http://bits.blogs.nytimes.com/2012/03/01/android-photos/
March 1, 2012
Et Tu, Google? Android Apps Can Also Secretly Copy Photos
By BRIAN X. CHEN and NICK BILTON
It's not just Apple. Photos are vulnerable on Android phones, too.
As Bits reported this week, developers who make applications for Apple iOS devices have access to a person's entire photo library as long as that person allows the app to use location data.
It turns out that Google, maker of the Android mobile operating system, takes it one step further. Android apps do not need permission to get a user's photos, and as long as an app has the right to go to the Internet, it can copy those photos to a remote server without any notice, according to developers and mobile security experts. It is not clear whether any apps that are available for Android devices are actually doing this.
The Apple and Android problems are a reminder of how hard it can be to ensure security on complex mobile devices that can run a vast array of apps. Android apps are required to alert users when they want to retrieve other kinds of personal data -- like e-mail, address book contacts or a phone's location -- so the lack of protection for photos came as a surprise to some experts.
"We can confirm that there is no special permission required for an app to read pictures," said Kevin Mahaffey, chief technology officer of Lookout, a company that makes Android security software. "This is based on Lookout's findings on all devices we've tested."
In response to questions, Google acknowledged this and said it would consider changing its approach.
A Google spokesman said that the lack of restrictions on photo access was a design choice related to the way early Android phones stored data. The first Android smartphones could put photos on a removable memory card, which complicated the issue of photo access, he said. For example, a user might grant an app permission to retrieve photos from one card but not want the app to use photos on a card that was in place on another day.
"We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS," the spokesman said in an e-mail message. "At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images. As phones and tablets have evolved to rely more on built-in, nonremovable memory, we're taking another look at this and considering adding a permission for apps to access images. We've always had policies in place to remove any apps on Android Market that improperly access your data."
To demonstrate how vulnerable images are on Android devices, Ralph Gootee, an Android developer and chief technology officer of the software company Loupe, put together a test application that appears to be a simple timer. Installing the app produces a notification that it wants to be able to access the Internet, but there is no notice about photos. When the app is started and the user sets the timer, the app goes into the photo library, retrieves the most recent image and posts it on a public photo-sharing site.
"Photos if anything are the most personal things," Mr. Gootee said. "I'm really kind of shocked about this."
Ashkan Soltani, a researcher specializing in privacy and security, said Google's explanation of its approach would be "surprising to most users, since they'd likely be unaware of this arbitrary difference in the phone's storage system." Mr. Soltani said that to users, Google's permissions system was "akin to buying a car that only had locks on the doors but not the trunk."
In the Android Market, Google's official Android app store, customers can report suspicious activity in apps so the company can review and potentially remove them. Google also says it has a security system called Bouncer, which puts apps through a simulation to look for things like hidden features that could steal a user's personal information. Still, the Android Market allows anybody to publish an app, so a malicious one that evaded Google's automated screening could end up on many devices.
"Users typically presume some care is given when designing these platforms such that their personal data is handled in a consistent way," Mr. Soltani said. "However, this seems to repeatedly be a false assumption."
Google's explanation for the way it handles photo permissions seems to run counter to the company's earlier statements about Android's handling of user data in general. After Apple, Google and others came to an agreement last week with California's attorney general on privacy protection within apps, Randall Sarafa, a Google spokesman, talked about Google's strict rules on app permissions. "From the beginning, Android has had an industry-leading permissions system which informs consumers what data an app can access and requires user approval before installation," Mr. Sarafa said.
Google's security guide for Android developers says: "A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user." It adds that this includes "reading or writing the user's private data."