Android lets apps secretly access and transmit your photos

Writing in the NYT's BITS section, Brian X. Chen and Nick Bilton describe a disturbing design flaw in Android: apps can access and copy your private photos without you ever having to grant them permission to do so. Google says this is a legacy of the earlier-model phones that used removable SD cards, but it remains present in current versions. To prove the vulnerability's existence, a company called Loupe made an Android app that, once installed, grabbed your most recent photo and posted it to Imgur, a public photo-sharing site. The app presented itself as a timer, and users who installed it were not prompted to grant access to their files or images. A Google spokesperson quoted in the story describes the problem and suggests that the company would be amenable to fixing it, but does not promise to do so.

Ashkan Soltani, a researcher specializing in privacy and security, said Google’s explanation of its approach would be “surprising to most users, since they’d likely be unaware of this arbitrary difference in the phone’s storage system.” Mr. Soltani said that to users, Google’s permissions system was “akin to buying a car that only had locks on the doors but not the trunk.”

I think that this highlights a larger problem with networked cameras and sensors in general. The last decade of digital sensors -- scanners, cameras, GPSes -- has accustomed us to thinking of these devices as "air-gapped," separated from the Internet, and not capable of interacting with the rest of the world without physical human intervention.

But increasingly these things are networked -- we carry around location-sensitive, accelerometer-equipped A/V recording devices at all times (our phones). Adding network capability to these things means that design flaws, vulnerabilities and malicious code can all conspire to expose us to unprecedented privacy invasions. Unless you're in the habit of not undressing, going to the toilet, having arguments or intimate moments, and other private activities in the presence of your phone, you're at risk of all that leaking online.

It seems to me that neither the devices' designers nor their owners have gotten to grips with this yet. The default should be that our sensors don't broadcast their readings without human intervention. The idea that apps should come with take-it-or-leave-it permissions "requests" for access to your camera, mic, and other sensors is broken. It's your device and your private life. You should be able to control -- at a fine-grained level -- the extent to which apps are allowed to read, store and transmit facts about your life using your sensors.

Et Tu, Google? Android Apps Can Also Secretly Copy Photos

  1. Google’s response makes more sense when you consider that the same situation exists on Linux, Windows and Mac. This is a problem with malware; a security issue, not a privacy issue. So Google needs to decide if phones are going to place new restrictions on software. If they simply placed new restrictions, breaking your existing software, people would complain that it’s their phone and why is Google interfering with its operation. But the example suggests a need for new security systems. That makes it a complex issue that Google needs to grapple with before giving a definitive answer.

  2. Cory, I think you’re conflating two things – it’s files in the file system that can be accessed, not the camera itself – so it’s not secretly recording you at every moment. Plus this is exactly the way most desktop OSes work – any app can access anything on your hard drive with no intervention.

    1. If by “most desktop OSes” you mean Windows, then I’m right there with you. OSX, Linux (and by consequence, Android), and other Unices and workalikes all feature privilege escalation and shedding, as well as group permissions that can be leveraged to switch permissions on and off of filesystem resources through group membership. It’s just lazy.

      1. …but an application being run by a user who has access to those files still has access to those files.

        1. And this is why even an exploited browser is bad for personal computing, as the juicy files are likely sitting in the very same account as the browser is running as (and anything else will be inconvenient to say the least).

      2. Users are lazy. The way a file system works outside of iOS, you can put photos, or documents or whatever in different folders. In Android the Gallery will just show them wherever they are. You would have to manage the permissions of each folder where the user may have stored files. Cross that with the fact that users absolutely do not read which permissions an app requests on install and absolutely do not want to have to agree to the access every time an app requests it (e.g. for automatic file sync with Dropbox and Google Plus) and basically you have a non-starter. Linux users have scoffed for years at Windows users who are all basically logged in as root, but it’s what users want.

        Maybe there’s a better solution. Unfortunately it sounds like a walled garden is the only thing that is going to protect the average unaware phone user.

        1. Agree… and for users who are very concerned about it, yet not willing to put forth their own effort to protect their data, maybe it’s a good thing that locked down devices like the iPhone exist.

          (even though we’re now seeing that Apple’s acceptance wall doesn’t stop apps from behaving maliciously anyway)

          Conversely, we’ve seen time and time again where users themselves quickly discover bad behavior in iOS and Android apps without the benefit of help from Apple or Google.

          I guess what I’m trying to say is… keep your ear to the ground and you should be fine.

  3. Why should photos have special restrictions beyond any other file on a disk?

    Do we then force Android apps to request permission for every type of file they might ever access?

    How would a file manager app handle that? Or do we get rid of file manager apps altogether? Is that worth it in order to give users the ability to ignore common sense when installing software?

      1. Not sure if serious… nearly every OS allows applications to access files on a hard drive. I don’t understand why it’s an issue now.

        Your android phone stores your photos exactly the same way your digital camera does. In fact, that means that even Windows apps can “secretly access and transmit” your photos from Android.

        the sky is falling! quick, someone lock down all our devices so we can only access them through proprietary software!

    1. Agreed. Apps list their permissions. If an app has internet permissions and file access then user beware. Photos would not be my first concern.
      I’m not agreeing with Google; in fact I take issue with their entire permissions system, which is defined once at app install and is not dynamically configurable. There was a lengthy discussion on the Android bug list about enabling permission modification *per app*, and Google marked it as “working as designed”.

      A lot of people would like to be able to install an app, but restrict one or more permissions. As in the above example, if you want a Timer app then it should not need internet or file access permissions. Simply provide the user the ability to disable these features. Google deemed this unacceptable and too confusing (à la Vista) for consumers.

      Solution: root the phone and install a firewall. Problem solved. Apps can collect all the info they want, but if they can’t transmit then there is no leak of personal information.

      1. I think the 3rd party firewall is a good solution. Anyone intelligent enough to set that up probably understands that software won’t function properly if you don’t give it the access it was intended to have.

        I think it would be a disaster if Google or Apple allowed granular acceptance of permissions by default, though. For one, it would cause waves of poor reviews when people’s apps start misbehaving. Second, it would destroy the monetization efforts of thousands of developers.

        Everyone loves free apps, and hates ads… it can only go one way. The other option is to have two app stores that have a significantly smaller selection of apps, most of which won’t be free.

      2. Would also solve the issue right now where 3.2 and later mount SD cards using a different group policy. This means that “legacy” apps can read the SD but not write to it. Being able to grant or remove permissions post-install would make it a simple “add permission X to your file manager of choice” response when a confused user finds himself unable to save stuff to his new card.

    2. Actually I was under the impression that every app on Android got its own user id, so it should be possible for the Linux kernel to restrict access to any file not owned by that user.

      1. I guess it could work, as one can push multiple pieces of data via the share/intent system as far as I can tell. I guess it is a case of programmers being lazy if one allows them to be, and defaulting back to old and known ways of doing things from desktop computing.

    3. If an app wants to access files it did not create, or that are in a folder it is not designed to manage (like Dropbox), then it shouldn’t be automatically able to do that.

      If I take a photo of myself, I should not expect it to end up online unless I choose to put it there.

      1. The second part of your statement, I agree with. You should expect privacy.

        But this is an issue of developers doing shitty things with your data, not a security failing of the OS.

        Locking things down in reaction to these sensationalist headlines is akin to the government trying to stop all crime by making law after law against anything that’s ever used in the attempt of a crime.

        1. I’m not sure it is akin to that. It can be, if done badly, but need not be. For example, if a developer accidentally adds something like “delete *.*” that command shouldn’t work without asking the user. And a patch for “Dragon, Fly!” shouldn’t be allowed to modify the folder that contains Fruit Ninja. It should be able to modify anything it wants in its own program data, though, without asking.

          Imagine if WoW decided to scan your computer for porn and post it online with the title “This was on FasterThanTheWorld’s computer.” An outgoing firewall could stop that, no? Certainly Windows asks me when a program tries to modify another program.

          I’m not a developer, so the things I’m saying may not actually be feasible, but it seems like it makes sense.

          1. I get what you’re saying, but porn on your computer isn’t a program, it’s just a bunch of files. Applications can and always have been able to touch whatever files they want. When you run a program, it is you, so it has access to whatever you do.

            A good example of this is EA’s game distribution platform Origin, which is known to scan your hard drive and send information about the files to EA. They do disclose that they do it, but you can’t opt out if you choose to use Origin.

            On mobile platforms (I’ll focus on Android because I have first hand experience with the development side of it), it is a little different. Apps are sandboxed, so they generally can’t affect other programs, and certainly not the inner workings of the system (which are more or less owned by root). As far as files created by applications, it’s up to the developer. Files can be created as private app data, in which case the user and other apps have no access to them. This is great for things like downloadable content… game files, stuff that other apps really wouldn’t need access to… or files can be created as normal files. This is the case with pictures, and really is what makes sense. Android doesn’t share iOS’s rules about applications that “duplicate built in functionality”, so in order for applications like file managers or alternate galleries to work, pictures need to be stored as public files. The other option would be for the camera app to store them as private data (and the camera/gallery apps would need to be combined), but then we’re getting into Apple’s realm of proprietary software to get them onto your computer since the user can’t access those files either. We have the iPhone for people who want that.

            Personally, I enjoy being able to manage my files like a normal computer, and more importantly, being able to plug my phone into the computer and drag out what I want in an instant. For that matter… Google+’s automatic picture upload (or any similar service like Photobucket, Dropbox, etc.) wouldn’t function either.

            And yes… if you download an application that has read/write access to your SD card, it would be wise to read the user reviews to make sure it isn’t wiping out people’s files.
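The distinction the comment above draws between private app data and public files is the crux of the article's flaw, so here is an added Java example, not code from the page, from the NYT story or from Loupe's app, showing the three places an Android app of this era could write a captured image and who else can read each one. It assumes a standard Android `Context` and the `android.os.Environment` API; the file name and the image bytes passed in are constructed placeholders, and writing to external storage additionally requires `WRITE_EXTERNAL_STORAGE` in the app's manifest.

```java
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

/**
 * Added example (not from the page): the same image bytes written to the
 * three places an Android app could put them, with a note on who else can
 * read each location. Names and contents are constructed placeholders.
 */
public final class PhotoStorageExample {

    private PhotoStorageExample() {}

    /**
     * Internal storage: /data/data/<package>/files/<name>, owned by this
     * app's own Linux UID and created MODE_PRIVATE. The kernel's per-UID
     * sandbox keeps every other app out; no permission prompt is involved
     * on either side, which is the "locked trunk" the article asks for.
     */
    public static File savePrivate(Context ctx, String name, byte[] jpeg) throws IOException {
        FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE);
        try {
            out.write(jpeg);
        } finally {
            out.close();
        }
        return new File(ctx.getFilesDir(), name);
    }

    /**
     * App-specific external directory: cleaned up on uninstall, but it still
     * lives on the shared SD card, so it offers no protection from any other
     * app that can read external storage.
     */
    public static File saveAppExternal(Context ctx, String name, byte[] jpeg) throws IOException {
        File dir = ctx.getExternalFilesDir(Environment.DIRECTORY_PICTURES);
        if (dir == null) {
            throw new IOException("external storage not mounted");
        }
        return writeTo(new File(dir, name), jpeg);
    }

    /**
     * Public Pictures directory: where a camera app writes so the Gallery and
     * file managers find the shot. This is the shared storage the article
     * describes as readable by other apps without any permission prompt.
     */
    public static File saveSharedPictures(String name, byte[] jpeg) throws IOException {
        if (!Environment.MEDIA_MOUNTED.equals(Environment.getExternalStorageState())) {
            throw new IOException("external storage not mounted");
        }
        File dir = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_PICTURES);
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        return writeTo(new File(dir, name), jpeg);
    }

    // Shared writer; explicit close() rather than try-with-resources so it
    // compiles against the Java 6 toolchain Android used at the time.
    private static File writeTo(File f, byte[] data) throws IOException {
        FileOutputStream out = new FileOutputStream(f);
        try {
            out.write(data);
        } finally {
            out.close();
        }
        return f;
    }
}
```

When reviewing an app that handles anything sensitive, the check is simply which of these three paths the file takes: only the first one is enforced by the per-app UID the comment thread discusses, and that is the trade-off the comment describes, since a photo stored that way is invisible to the Gallery, file managers and sync services as well.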

  4. You should be able to control — at a fine-grained level — the extent to which apps are allowed to read, store and transmit facts about your life using your sensors.

    They tried something like that in Windows Vista. It didn’t go over too well.

  5. so what apps are known to access your photos and other files in the manner described? what examples are there of what those apps then do with the data? how can we figure out if we are running or have run those apps, and what might have been done with our data? is there a way to prevent this in the future by avoiding certain apps, until Google creates the ability to make settings changes to our phone OS?

    normally i lean on the “who cares about privacy” side…but not in this case. i agree this is a real security/permissions issue and would like to know ways to combat it.

  6. You take photographs of yourself ‘undressing, going to the toilet, having arguments or intimate moments, and other private activities’ using your phone? Why? If you’re that narcissistic, you should be posting everything publicly on Twitter anyway.

    1. If the phone is in the room with you, it’s not outside the realm of possibility for it to begin recording and transmitting without being commanded to do so by you. That’s the issue. It’s a phone, it has a video camera and sound recorder and a GPS and both WiFi and 3G/4G capability. Only software controls where and when and how those features get activated, and every day we’re finding more evidence that we, as users, do not have 100% reliably complete control over those features as a default.

      Considering how most people don’t have particularly secure email passwords, I am not comforted by the fact that if I manage to learn someone’s Gmail password, not only can I rifle through all their email and swipe their identity in a multitude of ways, but I can remotely install apps like Where’s My Droid into their Android (without ever once actually seeing or touching their phone), which will tell me where they are at any moment, when they’ve picked up the phone, etc., without letting them know that I’m doing so. It was one thing to be carrying around one’s own personal self-surveillance kit when you just had to keep it from falling into the wrong hands to keep it secure. Now you have no reliable way of preventing your kids, an estranged ex, Johnny Law, Google, your service provider, and pretty much any interested party from tracking your movements, eavesdropping on your conversations, and checking out your naughty bits every time you’re even in the same room with your Droid. Again, the hardware’s all there. All one needs is the right app.

      I tellya, I’m really starting to miss Instamatics, magnetic compasses, folding maps, paper notepads, pocket calculators, Super 8 cameras, and the Yellow Pages. Hell, even that skanky, germy, graffiti-covered phone booth down the block is starting to look pretty good… or it would if the handset wasn’t ripped out back in 2003.

      1. The issue here is that Android is giving apps unrestricted access to photos, not the realm of the possible other flaws (given enough time and resources, any lock can be picked). With every security flaw discovered in [insert here], Cory breathlessly manages to turn that into an end of the world sermon about how all our rights are going to be ruthlessly crushed by a totalitarian corporatocracy. Really? Tomorrow they’ll find another hole, and another, and another, and life will go on. We’ll manage, and somehow we won’t be seeing 10 million pictures of people taking a shit floating around. If you’re looking for 100% control, reliability, and security, simply leave your phone home, or don’t use one at all.

        1. If you’re looking for 100% control, reliability, and security, simply leave your phone home, or don’t use one at all.

          No argument here. That’s the course I’ll probably end up taking myself. The thing is, the convenience of having my email always accessible to me, plus the texting, even the camera… they’re all so damned useful to me, even in my professional capacity, that going back to the way I did things in the Dark Ages of the 20th century sounds hopelessly retrograde, paranoid, and Luddite. But that’s the way they get ya. The damned thing is a tracking collar just waiting to be activated, and filled with shiny, entertaining, useful features to keep us from chewing it off. Otherwise, all the tracking and surveillance features that rile the dander of paranoid alarmists like myself, the features that are simply there “to improve the service and usability for our users,” would always be completely opt-in by default, instead of generally the opposite.

          Now there are more smartphones than dumb phones in use. Will a point come when not having your PCS (remember when they were called that?) on your person at all times becomes cause for questioning? Probably not. But I’m afraid we can’t say “definitely not.”

  7. The privacy issue is serious but unlikely to create a reaction from companies unconcerned with privacy.

    Surely the easiest way to deal with this is to sue the shit out of your provider/manufacturer for allowing someone to eat into your data allowance by surreptitiously uploading photos. Mobile bandwidth is much more of a commodity than a home connection as it is much more expensive. It’s much easier to sue someone for robbing you than for invading your space.

    There is very little control over permissions under Android and even less under Apple. Privacy is all well and good but a claim over cash is much more likely to garner the requisite attention.
