iOS app can access device photos without notifying a user

The recent mention that iPhone apps can access the entire address book of a smartphone without any notice to the user, as a result of which Apple even received a request from the US Congress, received an unexpected continuation. (Moreover, the problem with the iPhone was one of the reasons for the change of data privacy agreement for mobile applications, which was changed by Google, Apple, Microsoft and several other large companies under pressure from the Attorney General of California).
Guided by so far unclear motives and a source of information, New York Times journalists asked unnamed developers (it is only reported that they work for a well-known company) to write the application “PhotoSpy”, which requests access to information about the location, having received which it is able to copy the user's photo and , in fact, the location data itself on the remote server, without informing the user about it at all. PhotoSpy has not received permission to post on the AppStore; Apple itself has also not yet commented on the actions of journalists.
The problem exists for versions of iOS starting from the 4th, when the system got the opportunity to access the user's photos in order to create more flexible applications. One of the developers advised users who were worried about privacy to turn off the location capabilities of their smartphones, which, in his opinion, would exclude the possibility of potential exploitation of the discovered loophole. In fairness, journalists notice that Apple does not directly prohibit copying photos from the device, relying on the developers in this, however, in fact, no one can stop any of them from creating the corresponding overly “curious” application.
It has also recently become known that a password-protected iPhone can be accessed using simple manipulations with the SIM card.
[ Source]
UPD: Apple has officially recognized the bug and are working to fix it in a future iOS 5.1 update. The company claims that "any program that wants to access contact information must require explicit development from users, this will be implemented in future versions of the software."