Android users have been warned that applications could be sending back photos stored on their phone to remote servers without their permission in yet another major security worry for the popular operating system, according to a New York Times report.
The issue revolves around a permissions loophole that grants third-party app developers the ability to copy users photos to a remote server without notice, as long as a user given the app consent to access the internet.
Google has admitted the loophole exists and may consider changing its approach, according to the report.
“We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS,” a Google spokesman told the NYTimes via e-mail. “At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images. As phones and tablets have evolved to rely more on built-in, nonremovable memory, we’re taking another look at this and considering adding a permission for apps to access images. We’ve always had policies in place to remove any apps on Android Market that improperly access your data.”
Security analysts expressed shock at the revelation, with F-Secure analyst Sean Sullivan urging Google to address the issue as a top priority, particularly due to the risk of malicious apps emanating from the Far East.
"Google should consider changing it sooner than later. It's very surprising there isn't already an app that does this in a third-party Chinese market. Of all the places in the world that innovate spy-tools/backdoors/webcam trojans - it's China," he said.
Citing a similar report highlighting the same problem with Apple's iOS, analysts have since suggested that the loopholes demonstrate a problem with mobile security across the board.
"The lack of special permissions required to access personal user data such as photos on a mobile platform is truly alarming, particularly when abuse of that information is possible simply through the request of another apparently unrelated permission, such as internet access," commented Trend Micro security expert Rik Ferguson. "The system of app permissions should be designed with a higher degree of security than is currently the case, this is not only true of Android but other major mobile operating systems as well."