Apple came under scrutiny this week after reports about a loophole in iOS that could enable rogue apps to access a user's entire photo library and copying the data to a remote server without any notice. Making matters worst the news came weeks after the revelation that Path and other popular iOS apps were accessing and copying people's address book information without their knowledge.
Well, it turns out iOS is not alone -- at least on one of these cases. According to a follow up investigation by The New York Times, by design Android apps do not need permission to get a user's photos, and as long as an app has the right to go to the Internet, it can copy those photos to a remote server without asking.
To demonstrate the loophole, Ralph Gootee, an Android developer and chief technology officer of software company Loupe, put together a test application that's supposed to be a simple timer. Upon installation the app asks for permision to access the Internet, but says nothing about photos. Then, when the app is launched and a timer is set, it goes into the photo library and posts the most recent image onto a public photo-sharing site.
There have been no reports of any Android apps actually doing this, but it's still worth taking this loophole seriously. After all, what business does a timer app have sorting through your photos without asking?
According to a Google spokesperson, the lack of photo restrictions was a design choice related to the way early Android phones stored data. "We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS. At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images."
The company said that as phones and tablets have evolved to rely more on built-in, non-removable memory, they'll have to take another look at this and will consider adding restrictions to access images.
Google added that they also have a policy of removing apps from the Android Market that improperly access personal data, something that they highlighted recently with the introduction of Bouncer.