Android apps can access your smartphone's photos too

By on March 2, 2012, 10:36 AM

Apple came under scrutiny this week after reports about a loophole in iOS that could enable rogue apps to access a user's entire photo library and copying the data to a remote server without any notice. Making matters worst the news came weeks after the revelation that Path and other popular iOS apps were accessing and copying people's address book information without their knowledge.

Well, it turns out iOS is not alone -- at least on one of these cases. According to a follow up investigation by The New York Times, by design Android apps do not need permission to get a user's photos, and as long as an app has the right to go to the Internet, it can copy those photos to a remote server without asking.

To demonstrate the loophole, Ralph Gootee, an Android developer and chief technology officer of software company Loupe, put together a test application that's supposed to be a simple timer. Upon installation the app asks for permision to access the Internet, but says nothing about photos. Then, when the app is launched and a timer is set, it goes into the photo library and posts the most recent image onto a public photo-sharing site.

There have been no reports of any Android apps actually doing this, but it's still worth taking this loophole seriously. After all, what business does a timer app have sorting through your photos without asking?

According to a Google spokesperson, the lack of photo restrictions was a design choice related to the way early Android phones stored data. "We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS. At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images."

The company said that as phones and tablets have evolved to rely more on built-in, non-removable memory, they'll have to take another look at this and will consider adding restrictions to access images.

Google added that they also have a policy of removing apps from the Android Market that improperly access personal data, something that they highlighted recently with the introduction of Bouncer.

User Comments: 6

Got something to say? Post a comment
mario mario, Ex-TS Developer, said:

From Nilay Patel: "BREAKING NEWS: Every Mac OS X app can view all your photos!" source: [link]

This non-sense about "vulnerabilities" where apps can access your local data should stop. Every desktop app has access to your whole hard drive and no body is complaining.

lipe123 said:

Hah yes soon mobile OS' will be like Vista.

"are you sure you wanted to touch the screen"

"Should app X be allowed to do Y"

"Invalid user, you installed a random app that obviously looks suspect -change user and lick screen to continue"

Butch said:

Well I guess I should stop taking pics of my HUGE bowel moments with my phone..

Guest said:

there should be an easy way to control at the very least, general aspects of what an app can do when you install it. like hit a button to uncheck it from having access to txts or for browsing history or whatever. and what I mean by easy is built into android itself. not some rooted app. If the app cant function with certain permissions, it should either not run or you can just reinstall and check the needed permissions. Most apps have the exact same permissions checked anyways so its impossible to tell what it can actually do without some research. it really just makes the install page useless. Dont tell me what vague permissions a calendar app can do if it has the same permissions as, say, the facebook app.

Am I the only one who thinks this is annoying?

Guest said:

As a developer, I would say android OS is by far more insecure than ios. There are two reasons for this. IOS reviews the apps, android is a self publishing process. Second, the average user will not pay attention to permissions on install, and most users don't monitor "scary apps", or apps with a long list of scary permissions. This is a double whammy. Most developers rely on ad revenue, so users are accustomed to accepting internet permissions. It would be trivial to traverse the media database and send pictures/thumbnails over a socket connection. Users cannot view network traffic unless rooted, so you might as well assume its happening.

Guest said:

im on windows Phone anyway :)

Load all comments...

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.