Not Just iOS: Android Apps Can Secretly Copy, Upload Photos

Following reports that iOS apps have access to pictures stored on the device as long as the owner approves the use of location data, the New York Times reports that Android apps take this violation of privacy one step further.

According to the paper, apps developed for Google's mobile OS do not need permission to gain access to photos as long as they have the green light to access the Internet. Even more, these photos can be copied and uploaded to a remote server without the user's knowledge.

Lookout, the security firm known for its self-titled antivirus solution for Android, actually discovered this horrific flaw. "We can confirm that there is no special permission required for an app to read pictures,” said Kevin Mahaffey, chief technology officer of Lookout. "This is based on Lookout’s findings on all devices we’ve tested."

To show how vulnerable images are on Android devices, Ralph Gootee, an Android developer and chief technology officer of the software company Loupe, created a simple timer app that produced a notification only asking for access to the Internet -- photo access was not requested. Once the user installed the app and set the timer, it secretly went into the photos folder, retrieved the most recent image, and uploaded it to a public photo-sharing site. Good thing it was only a test.

"Photos if anything are the most personal things," Gootee said. "I’m really kind of shocked about this."

Google has reportedly acknowledged this serious gap in permissions and said it would consider "changing its approach." The problem actually stems back to the first Android smartphones which could put photos on a removable memory card. This complicated the issue of photo access, especially when multiple cards came into play, so Google simply chose to design app permissions with a lack of restrictions in regards to accessing photos.

"We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS," the spokesman told the paper. "At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images."

But now that phones and tablets rely more on built-in, non-removable storage, Google is now taking a look at this specific gap in permissions and considering adding a new rule for app access. "We’ve always had policies in place to remove any apps on Android Market that improperly access your data," the spokesman added.

Google's explanation seems to contradict what company spokesman Randall Sarafa said last week after Apple, Google and other companies came to an agreement with California's attorney general on privacy protection within apps.

"From the beginning, Android has had an industry-leading permissions system which informs consumers what data an app can access and requires user approval before installation," Sarafa said, referring to Google's strict rules on app permissions.

Create a new thread in the Streaming Video & TVs forum about this subject
This thread is closed for comments
    Your comment
  • coreym72
    Android and Google can have all the access they want as long as the option boxes appear for each download with the understating of the required permissions. I'm set!
  • amk-aka-Phantom
    How long will it take for the people to understand that NO data stored on a device with Internet access and installed software, the source code of which you haven't personally went through, will NEVER be secure/safe/private?

  • ap3x
    At least the truth is coming out. We should all know about this stuff so we can make a decision weather or not this is acceptable or not and allow us to make more informed decisions about the devices we want to use. This for me is a deal breaker mainly because if their is no authorization required to access photos, what else could be accessed just by virtue of having a data connection. I would be curious if they are digging a bit further into this to find out other things that have the same authorization issue.