?
Mobile - iOS
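One way to repeat the audit described in this report is to summarise what an app contributes to an unencrypted local (Finder/iTunes) backup by reading the `Files` table of its `Manifest.db`. This is an added example, not code from the reporter or from Ente; the bundle identifier, file paths, sizes and suffix categories below are constructed placeholders, and the in-memory database stands in for a real manifest.

```python
import plistlib
import sqlite3
from collections import defaultdict

# Hypothetical suffix hints for the kinds of files named in the report.
CATEGORIES = {
    "database": (".db", ".sqlite"),
    "ml_model": (".onnx", ".tflite", ".mlmodel"),
    "image": (".jpg", ".jpeg", ".png", ".heic"),
}

def entry_size(blob):
    """Return the Size recorded in a Files.file blob (a binary plist), or 0."""
    try:
        objects = plistlib.loads(blob).get("$objects", [])
    except Exception:
        return 0  # unreadable metadata: count the file, not its size
    sizes = [o["Size"] for o in objects if isinstance(o, dict) and "Size" in o]
    return int(sizes[0]) if sizes else 0

def classify(path):
    hits = [n for n, suf in CATEGORIES.items() if path.lower().endswith(suf)]
    return hits[0] if hits else "other"

def audit(conn, domain_like):
    """Per category, count regular files (flags = 1) and sum their sizes."""
    totals = defaultdict(lambda: [0, 0])  # category -> [count, bytes]
    rows = conn.execute("SELECT relativePath, file FROM Files "
                        "WHERE domain LIKE ? AND flags = 1", (domain_like,))
    for path, blob in rows:
        bucket = totals[classify(path)]
        bucket[0] += 1
        bucket[1] += entry_size(blob)
    return {k: tuple(v) for k, v in totals.items()}

def sample_manifest():
    # Constructed stand-in for Manifest.db; on a real backup, open that file.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Files (fileID TEXT, domain TEXT, "
                 "relativePath TEXT, flags INTEGER, file BLOB)")
    rows = [("AppDomain-com.example.photos", "Documents/ente.files.db", 1, 4096),
            ("AppDomain-com.example.photos", "Library/models/face.onnx", 1, 50000000),
            ("AppDomainGroup-group.com.example.photos", "share/IMG_0001.jpg", 1, 2000000),
            ("AppDomain-com.example.photos", "Library/thumbs/face_1.jpg", 1, 20000),
            ("AppDomain-com.example.photos", "Documents", 2, 0)]  # directory row
    for i, (dom, path, flags, size) in enumerate(rows):
        meta = plistlib.dumps({"$objects": ["$null", {"Size": size}]}, fmt=plistlib.FMT_BINARY)
        conn.execute("INSERT INTO Files VALUES (?,?,?,?,?)", (str(i), dom, path, flags, meta))
    return conn
```

Running `audit` before and after a change to backup exclusions shows whether photos, databases or models still land in the backup.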