The New York Times reported on Tuesday that due to a permission loophole, third party app developers could access an iPhone’s photo gallery app. The paper is now reporting that Google’s Android operating system suffers from a similar security hole. Unlike the iPhone however, which requires an app to have permission to access location data, an Android device that has permission to access the Internet can copy photos to a remote server without notice. “We can confirm that there is no special permission required for an app to read pictures,” said Kevin Mahaffey, chief technology officer of Lookout Security. Read on for more.
A Google spokesman told The Times that the lack of restrictions on photo access was a design choice from the way early Android phones stored data. The first Android smartphones had the ability to store photos on a removable memory card, which complicated the issue of photo access.
“We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS,” the spokesman said. “At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images. As phones and tablets have evolved to rely more on built-in, non-removable memory, we’re taking another look at this and considering adding a permission for apps to access images.”
Ralph Gootee, an Android developer and CTO of Loupe, created a test application in the form of a simple timer. After installing the app, a pop-up notification requested access to the Internet. When a user sets the timer, however, the app is able to access the photo library and retrieve the most recent images without the user granting the app permission to do so. “Photos if anything are the most personal things,” Mr. Gootee said. “I’m really kind of shocked about this.”