March 02, 2012, 11:24 AM — Apple came under fire Wednesday after the New York Times reported a flaw in the iPhone's iOS security that allows any app granted the right to access data on the phone to also read the user's entire address book and photo collection and send them to remote servers.
Today the Times follows up with a story showing that Google's Android has an even bigger security hole in the way it manages pictures: any app that has permission to access the internet – most of them do, if only to fetch updates or patches to their own code – also has permission to read the user's photo collection and, if instructed to, send it to a remote server of its (or an attacker's) own choosing. No separate permission for photos exists, so nothing in the install-time permission list warns the user that an internet-enabled app can reach the images.
Android security software maker Lookout confirmed the results "on all devices we've tested," according to quotes in the NYT story from Lookout CTO Kevin Mahaffey.
A Google spokesperson told the NYT that Android's photo-storage rules were originally designed on the assumption that users would store photos on removable SD cards. Android's photo permissions are structured to make it easy for users to move SD cards between phones, laptops and other devices without errors arising from conflicting Android and Windows security rules.
"As phones and tablets have evolved to rely more on built-in, nonremovable memory, we’re taking another look at this and considering adding a permission for apps to access images. We’ve always had policies in place to remove any apps on Android Market that improperly access your data," the Google spokesperson's email to the NYT read.
That's a relief, or would be if I weren't an Android user who occasionally downloads new apps from the Android Market. Removing "offending" apps that obey access rules laid down by Google in the first place makes complete sense.
Certainly it's a more elegant solution than rewriting Android's security structure to reverse its polarity – switching it from a firewall that's mostly holes to one that's mostly firewall.