Android Devices Can Also Access User Photos Using Same iOS Exploit


02.03.2012

A few days ago, users of Apple iOS devices were stunned by the latest news about the security of their handsets. It appears that the photo library of iPhone users can be accessed by the developers of iOS apps if the user lets the application use location data.

This led Android phone users to brag that their devices have better security than iOS, but yesterday something came up. It turns out that Google (the developer of the Android OS) is even worse than Apple. Several developers and mobile security experts stated that Android apps can also copy the photos of any user. Further, the application doesn’t need the user’s approval to get his photos. All the application needs is the right to use the internet. After the photos are copied, they are transferred to a remote server without the user knowing. Nothing is certain yet, and we don’t know for sure that applications can actually do that, but the rumors alone are very disturbing, because if they are true, the high security level that the device developers claim for their products will turn out to be just a myth.

In any case, the problems that both Android and Apple have are a reminder that you can’t really ensure effective security on mobile devices that have become so complex and that run such a wide range of applications. The experts say it is very surprising that photos can be copied without users being aware of it, because when applications want to retrieve sensitive information such as contacts, the address book, phone location or e-mail, they are required to alert the user.

Kevin Mahaffey, chief technology officer of Lookout (a security software developer for the Android OS), said that his company has tested a lot of devices and confirmed that an app can read images without any authorization.

When asked about the matter, Google admitted there is a problem and said they would try to fix it.

One of Google’s representatives explained that the lack of restrictions on photo access is not intended. He specified that it was a design choice tied to the way Android devices store data: when Android smartphones first appeared on the market, they could store photos on a removable memory card, which made photo access more complicated to manage. For instance, a user could deny an application the use of photos on a certain day even if he had granted it permission to retrieve photos from one card.

The Android photo file system was originally designed to be similar to those of the two big computing platforms, Mac OS and Windows. This made it a lot easier for a user to transfer his files to a computer, because back in the day the photos made with mobile phones were stored on an SD card, which could easily be removed and put into a computer in order to transfer the files or just view them. The same Google spokesman said that the company is considering adding a permission for applications to access photos, because phones and tablets have evolved and now mostly use built-in memory that can’t be removed. He also stated that Google has always had policies regarding applications on Android Market that access data in an improper way, and that it usually removes that kind of app.

Ralph Gootee, an Android developer and chief technology officer of a software company called Loupe, wanted to prove the lack of security around images on Android devices, so he built a test application that appears to be a simple timer. When the user installs the application, it asks for permission to access the internet, with no notice about images whatsoever. When the application is launched and the user sets the timer, the application makes its way into the library where the photos are kept. It then retrieves the latest photo and posts it on a photo-sharing web site, thus making it public.

Ashkan Soltani, a privacy and security expert, said that Google’s explanation of its approach would be surprising to most users, considering that they would probably be unaware of the arbitrary contrast in the storage system of Android smartphones. He also stated that, for users, the company’s permission system was “akin to buying a car that only had locks on the doors but not the trunk.”

When accessing the Android Market, Google’s official application store, users can report any application or activity that looks suspicious so that it is reviewed by the company itself. Moreover, Google even has a security system for that purpose. It’s called Bouncer, and it can simulate the activity of applications in a search for things such as concealed functions that could steal sensitive data from users. However, considering that absolutely anybody is allowed to publish an application on Android Market, there is no doubt that a malicious app could dodge Google’s security system and end up on multiple phones.

Mr. Soltani said that users assume that the platforms are well designed and that there isn’t any risk to their personal information. He also specified that lately this assumption appears to be false.

The explanation for the way they are handling photo permissions appears to be in sharp contradiction with the company’s earlier statement regarding the handling of user data in general. Google, as well as other companies including Apple, came to an agreement the previous week with the attorney of California. The agreement was on privacy protection within applications. A Google representative named Randall Sarafa then said that Google’s application permissions are very strict, explaining that Android has the best permission system on the market, that it notifies clients about the information a certain app can access, and that it requires permission before the user installs it.

The security guide for Android developers stated that there is no way an application can access a user’s personal data, such as photos, without his approval, nor can it perform operations that would affect other apps, the OS, or the user.
