(picture from http://speakforchange.org)
**sigh** It just doesn't stop does it? A lot of users might not care about such reports and will probably accuse me of fear mongering. Personally, I think everyone has the right to know what their phone is/isn't doing, especially with their personal information, and as much as I love Android and the big G, reports like this are never really welcome. The news might not come as a surprise to many, especially with recent reports on how Android apps can copy your entire contact list and upload it to servers without permission, but it has now been confirmed by multiple sources (including Google) that Android apps can copy photos from your devices photo album without permission of the user. It seems that as long as the app (regardless of what kind of app it has) has the right to connect to the internet (lets face it..LOTS of apps do), that it can copy photos to a remote server without even telling you. Umm...sorry what???
Now before I go further, it should be noted that it hasn't been confirmed that any apps are actually doing this, so it could be that none of them are. That being said, I HIGHLY doubt this functionality is there for no reason, and it wouldn't surprise me if in the coming weeks that reports on which apps actually perform this action are made publically known.
In IOS, devices can access a photo library as long as the user allows the app to use location data. Android however takes this a bit further, and only requires internet access to copy your photos. Keven Mahaffey (CTO of Lookout security) reports on the findings:
“We can confirm that there is no special permission required for an app to read pictures. “This is based on Lookout’s findings on all devices we’ve tested.”
When Google was asked about this, it was confirmed that this was indeed the truth, and said they would consider changing their approach on what happens with your photos:
“We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS,” the spokesman said in an e-mail message. “At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images. As phones and tablets have evolved to rely more on built-in, nonremovable memory, we’re taking another look at this and considering adding a permission for apps to access images. We’ve always had policies in place to remove any apps on Android Market that improperly access your data.”
Here's where it gets a bit scary guys. To show just how vulnerable your images are on Android, Ralph Gootee (CTO of Loupe and Android developer) constructed a test application. The app itself is just a simple timer, and when you install it, the app produces a notification that it wants to access the internet. It does NOT however ask for permission to use photos (it's a stopwatch app, why would it need them???). As soon as the timer app is started and the user activates it, the app goes into the photo library, grabs the most recent photo in the gallary, and posts it on a public photo sharing site.
After this demonstration of how a stopwatch app grabs and uploads photos from the tested device, Mr Gootee stated that photos if anything are the most personal things. “I’m really kind of shocked about this“.
I for one totally agree with Mr Gootee, and will be the first to say that for me personally, this is completely unacceptable BS. You mean to tell me if I download a fart app that has permission to use the internet for whatever reason, that it can grab photos from my personal photo gallery, the pics of my family, vacation, girlfriend, and any other personal pictures I have in it, and automatically copy them to a server without my permission?? Really Google?
Google, Apple, Mircrosoft, and Blackberry signed a new privacy agreement just last week in California, and courts vowed to severely punish them in court if that agreement was violated. THIS is a CLEAR violation of user rights, plain and simple. Apps grabbing your contacts is bad enough. Apps grabbing my photos (especially considering if its an app that has absolutely nothing to do with photo sharing, like a stopwatch) and uploading them to a server is JUST PLAIN WRONG.
Sort it out Google....and do it QUICKLY.