Sharing photos that you choose to share is one thing, but what about your private smartphone snaps? They’r safe, right? Not necessarily so — it turns out that Android apps can upload them to private servers without explicit permission at all.
The New York Times reports on the issue, which is tied into any application that has the rights to Internet access. There’s seemingly no specific tag for photo sharing; per the report, any application that has the right to go to the net has the ability to copy a user’s photos to a remote server without explicit permission or notification that this is happening, although it’s not clear if any applications on the Android marketplace are actually doing so.
The NYT report quotes Kevin Mahaffey, chief technology officer of Lookout:
“We can confirm that there is no special permission required for an app to read pictures. This is based on Lookout’s findings on all devices we’ve tested.”
When the NYT contacted Google, a spokesperson said they were aware of the issue and that Google would consider changing its approach. The issue relates to the way the first Android handsets handled and stored data, according to the unnamed spokesperson:
“We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS. At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images. As phones and tablets have evolved to rely more on built-in, non-removable memory, we’re taking another look at this and considering adding a permission for apps to access images. We’ve always had policies in place to remove any apps on Android Market that improperly access your data.”
The issue is similar to one that affects iOS devices, where if a user allows an application to use location data, it can access your address book and photos as well. Or in other words, everyone should be careful about photos they’re taking on their phones. [New York Times]