Both iOS and Android Stealthily Expose Users’ Photos

Do you think your photos on your iPhones or Android smartphones are secure? Think again.

As it turns out, both operating systems give access to your photos to people who know how to exploit the vulnerabilities of the platforms.

Back in February 28, the Bits blog of The New York Times ran a piece which made headlines all over the internet. According to this earlier report, a glitch within iOS lets iOS developers access photos on an iPad, iPhone or iPod Touch without the knowledge of the user of the device. This could be developers or people purporting to be developers but could have in theory developed only an app which masquerades as a legitimate app, got it approved by Apple, and now have access to the photo libraries of unsuspecting victims.

According to the publication, apps which have access to location information can pull up a user’s photo library and copy it in its entirety without further prompts to the user of the device. Why location data, you ask? The New York Times explains that when an iOS app prompts for permission to pull up location data, it asks the user whether to allow access to location information “in photos and videos”.

This is undoubtedly scary and you can understand why the story has gotten so much attention. Nonetheless, Apple will have a fix through an update on iOS soon, The Verge added to the narrative.

As a result, many were criticizing Apple for this flaw on iOS which compromises the privacy and security of users of its shiny iThings. If you remember, Apple was in the hot seat again in January when it was revealed that address books of users of iOS devices can also be compromised.

However, it turns out that Android also has potentially the same glitch which jeopardizes photos of unsuspecting users.

The development comes again from the Bits blog of The New York Times which reported at the start of this month that Android leaves photos vulnerable too. Not only that, the publication says that “Google…takes it one step further” compared to the vulnerability discovered on iOS.

According to The New York Times, “Android apps do not need permission to get a user’s photos, and as long as an app has the right to go to the Internet, it can copy those photos to a remote server without any notice, according to developers and mobile security experts.”

Whereas iOS apps need to have had permission granted to pull up location data with the caveat that they can do this too with “pictures and videos”, the Times reports that all that Android apps need to copy a user’s photo library is the permission to access the Internet.

The publication even had an Android developer from software company Loupe named Ralph Gootee develop a test app which they employed to see if this vulnerability would compromise photos.

The Times writes that Gootee “put together a test application that appears to be a simple timer. Installing the app produces a notification that it wants to be able to access the Internet, but there is no notice about photos. When the app is started and the user sets the timer, the app goes into the photo library, retrieves the most recent image and posts it on a public photo-sharing site.”

The publication has, however, reached Google and got a response saying that the internet giant is “considering” changing its approach with regards to apps having access to photos without prompting the user of the device.

What do you think about this issue? Tell us more in the comments below.

Sources: The Bits blog by The New York Times: one and two; The Verge

Images 1 & 2 from substrata studio & 55Laney69 on Flickr

[cb]Apple[/cb]

[cb]Google[/cb]

[cb]Android[/cb]