Gallery is for spiez

Let's file this under "anything for a story about Android". The New York Times has decided that Android is also "vulnerable" to apps being able to see your pictures, which is exactly what it was designed to do. It all stems from recent press coverage of an iOS loophole that allowed apps without permissions to access photos stored on a user's device. There is a big difference here though, and it's in the design. 

iOS was designed so that nothing but the gallery on your device, or iTunes, had access to your pictures. Developers whose apps had access to location data could get into the Camera Roll, because many pictures carry and use GPS data. Rene does a really good job of explaining this over at iMore, and you should read it. Personally, I didn't think it was a severe security hole on iOS, but it was a loophole that Apple decided to fix. That's good -- if you're going to have a permissions policy on a certain part of the file system, you should enforce it. Even a silly permissions policy.

Android, on the other hand, was not designed this way. It's like a Windows computer. Or a Mac. Or a Linux computer. Or a digital camera. Even the computer used to write the story at the NYT allows complete access to photos -- they all do. It's standard file input/output, and the fact that Apple decided not to use it makes no difference. It doesn't stop there, either. Documents, videos, music: all media can be shared in a modern operating system. I can use Microsoft Office and see the pictures folder on every computer here at my house, because it was designed that way. It makes things easy to use and share, because we like to use and share digital media.

Unfortunately, all the fuss over "private" data lately has even Google second guessing themselves:

We originally designed the Android photos file system similar to those of other computing platforms like Windows and Mac OS. At the time, images were stored on a SD card, making it easy for someone to remove the SD card from a phone and put it in a computer to view or transfer those images.

 

As phones and tablets have evolved to rely more on built-in, non-removable memory, we're taking another look at this and considering adding a permission for apps to access images. We've always had policies in place to remove any apps on Android Market that improperly access your data.

This could just be PR spin, or Google really may have to make things harder for us all because of silliness. I don't want this, I'm assuming that most of you guys don't want this either. Do yourself a favor, and don't fall into this trap.

Source: New York Times

 
There are 35 comments

gravage says:

Apps having access to the gallery is what makes it easy to upload pictures to multiple services without opening multiple apps. It's one of the things I love about Android and HATE about iOS. If you want to upload a picture from an iPhone to Facebook (or any other service), you have to close out of the photo roll, open Facebook, and upload from there. It's ridiculous.

tvtropes.org/pmwiki/pmwiki.php/Main/FlatWhat

Some guy on the Internet thinks that being able to look at pictures is a security flaw, so Google decides to revise its permissions.

Wat.

I've also decided that "FUD" now stands for "F*cking Unbelievable Dumbasses."

icebike says:

I've noticed that when ever Apple needs some noise in the market place to cover something up, suddenly the lapdog press trots out another sheaf of articles about the evils of Android.

It's like clockwork. Go to Vegas and bet on it, you will win big.

As much as I approve the will to fight FUD, I think the position you're defending is silly.

Android is not "like every computer". Android uses a permission system. On "every computer", apps can freely access the internet, modify your files, or automatically start at boot. To do this on Android, apps need to explicitly require a permission. Why should reading files be treated differently?

So basically either Android phones are like computers and Google should get rid of the whole permission system, or there actually is a flaw here and Google should add a "reading storage content" permission. As you said, if you're going to have a permission policy, you should enforce it.

ilaifire says:

Try deleting c:/program files. You can't, can you? It prompts you for permission to do so before it actually deletes it. Try editing the hosts file in windows vista/7, again, unless you run notepad as an admin it won't let you save. I'm not sure about how Mac OS works, but since the target market is much less tech savvy I have the feeling that they have a similar system where the user can't just go around doing whatever without admin privileges (which aren't on by default).
One of the differences between Windows Vista and 7 was in fact that in Vista it prompted you for admin permission for *everything*, whereas 7 only prompts you for things that could cause damage. Same case with Android, sending SMSs and internet access can run up a bill and cause damage, accessing photos won't. The next step will be adding a permission "to run when a user tries opening the app".

Sure, accessing my photos isn't damage as in delete-system-files damage, but I would consider an app that steals all my photos without telling me malware. It's about accessing your personal information. Apps need a permission to read my contacts or my calendar. They should need a permission to read my photos. Plus it's not only photos, it's every file on your sd-card. I have personal files on my phone, some apps store personal info on the sd card, so if the permission system is there to protect my info, there is a big flaw right here.

And there are tons of permissions for things "less dangerous" than accessing photos. "Prevent phone from sleeping", "receive data from internet", "control vibrator", "install shortcuts" to name a few. That's how the permission system works: to access anything outside its sandbox, an app needs a permission. The most notable exception? Reading files on the SD card.

Steal your photos? Isn't that reaching too much? You'd probably see your data spike up if an app really does that. Do tell us when you've found an app that does just that.

I don't really see a problem here as not every camera app uses the DCIM folder as their folder of choice. I think the permission to read/write on the SD card pretty much covers what the app needs to do. Why they need those SD card permissions can be gleaned from the app description itself. If it's an office app, it needs those SD permissions to edit and save office files, and music apps on the other hand need to do so to read your mp3s, oggs, aacs, etc. or to delete them. Something you'll need a computer for on competing platforms.

icebike says:

Your use of the phrase "like every computer" suggests your computer experience is limited to windows.

I assure you, not every application gets to use the internet in every system, and even windows has added built in firewalls that can do egress filtering. And not every computer system allows access to your files by default nor does every computer system allow programs to start at boot time just because they want to.

Take a tour of Linux some day.

The problem is that there are cases where we need a finer grained permission system. We need to be able to deny apps permissions to some files, even if you were explicitly told it would be able to read those files when you installed it.

The solution is readily available in the open source community, and even leaky sieve Microsoft has adopted it. It's called Access Control Lists, or ACL for short.

With ACL you can explicitly deny (or allow) specific applications the right to read or write specific files or directories.
http://en.wikipedia.org/wiki/Access_control_list

I have "taken a tour of Linux", thank you very much.

My use of the phrase "like every computer", in quotes as you may have noticed, was in response to the title of the article, things like "Even the computer used to write the story at the NYT allows complete access to photos" and basically the whole idea developed in the article that Android phones are just like every computer which all allow free access to the file system. I know that most (all?) OS implement some kind of access control, but that's not really the point, is it?

I don't know much about ACL, but Google needs to implement a simple and almost transparent (for the user) solution to this issue, ie. I don't want to have to chown files on my phone.

not sure if trolling...

Nowhere does it say free access to the file system. Free access to folders that traditionally have had free access and are shared with userspace applications on every device ever made except the iPhone is what it says.

Like it, don't like it, I don't care. Don't put words into my mouth though.

Sorry, I wasn't trying to put words in your mouth, I should have said "free access to your documents".

Or Android uses a modified version of Unix's Owner/Group/User file system permissions, and by default the pictures folder is read/write with no suid for all three.

mvader123 says:

Google HAS a permission for "reading storage content".
And it is ENFORCED.
Try building an Android app that reads the FS without requesting that permission. It WON'T WORK!
(Example: https://market.android.com/details?id=com.estrongs.android.pop and go to the permissions tab)

Edit:
Well, poop. The permission doesn't do what I thought it did. Reading IS available without a permission. Writing is not. I thought that reading required a permission as well (mostly due to http://stackoverflow.com/questions/8348624/sd-card-not-mounted-android-a... and other references to android.permission.READ_EXTERNAL_STORAGE) but when I created an app of my own with that permission, I wasn't notified that the app was requesting that permission when I installed it.

TenshiNo says:

I believe you're overlooking the fact that there *is* a "Modify SD Card Contents" (I think that's what it's called) permission. It's just a blanket permission to access the SD-Card.

Next thing you know, people are going to want a permission for "Access to CPU" or "Access to Display". Just know that if an app says it needs permission "Modify SDCard Content", that app is going to be able to view your photos, see what kind of music you listen to and upload your porn to some off-site server. That's why you should pay attention to app permissions when you're installing apps.

People get *too* concerned about the privacy thing, I think. Nobody wants to steal your photos of your gut hanging over your speedo at the beach. Relax.

The porn may be another story, though. You're on your own with that one.

cyanogen-man says:

Wow really?? THIS HAS GOT TO BE FOR PEOPLE WHO HAVE, LET'S SAY, NO SELF CONTROL WITH TAKING PICTURES OF THEMSELVES WITH NO CLOTHING PERHAPS????? I don't even use my camera

DrDoppio says:

No, this is for paranoid douches who think anyone would be interested in downloading THEIR lame pictures.

Note to douchebags: just because I have read rights to your pictures folder doesn't mean that I want to read any of it, or ever see your ugly can for that matter.

You ever heard of administrator permissions on Windows? Root access on Linux/Unix. Android just simplifies it because that's what the mobile industry has evolved into. You really should do your homework before you speak out of turn. Now go back to your cave troll..lolhaha

icebike says:

Please learn what the Reply button is for.

That was to ice bike.

TenshiNo says:

^^^ Still hasn't found the "Reply" button ;)

[/troll]

Sorry. Couldn't help myself :)

font1975 says:

I'm confused. Apps already have to declare permission to access the SD card, which is where the pictures are stored. So what is the issue? Is the picture folder under a different rule than the SD card?

The whole issue here is that there is no permission to access the SD card. There is a permission to modify and delete files, but reading is free for all.

That's a real issue imho, and I hope Google will change that.

mvader123 says:

I replied to you earlier, but since you posted here as well...
https://market.android.com/details?id=com.estrongs.android.pop and go to the permissions tab.
Apps HAVE to declare access to the file system. And it is enforced.

Edit:
Well, poop. The permission doesn't do what I thought it did. Reading IS available without a permission. Writing is not. I thought that reading required a permission as well (mostly due to http://stackoverflow.com/questions/8348624/sd-card-not-mounted-android-a... and other references to android.permission.READ_EXTERNAL_STORAGE) but when I created an app of my own with that permission, I wasn't notified that the app was requesting that permission when I installed it.

I am supposed to see a read permission in the example you gave? I can see a write permission, but that's totally different. There is no read permission because it does not exist: http://developer.android.com/reference/android/Manifest.permission.html

EDIT: ok then
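The two exchanges with mvader123 above (here and earlier in the thread) come down to one observation about the Android of that era: reading the shared storage needed no manifest permission, writing needed android.permission.WRITE_EXTERNAL_STORAGE. The activity below is an added illustration written for this page, not code from the post or any commenter, and it assumes a device where the external storage is mounted. Run without any <uses-permission> in the manifest, listDcim() returns a file count while tryWrite() fails; declare WRITE_EXTERNAL_STORAGE and the write succeeds. Beyond what the thread states: android.permission.READ_EXTERNAL_STORAGE was introduced in Android 4.1 (API 16) and only enforced by default from Android 4.4 (API 19), which is why mvader123 saw no install-time prompt for it; an app that needs the read should declare it anyway so the prompt appears on systems that do enforce it.

```java
// Added example (not from the article or the comments). Probes whether the
// camera folder on the shared storage can be read and written by an app that
// declares no permissions. Assumes a mounted external storage volume.
//
// AndroidManifest.xml lines for the two runs being compared:
//   (run 1) no <uses-permission> at all
//   (run 2) <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
// Defensive addition for newer systems (API 16+, enforced from API 19):
//   <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />

import android.app.Activity;
import android.os.Bundle;
import android.os.Environment;
import android.util.Log;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;

public class StorageProbeActivity extends Activity {
    private static final String TAG = "StorageProbe";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (!Environment.MEDIA_MOUNTED.equals(Environment.getExternalStorageState())) {
            Log.w(TAG, "external storage not mounted; nothing to probe");
            return;
        }
        File dcim = Environment.getExternalStoragePublicDirectory(Environment.DIRECTORY_DCIM);
        Log.i(TAG, "entries readable in DCIM: " + listDcim(dcim));
        Log.i(TAG, "DCIM writable: " + tryWrite(dcim));
    }

    /**
     * Counts entries in the camera folder. Before READ_EXTERNAL_STORAGE was
     * enforced, this succeeded for any app, with no permission declared.
     * Returns -1 when the directory cannot be listed (missing or unreadable).
     */
    static int listDcim(File dcim) {
        File[] entries = dcim.listFiles();
        return entries == null ? -1 : entries.length;
    }

    /**
     * Tries to create and remove a one-byte file. Without
     * WRITE_EXTERNAL_STORAGE the open fails with an IOException
     * (EACCES) and this returns false.
     */
    static boolean tryWrite(File dir) {
        File probe = new File(dir, "storage_probe.tmp");
        FileOutputStream out = null;
        try {
            out = new FileOutputStream(probe);
            out.write(0);
            return true;
        } catch (IOException e) {
            Log.w(TAG, "write denied: " + e.getMessage());
            return false;
        } finally {
            if (out != null) {
                try { out.close(); } catch (IOException ignored) { }
            }
            probe.delete(); // no-op when the create failed
        }
    }
}
```

The point for anyone auditing an app: in this model the manifest tells the user about writes, not reads, so the permission list an installer shows is a poor guide to whether an app can read photos; INTERNET plus readable shared storage is enough for the upload scenario biggbrother2 raises further down.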

worwig says:

Once an app has permission to access the sdcard, it has access to everything on it. Since the card is FAT file system, there are few alternatives to setting access rights.

You could encrypt the card I suppose.

But I like it that way. I can pull a card from my camera and poke it in there to read it.

No need for a tin foil hat here.

gxgs says:

Google goes the iOS way and they are done, one of the good things about it is that it doesn't need a sh*tty application called iTunes to manage every media object on the device. So much for security when the damn thing is not even FIPS certified.

Hopefully it's kept the Windows way and not having to install crappy software to get music, video or images out. That would be sad.

Any application can get the pictures in Windows and Mac OS, don't see the big deal, tards want to go the crippled mobile way, then let them go, Android will remain the only desktop-like mobile OS if they do it right.

paleh0rse says:

What's truly sad is that someone at Google believes that an increased reliance on "built-in, non-removable memory," is evolution... as if that's a good thing?! :(

Mr_Twist says:

I hope this doesn't become common, bringing silly things to newspapers.
I would like though that when there are things to take seriously we should, but not stuff like this. Hopefully Google's fix won't affect anything badly on Android.

biggbrother2 says:

I think this is more of a concern than you guys are letting on. I'm as big an Android fan as anyone, but I think it's a big deal that any app with permission to access the Internet can access your photos and upload them anywhere the developer wants. And for those of you that say that apps requesting Internet Permission should be scrutinized more closely, well I believe that any app with advertisements request access to the Internet. I also believe (but I'm not certain about this) that apps that have to verify a license must also access the Internet. So it's a common permission request.

I know it's easy to say "don't take inappropriate photos with your phone!" or "don't even use your camera!" or "nobody wants to see your ugly can!", but the fact of the matter is that photos a person takes with their camera (whether on a camera or phone) should be private, and you can't dismiss this as a minor issue because you don't care about your photos going public.

This makes me think that there is a good reason for such an explosion of explicit "my ex-girlfriend" or explicit pics of random normal women out there. Many of these photos were probably uploaded from apps installed on people's smartphones that they never knew would go public. This is going to be a publicity nightmare for Google.

Does the Galaxy Nexus handle this differently since it doesn't have an SD card?

TenshiNo says:

You make a valid point, but I think if it were really *that* big of a problem, we would have seen freeware apps on Windows and the like doing this for years. Implementing a change to "lock down" the pictures on your phone would require treating photos completely differently, storing them in a different partition from everything else, and that would likely mean you would no longer simply be able to plug in the usb and copy your photos to your PC.

It's a question of trade-off. Maybe el-goog could make it an option you can turn on. Personally, I'm not worried enough about it to deal with the hassle.

stanlm2 says:

Hmm, surprising mix of comments here. I may be oldschool, but first thing when you install windows personally is turn off UAC and unhide/enable admin account right? Turn on show hidden files and don't hide extensions? Then turn on file and network sharing so your pc can do anything conveniently?
I hope they implement whatever security anybody and everybody wants, just give me one little switch in settings called 'turn it all off, i know what i'm doing'

TenshiNo says:

Amen. There's a fine line between keeping malicious software out and keeping the user out. I think Vista crossed that line a bit. I don't care if Google wants to implement "paranoia-lock-down-mode" security on Android, so long as they give me a way to turn it off.

ChromeJob says:

Um. Last time I checked, Android was a variant of Linux. Linux, which uses ACLs. Haven't looked at the NYT article, but it seems reasonable that an app be required to request access to specific user file areas, either en masse or more explicitly. Access to each specific file area,... I dunno.

TenshiNo says:

It's not that Linux doesn't have ACL capability. The problem that is being outlined here is because the SD Card itself is formatted as FAT, rather than a Linux partition scheme such as EXT4. This allows your standard Windows-based PC to be able to read the data when you plug in the USB.

That said, I don't see the big "fear" here. I don't believe anyone wants to "steal" my pictures. If you were the guy doing that, can you imagine the sheer number of pictures of people's dogs and kids you'd have to go through before you got anything even remotely interesting?

Not a big risk, IMO.

kitchin says:

All I know is Phil is right by default. I agree almighty leader