Following reports that iOS apps have access to pictures stored on the device as long as the owner approves the use of location data, the New York Times reports that Android apps take this violation of privacy one step further.
According to the paper, apps developed for Google's mobile OS do not need permission to gain access to photos as long as they have the green light to access the Internet. Even more, these photos can be copied and uploaded to a remote server without the user's knowledge.
Lookout, the security firm known for its self-titled antivirus solution for Android, actually discovered this horrific flaw. "We can confirm that there is no special permission required for an app to read pictures,” said Kevin Mahaffey, chief technology officer of Lookout. "This is based on Lookout’s findings on all devices we’ve tested."
To show how vulnerable images are on Android devices, Ralph Gootee, an Android developer and chief technology officer of the software company Loupe, created a simple timer app that produced a notification only asking for access to the Internet -- photo access was not requested. Once the user installed the app and set the timer, it secretly went into the photos folder, retrieved the most recent image, and uploaded it to a public photo-sharing site. Good thing it was only a test.
"Photos if anything are the most personal things," Gootee said. "I’m really kind of shocked about this."
Google has reportedly acknowledged this serious gap in permissions and said it would consider "changing its approach." The problem actually stems back to the first Android smartphones which could put photos on a removable memory card. This complicated the issue of photo access, especially when multiple cards came into play, so Google simply chose to design app permissions with a lack of restrictions in regards to accessing photos.
"We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS," the spokesman told the paper. "At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images."
But now that phones and tablets rely more on built-in, non-removable storage, Google is now taking a look at this specific gap in permissions and considering adding a new rule for app access. "We’ve always had policies in place to remove any apps on Android Market that improperly access your data," the spokesman added.
Google's explanation seems to contradict what company spokesman Randall Sarafa said last week after Apple, Google and other companies came to an agreement with California's attorney general on privacy protection within apps.
"From the beginning, Android has had an industry-leading permissions system which informs consumers what data an app can access and requires user approval before installation," Sarafa said, referring to Google's strict rules on app permissions.