
Android photo-stealing loophole discovered amidst massive worm attack threats

by Kristen Nicole

All those photos on your Android device may be exposed to app developers, in one of the biggest vulnerabilities to be discovered on Android OS. Shortly after it was reported that apps on Apple iOS devices have access to a person’s entire photo library as long as that person allows the app to tap their location data, a similar weak spot was uncovered in Android’s mobile OS. The difference is that Android apps don’t need permission at all to gain access to a user’s photos: as long as the app has the right to access the Internet, it can copy device photos to a remote server without notice.

This latest loophole was confirmed by developers and mobile security experts, bringing to light a most important concern: why is this allowed in the first place? The debacle reminds us of the range of apps we use on our devices, reiterating the deficiencies of mobile security compared to our better regulated web experience. On the bright side, Google’s already looking into it, with the possibility of changing its approach to photo access for developers.

A Google spokesman said that the lack of restrictions on photo access was a design choice, made in the early days of Android when removable memory cards were often used for images. Minimizing the complications of memory card access for developers, Android made a few decisions that have backfired in an era of rising awareness around Android privacy and security.

“We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS,” the spokesman tells The New York Times. “At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images. As phones and tablets have evolved to rely more on built-in, non-removable memory, we’re taking another look at this and considering adding a permission for apps to access images. We’ve always had policies in place to remove any apps on Android Market that improperly access your data.”

Mobile espionage

There’s no telling who’s potentially accessed your device photos, or what they’ve done with your personal content. But we do know who’s likely to take advantage of known vulnerabilities on Android: cybercriminals. Data-stealing malware is on the rise, continuing an exponential leap that really took off in 2011: the year of Android. Kaspersky Lab anticipates even more malware dangers this year, including the first ever massive worm attack, designed to spread through networks. In fact, Kaspersky Lab expects a rise in the number of attacks specifically looking for loopholes in mobile operating systems, with the goal of infecting them instead of merely gaining root access on a given device. Also beware of mobile espionage, as well as an increase in malicious apps in the Android Market.

Google is well aware of Android’s weaknesses, in matters of both privacy and security. The Android maker has recently made some changes to appease consumers, adding security detectors for apps being submitted to the market, as well as agreeing to enforce privacy policies for every app in the Market.