
Not Just iOS: Android Apps Can Secretly Copy, Upload Photos

Source: The New York Times

Oh my. More invasion of privacy talk thanks to Android app permissions.

Following reports that iOS apps have access to pictures stored on the device as long as the owner approves the use of location data, the New York Times reports that Android apps take this violation of privacy one step further.

According to the paper, apps developed for Google's mobile OS do not need permission to gain access to photos as long as they have the green light to access the Internet. Even more, these photos can be copied and uploaded to a remote server without the user's knowledge.

Lookout, the security firm known for its self-titled antivirus solution for Android, actually discovered this horrific flaw. "We can confirm that there is no special permission required for an app to read pictures," said Kevin Mahaffey, chief technology officer of Lookout. "This is based on Lookout’s findings on all devices we’ve tested."

To show how vulnerable images are on Android devices, Ralph Gootee, an Android developer and chief technology officer of the software company Loupe, created a simple timer app that produced a notification asking only for access to the Internet -- photo access was not requested. Once the user installed the app and set the timer, it secretly went into the photos folder, retrieved the most recent image, and uploaded it to a public photo-sharing site. Good thing it was only a test.

"Photos if anything are the most personal things," Gootee said. "I’m really kind of shocked about this."

Google has reportedly acknowledged this serious gap in permissions and said it would consider "changing its approach." The problem actually dates back to the first Android smartphones, which could put photos on a removable memory card. This complicated the issue of photo access, especially when multiple cards came into play, so Google simply chose to design app permissions without restrictions on accessing photos.

"We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS," the spokesman told the paper. "At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images."

But now that phones and tablets rely more on built-in, non-removable storage, Google is taking a look at this specific gap in permissions and considering adding a new rule for app access. "We’ve always had policies in place to remove any apps on Android Market that improperly access your data," the spokesman added.

Google's explanation seems to contradict what company spokesman Randall Sarafa said last week after Apple, Google and other companies came to an agreement with California's attorney general on privacy protection within apps.

"From the beginning, Android has had an industry-leading permissions system which informs consumers what data an app can access and requires user approval before installation," Sarafa said, referring to Google's strict rules on app permissions.

  • -9
    coreym72 , March 2, 2012 3:14 PM
    Android and Google can have all the access they want as long as the option boxes appear for each download with the understanding of the required permissions. I'm set!
  • 6
    amk-aka-Phantom , March 2, 2012 3:16 PM
    How long will it take for the people to understand that NO data stored on a device with Internet access and installed software, the source code of which you haven't personally gone through, will NEVER be secure/safe/private?

    :D 
  • -1
    ap3x , March 2, 2012 3:30 PM
    At least the truth is coming out. We should all know about this stuff so we can make a decision whether or not this is acceptable or not and allow us to make more informed decisions about the devices we want to use. This for me is a deal breaker mainly because if there is no authorization required to access photos, what else could be accessed just by virtue of having a data connection? I would be curious if they are digging a bit further into this to find out other things that have the same authorization issue.
  • 5
    de5_Roy , March 2, 2012 3:31 PM
    android is from google. what else people expected?
  • -1
    tonytopper , March 2, 2012 3:42 PM
    Couldn't most Windows "apps" you install do this? Haven't they always been able to do this?

    I wouldn't be surprised if the same is true for Macs and even Linux machines.
  • 7
    ap3x , March 2, 2012 3:53 PM
    Potentially yes but there are applications that allow you to secure that and control outbound access from an application. Not so on a Phone or Tablet.
  • -4
    frozonic , March 2, 2012 3:55 PM
    come on.... we all know EVERY IT company spies on its users but the information they get, it's not used for bad purposes, they use that info to make a "newer and better" device the next year, yeah, i know it's illegal but who says life is fair?
  • 0
    Anonymous , March 2, 2012 3:58 PM
    hmm, that's just scratching the surface. combine this with the fact that on android phones you now have the ability to capture screenshots (and on some tablets, an easy on-screen button to do it every time you accidentally brush your wrist against it), it's not just photos, but screenshots of your most encrypted secure and sensitive apps can now be mined by rogue apps.
  • 4
    zak_mckraken , March 2, 2012 4:09 PM
    I'm shocked for 2 reasons : first, I don't like the fact that my private pictures (not to mix with pictures of my privates) are sent everywhere for some voyeur to see. Second: bandwidth.

    I hope Google doesn't intend to talk their way around this and will actually fix this by clearly requesting permission.
  • 3
    Anonymous , March 2, 2012 4:22 PM
    Every computer is vulnerable to this, really. It's just files on the file system. If the user has rights to that folder, then any app that runs under that user also has rights to that folder.

    This isn't an Android problem but the nature of how computers work.

    And really, how useful would a computer be if programs can't access the file system?
  • 0
    house70 , March 2, 2012 4:55 PM
    anonimus cward: hmm, that's just scratching the surface. combine this with the fact that on android phones you now have the ability to capture screenshots (and on some tablets, an easy on-screen button to do it every time you accidentally brush your wrist against it), it's not just photos, but screenshots of your most encrypted secure and sensitive apps can now be mined by rogue apps.

    yeah, because that's what any person with common sense would do: take screenshots of their " most encrypted secure and sensitive apps"... geez. If you do that, you really need a reality check, even if it comes as a photo leak.
  • -4
    house70 , March 2, 2012 4:57 PM
    What one needs is a firewall app. Google it and install it. Stop b1tching.
  • -3
    Anonymous , March 2, 2012 5:14 PM
    All the files on your SD card are readable by default in Android. If your pictures are stored there, then they are readable. This has been the way it has been done since 1.0. This is no different from an SD card plugged into your computer.

    For onboard memory, the application can restrict file access with greater granularity, (because you aren't restricted primarily to FAT32 like on the SD card).
  • -5
    greenspoon , March 2, 2012 5:19 PM
    It is really funny to me how this is ok, since it is google. When this was Apple being accused of this it was terrible and underhanded.
  • 6
    igot1forya , March 2, 2012 5:32 PM
    greenspoon: It is really funny to me how this is ok, since it is google. When this was Apple being accused of this it was terrible and underhanded.

    I think the idea is that Android people know what they're getting into - Apple people don't. It's like giving a loaded gun to a baby or something. :) 
  • 6
    eddieroolz , March 2, 2012 5:34 PM
    What did you expect from Google? They have a legion of fanboys that are as vicious and blind as Apple loyalists. But like a few other commenters above have said, it's very alarming that people think it's okay because this is from Google. That's a double standard. No one should be applying a double standard, especially not to companies.

    This is the kind of thing that makes me very happy that I'm using a BlackBerry now, with its secure system and explicit permission control.
  • -4
    blazorthon , March 2, 2012 5:53 PM
    I thought we already knew that Google allowed this stuff simply because it is a Google device. Google isn't shy about invading our privacy and/or allowing others to invade our privacy.

    I still have an Android, but I most certainly watch what I do and say on it even more so than I watch myself on my PCs.
  • -4
    cold fire , March 2, 2012 5:58 PM
    greenspoon: It is really funny to me how this is ok, since it is google. When this was Apple being accused of this it was terrible and underhanded.

    Seriously, when it was Apple the tone was much more aggressive but now this is happening on a Google platform it's ok and just how computers work! The Google droids are starting to disgust me more than the iSheep ever had.
  • 1
    blazorthon , March 2, 2012 6:04 PM
    Also, I'm not forgiving Google nor Apple here, it's just that we have heard so much about this, it has kinda lost the surprise it once had. This is alarming and I also consider it alarming that some Google fans don't mind Google doing/allowing this stuff as much as they mind Apple, and the same for Apple fans to Google, but really... Google, overall, seems to be a somewhat better company than Apple.

    Google at least tries (tried?) to embrace their fans and such rather than outright controlling them. Google doesn't necessarily put stuff and watch our every move all of the time, just for Google services. Google allows other groups such as the wireless companies to do it and that is still bad, but Apple does everything themselves and tries to keep it that way. Both companies should stop invading privacy, but that just isn't going to stop no matter what we say.

    We, as the more tech savvy people, can be as alarmed as we want to be, but the majority of users need to be alarmed too, or at least a lot of them. Otherwise, Google and Apple just don't care. Same thing goes for the wireless companies and more.

    The best we can do is just not do anything we really don't want someone else to see on the phones. I don't do anything that involves my personal data, nothing about any bank accounts and such on my phone and that probably won't ever change.

    Programmers among us can help out more by writing code that stops some/all of the crap that we would otherwise need to put up with, but even the average techy only knows so much about programming.
  • 2
    ap3x , March 2, 2012 6:05 PM
    igot1forya: I think the idea is that Android people know what they're getting into - Apple people don't. It's like giving a loaded gun to a baby or something.

    This idea that "Apple People" somehow do not know what they are getting into is absolutely ridiculous. Please explain that. You knew about this issue about Android already?

    Here is a fact, we on Tom's Hardware and other technical sites represent less than 5% of the total user base for both iOS and Android devices. So your logic and others that say the same stupid crap about everything Apple is completely wrong and not based on anything measurable. Just another Android flag waving statement that does not do anyone any good.