Android also has photo loopholes - Bend Bulletin

From left: a screen grab of an Adroid phone photo gallery; a simple timer app made by a developer that can take photos from the phones of unwitting users; the timer app’s permissions mentioning that it would access the Internet but saying nothing about photos; a photo that the timer app pulled from the phone and uploaded to the imgur website.
New York Times News Service

By Brian X. Chen and Nick Bilton / New York Times News Service

Published: March 02. 2012 4:00AM PST

advertisement: '); //-->

It’s not just Apple. Photos are vulnerable on Android phones, too.

Developers who make applications for Apple mobile devices have access to a person’s entire photo library as long as that person allows the app to use location data, as The New York Times reported this week. It turns out that Google, maker of the Android mobile operating system, takes things one step further.

By design, Android apps do not need permission to get a user’s photos. And as long as an app has the right to send data over the Internet, it can copy those photos to a remote server without any notice, according to developers and mobile security experts. It is not clear whether any apps that are offered for Android devices are actually doing this.

The Apple and Android problems are a reminder of how hard it can be to ensure security on complex mobile devices that can run a vast array of apps. Android apps are required to alert users when they want to retrieve other kinds of personal data â€" like emails, address book contacts or a phone’s location â€" so the lack of protection for photos came as a surprise to some experts.

“We can confirm that there is no special permission required for an app to read pictures,” said Kevin Mahaffey, chief technology officer of Lookout, a company that makes Android security software. “This is based on Lookout’s findings on all devices we’ve tested.”

In response to questions from The Times, Google acknowledged this and said it would consider changing its approach.

A Google employee who declined to be identified said that the lack of photo restrictions was a design choice related to the way early Android phones stored data. They could save photos on removable memory cards, which complicated the access issue, he said.

“As phones and tablets have evolved to rely more on built-in, nonremovable memory, we’re taking another look at this and considering adding a permission for apps to access images,” the employee said in an email. He added that the company had a policy of removing apps from its Android Market storefront that improperly used personal data.

Surprising revelation

To demonstrate the vulnerability of images on Android devices, Ralph Gootee, an Android developer and the chief technology officer of the software company Loupe, put together a test application that appears to be a simple timer. Installing the app produces a notification that it wants to have access to the Internet, but there is no notice about photos. When the app is started and the user sets the timer, the app goes into the photo library, retrieves the most recent image and posts it on a public photo-sharing site.

“Photos, if anything, are the most personal things,” Gootee said. “I’m really kind of shocked about this.”

Ashkan Soltani, a researcher specializing in privacy and security, said Google’s explanation of its approach would be “surprising to most users, since they’d likely be unaware of this arbitrary difference in the phone’s storage system.” Soltani said that to users, Google’s permissions system was “akin to buying a car that only had locks on the doors but not the trunk.”

In the Android Market, customers can report suspicious activity in apps so the company can review and potentially remove them. Google also says it uses a security system called Bouncer, which scans apps for things like hidden features that could steal personal information.

Still, the Android Market permits anybody to publish an app, so a quietly malicious one that evaded Google’s automated screening could end up on many devices. Apple reviews all apps submitted to its App Store, but apps that violate its rules do get through, as was demonstrated by a recent controversy over apps that transmitted address book data.

“Users typically presume some care is given when designing these platforms such that their personal data is handled in a consistent way,” Soltani said. “However, this seems to repeatedly be a false assumption.”

Mixed messages

Google’s explanation for the way it handles photo permissions seems to run counter to the company’s earlier statements about Android’s handling of user data. After Apple, Google and others came to an agreement last week with California’s attorney general on privacy protection within apps, Randall Sarafa, a Google spokesman, spoke about Google’s strict rules on app permissions.

“From the beginning, Android has had an industry-leading permissions system, which informs consumers what data an app can access and requires user approval before installation,” he said.

Google’s security guide for Android developers says, “A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user.” It adds that this includes “reading or writing the user’s private data.”

Sharing data

More so than standard computers, smartphones are typically always on, connected to the Internet and close to their owners, who trust them with highly personal data. Justin Brookman, director of the Project on Consumer Privacy at the Center for Democracy and Technology, said his group had been pushing for a law addressing data collection. Such a law would demand openness from companies and give consumers a choice about the data that they shared, as well as old data that they would like to remove, he said.

“I think the whole problem with the mobile architecture is your phones are designed to expose so much information about yourself to applications,” Brookman said. “It does create so many vectors for bad actors to get information about you.”

View The Bulletin's commenting policy »

'); //-->