Friday, March 2, 2012

Android apps can access and post personal photos



Apps on Android handsets can send user photos to a remote server without the owner's permission.

In a security flaw that mirrors the Apple iPhone vulnerability exposed yesterday, a New York Times investigation found that any Android app with permission to access the internet could post images to a remote server.

According to app developers and security researchers who put the theory through its paces, it was easy to create an app that asked for permission to use the internet, but not to access photos, and then have the app post the latest picture to a public photo gallery.

“We can confirm that there is no special permission required for an app to read pictures,” said Kevin Mahaffey, chief technology officer of Lookout, a company that makes Android security software.

Although Google insists app developers ask for permission to share other information – such as email addresses and location – there was no such edict for photos.

Legacy storage

Google acknowledged the weakness, the Times said, and would consider changing its approach.

A Google spokesman told the paper that the lack of restrictions on photo access was a design choice made to accommodate the way early Android phones stored data, with photos often saved onto a removable disk.

Security researcher Ashkan Soltani said Google’s explanation of its approach would be “surprising to most users, since they’d likely be unaware of this arbitrary difference in the phone’s storage system.”


