
Photo theft security loophole found in Android too

A new security issue has been found with Google's Android OS that lets apps access user photos without asking.

Josh Lowensohn Former Senior Writer

A security loophole on Apple's iOS platform that gives applications access to a user's photo library without explicit permission has been found to exist on Google's Android platform as well.

The New York Times' Bits blog today notes that Android applications are able to read pictures off a phone as long as that user has given the app permission to use the device's Internet connection.

According to Google, the mobile OS has long been set up to allow this kind of access due to the way it stores data on external memory cards that expand on the phone or tablet's built-in storage. But it may not stay that way.

"We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS," a Google spokesperson said in a statement. "At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images."

"As phones and tablets have evolved to rely more on built-in, non-removable memory, we're taking another look at this and considering adding a permission for apps to access images," the company added. "We've always had policies in place to remove any apps on Android Market that improperly access your data."

For the past few months, Google has been running an anti-malware scanning service code-named Bouncer. It scans apps for known malware, spyware, and Trojans, while keeping an eye out for any other suspicious behaviors. Apps in which malicious code or behavior is detected are then flagged for review by Google's staff, who can remove them from the Android Market. That's on top of Google's feedback program that lets users manually flag and report applications they believe to be suspect.

The loophole follows one profiled earlier this week by Bits, and before that by 9to5Mac, affecting Apple's iOS platform. Similar to this latest one, it lets developers gain access to an iOS user's entire photo library through the same user dialog window that requests access to a user's current location. That security issue is reportedly due to be fixed in a future release of the software, though Apple has stayed mum about if and when that will happen.