A few weeks back, Eric brought us a story about how certain nefarious apps could possibly peruse your smartphone’s camera gallery. Now it turns out the security breach is much more serious: any app can see not only your photos but also where they were taken, all without asking for permission at installation.
The major security breach was first spotted by Paul Brodeur from Leviathan Security Group. Brodeur created an app called No Permissions that can access photos and the geotags for those photos right from the gallery app on Android. “Stored completely unencrypted in a file called Chunk_0 is a list of all the locations which matched those of our home, work, family, significant other, friends and even holiday destinations,” writes the Verge’s Aaron Souppouris.
The information seems to have been generated by Picasa Web Albums – even if the user never agreed to share the information with Picasa OR Google. Even with Picasa Web Album syncing turned off, the location seems to be saved to the phone. And since Google has never required apps to declare whether or not they’re accessing your smartphone gallery, this information could be pulled without the user ever knowing what’s happening.
Here’s how the information could then be sent to a remote server without asking for a single permission. Say you’re playing a racing game. The racing game could potentially trigger your browser to start without asking you for permission to connect to the Internet. Then, when it shows how your racing stats compare to competitors, it could covertly send your photos and locations to a remote server. No permissions asked, no problem.
Google says that in the future it plans to add permissions that apps must request to access images. We hope they start doing so NOW. Until Google gets its act together, you can prevent these apps from communicating with external servers by making sure you have your 3G and WiFi connections disabled when playing around with potentially suspicious apps. Sure it’s a pain in the ass, but better than having your photos beamed to god knows where.
Seems like the whole concept behind "permissions" needs a serious overhaul.