People were rightfully outraged when news broke last month that some apps for the iPhone were covertly storing the entire contents of contact lists from their phones. It quickly caught the attention of the United States government, which prompted Apple to address the issue and tell app developers that they must acquire "explicit user approval" before the apps can access the contact lists.
Well, guess what - that's hardly the worst of it because apparently apps are also helping themselves to the photos stored on iPhones. Mindful not to omit anybody from this round of privacy non-protection, though, it turns out Android phones also have apps that include a similar photo-accessibility flaw.
It so happens that when iPhone'd people were granting permission for apps to use their current location, some apps conveniently inferred those location details to also include photos. The New York Times ran their own test of the privacy issue by enlisting a developer to create an app that requests permission to use the phone's current location and thereby also gain access to the phone's pictures.
When the test app, PhotoSpy, was opened, it asked for access to location data. Once this was granted, it began siphoning photos and their location data to a remote server. (The app was not submitted to the App Store.)
“It’s very strange, because Apple is asking for location permission, but really what it is doing is accessing your entire photo library,” said John Casasanta, owner of the successful iPhone app development studio Tap Tap Tap, which created the Camera+ app. “The message the user is being presented with is very, very unclear.”
Apple didn't respond to a comment request from the Times, but David Jacobs, a fellow at the Electronic Privacy Information Center, chastised Apple for its failure to yet again ensure iPhone users' privacy. "Apple has a tremendous responsibility as the gatekeeper to the App Store and the apps people put on their phone to police the apps," he said.
Jacobs added, "It is pretty obvious that they aren’t doing a good enough job of that.”
Once the Times discovered that Android was also guilty of the photo privacy flaw, they conducted a similar test with an Android developer to see if an app could swipe photos from a phone without the awareness of users. Surprise, surprise - the Times' test worked and the decoy app gained access to the phone's pictures. However, this security breach was more devious because, unlike Apple apps, the Android app didn't require permission to use the geo-location service in order to access the photos. Instead, as long as the app "has the right to go to the Internet, it can copy those photos to a remote server without any notice."
A Google spokesperson responded to a request from the Times' to explain the security deficiency. Google, as is their wont, responded in typical cagey fashion.
In response to questions, Google acknowledged this and said it would consider changing its approach.
A Google spokesman said that the lack of restrictions on photo access was a design choice related to the way early Android phones stored data. The first Android smartphones could put photos on a removable memory card, which complicated the issue of photo access, he said. For example, a user might grant an app permission to retrieve photos from one card but not want the app to use photos on a card that was in place on another day.
“We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS,” the spokesman said in an e-mail message. “At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images. As phones and tablets have evolved to rely more on built-in, nonremovable memory, we’re taking another look at this and considering adding a permission for apps to access images. We’ve always had policies in place to remove any apps on Android Market that improperly access your data.”
Google is "considering adding a permission for apps to access images"? Wow, Google, don't go breaking your back over making sure that users of your smartphones stay informed over how their information is accessed by the apps they use.
But thanks for keeping us in mind. Really, you're too generous.