Just two days after The New York Times discovered a loophole that could allow unauthorized copying of iOS photos, they now report that the same issue exists on Android, and doesn't even require special permission. As long as an Android app has permission to access the Internet, it can copy any photos to a remote server without notifying or asking the user at all.
Currently in iOS, the app must first obtain permission to use the phone's location data, after which the app can then access the walled-off photo directory without explicitly notifying the user further. In Android, photos are stored in a standard directory in the main file system, meaning they are accessible by pretty much any app by default. While this is not technically a security hole as it is an intended consequence of the operating system's design, the drama surrounding the iOS security issue highlights why this could potentially be an issue to users.
And it's a potential issue that Google is not ignoring. A Google spokesman wrote to The New York Times, explaining that the reason Android phones store photos in this way is because the first Android smartphones were designed with removable memory cards in mind. Some might argue that the openness of Android's file system is a deliberate design choice and therefore not a privacy issue, but the quote from Google's spokesman shows that the company might be reconsidering that choice.
"We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS," the spokesman said in an email message. "At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images. As phones and tablets have evolved to rely more on built-in, nonremovable memory, we’re taking another look at this and considering adding a permission for apps to access images. We’ve always had policies in place to remove any apps on Android Market that improperly access your data."
The New York Times provided an example of the flaw with a test application that appears innocuous but actually siphons photographs to a remote server, as they did with iOS earlier this week. The security issue in iOS is reportedly due to be fixed in the future.