Android apps, it turns out, can not only access, but also publicly share, your photos without your permission.
The New York Times followed up on its story earlier this week that apps on Apple devices can access users’ photos and other data if they once agree that an app can access location data.
Apple is reported to be working on a fix, though it has not commented publicly and there’s no word on when this might happen. When it first reported this story, The Times asked Google for comment, but Google had none at the time of publication.
Android apps are required to alert users when they want to retrieve data such as e-mail, address book contacts or a phone’s location, but not so for photos, Google has confirmed. The article describes this as a design choice by Google. Originally, Android smartphones put photos on a removable card and swapping out the cards made the issue of permissions difficult. They no longer use removable cards. The Times quotes a Google spokesman’s email:
We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS. At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images. As phones and tablets have evolved to rely more on built-in, nonremovable memory, we’re taking another look at this and considering adding a permission for apps to access images. We’ve always had policies in place to remove any apps on Android Market that improperly access your data.
The Times hired a developer who created an app on a timer that sought permission to access the Internet, with no mention of photos. But once the timer is set, it goes into the photo library and posts the most recent photo to a public sharing site.
It’s not clear that any apps actually do this, but it’s technically possible. Google’s app security policy precludes, among other things, “reading or writing the user’s private data.” In its Android Market, Google uses a security system called “Bouncer,” a simulation to detect suspicious activity, and also allows users to report potential issues for review.
Business Insider seems alarmed at readers’ apparent lack of concern about this issue, though Gen Y, a large segment in the smartphone market, reportedly is more comfortable with sharing than their older counterparts. And Google was, after all, among the companies that last week agreed to stiffer app privacy standards imposed by the state of California.
But as 9to5Google put it, quoting a company spokesman:
If you ask permission every time an app needs to do something that could potentially violate privacy, it gets pretty messy and it ends up “a future where it takes 10 minutes to open your Facebook app.”