There's been a new twist uncovered by the folks at The Verge about apps with no permissions accessing the SD card, and to keep the sky from falling we're going to break down what is going on. 

If you haven't read it yet, the stock Android gallery (in versions prior to Android 3.0) decodes Geotags automatically when you sync with your online Picasa gallery, and it stores the information in a cache file on the SD card. This is done so the gallery can be sorted by location. What wasn't mentioned is that this data is already present if you Geotag your images; it's just in a different form. Take this lovely photo:

Manchester England

Open it on any computer and look at the EXIF data (and yes, an app could be written to easily do this on your Android device itself):

EXIF

Those are pretty exact latitude and longitude coordinates. Plug them into the Google Maps website and you'll get this in seconds:

Maps

That's within feet of where Alex was standing when he took this picture. All without this security "hole" being involved, and it took less than 60 seconds to do.

Is this a good thing? Why, hell, no it's not, at least from a security/privacy standpoint. If you're taking pictures at home and geotagging is turned on, anyone who finds your phone (or a malicious app) would be able to find out exactly where you live. Or work. Or sleep. Or pick up your kids. Or cheat on your spouse.

But -- and this is important -- it is something you said was OK to do when you decided to mark your pictures with a location. And geotagging is hardly a new phenomenon. That's why we mentioned that you may want to turn Geotagging off in your camera.

And before anyone starts saying Google should encrypt or force permissions on the pictures folder, understand that means you'll need a bloated, OEM-approved program for your computer that can decrypt and have permission to access the pictures you take. Nobody wants to have to use aTunes to see their photos. Nobody.

Removable storage was designed to be read from any other device. That means the data on it is wide open for the world to see. This isn't going to magically change as long as removable storage is included on devices. We have to take responsibility for our actions, and if we said it was OK to share location data for the pictures we take, that means it's OK to share location data for the pictures we take. It's a side-effect of having removable storage that other devices can read, and the only way to keep things in check is to understand the implications of what you're doing. You may not like it, but unless you design a better method, this is the way it's going to be.

Never store any data you feel is sensitive on removable storage, no matter what mobile device you're using. If an app is storing data on your removable storage you feel is too sensitive, then stop using that app. 

Hopefully, this helps you understand what's happening a bit better. Now go shut off the location in your camera app if you need to. 

 
There are 19 comments

dancing-bass says:

Common sense here folks. The more you allow Google (or any other internet-connected device) to know about you, the more chance there is that people will find out stuff about you. Some of it is encrypted, some isn't encrypted and should be, and really you/we/I need to take responsibility for this.

If a device is internet-connected, there is a chance that any information on that device will fall into the wrong hands, due to hacking, theft, or simple carelessness...

On one extreme, you can cut up your credit cards, shut down your online life, and live cash-only. The less computer-connected you are the more secure your online life is.

On the other, you can just not care and put whatever you want into your online information. Not worry about personal safety/security at all and hope/trust things will be ok.

It's up to you/me where you want to be between those 2 extremes.

bdroc says:

I guess it's a good thing I have a Samsung Vibrant. The GPS would send them to my neighbor's house down the street.

Geotagging is pointless anyway...anyone I would show my pictures to I would tell where it was taken if they were nosy about it.

Very good expose though.

AndroidOne says:

"I guess it's a good thing I have a Samsung Vibrant. The GPS would send them to my neighbor's house down the street."

Yeah, that is a SECURITY FEATURE on many Samsung phones...

movielover76 says:

There really should be a system wide setting in Android with options to disable geotagging completely, only provide approximate location (maybe the center of the city you're in) or allow completely accurate geotagging.

Personally I've never cared much if my images have the location I shot them, it's kind of a cool feature to me. But I can see how some people would be concerned about this.

There is. Just go into Settings->Location services and uncheck GPS Satellites. The best you can get is cell tower or wifi location. If you don't want that, dump location service altogether (same place for that setting).

joebob2000 says:

It's still a little bit scary, if you have a wifi AP that google trolled with their streetview car. Now, even with GPS off the pin is still pretty much centered right on my house since wifi/location is turned on. I have to turn off all but the VZW location assistance to get it to be inaccurate.

dyinman says:

"It's still a little bit scary, if you have a wifi AP that google trolled with their streetview car."

WiFi locations were being mapped by thousands of people long before Google started snapping a few pictures on the streets. There are huge projects dedicated to that.

Turn off all location services and you have nothing to worry about.

codezion says:

This is a really good post to raise awareness for Android users of what kind of information they are publishing to the world when they post pictures online.

I recently encountered this "feature" when I posted a few pictures on a new Craigslist Ad. I am a bit paranoid about safety for the family and so I typically try to be very careful not to invite strangers at my house for picking up Craigslist items if I can avoid it. I prefer to meet people in public places when possible. However, after posting a couple of pictures that I took via my phone, I accidentally happened to notice how I just provided the exact Lat/Long information of my house. It was too late since the pictures were already sent. However, I have looked for every opportunity since then to let people know about this.

I am not sure if FB or Instagram or any other app strips down this EXIF info or not either.

I am a pretty tech savvy person and Yes - I agreed to the terms but I don't remember the last time I ever fully read the terms (my own fault) and carefully dissected the words to understand what all I was actually agreeing to.

You just have to be careful.

joebob2000 says:

EXIF geotagging has been around for like 20 years and it's only a problem now that your smartphone didn't make it brutally apparent that it was putting coordinate data into your pictures? Orly? Sure the default probably ought to be set to off (it was on my phone but not all are alike of course) but at the same time you probably shouldn't EVER use the pretense that you are anonymous with anything you do online unless you are extremely deliberate in your actions. Even without a geotagged photo attached, it's not too hard to find out where someone lives by just having an email from them.

dyinman says:

"I am a pretty tech savvy person..."

Clearly, you're not.

EXIF has been around for ages, and your Canon might be geotagging your photos too. It's nothing specific to Android, Google, or smart phones.

If you're going to raise awareness, raise awareness that thousands of devices geotag photos. There's no reason to start crying about Android here.

Timelessblur says:

The Verge seems to be turning from a great tech site to a place that runs trolling non stories to get clicks. Really they should have run the article like this one Jerry wrote, explaining why it is a non issue and the media and bloggers are making a story over nothing.

joebob2000 says:

Agreed. Like this gem: "So an app with ill intent could potentially uncover our address and location, alongside our photos and user IDs, but what next?"

Oh GOD, what's next, someone will figure out that someone else (still just pseudonyms) has a smartphone and lives at some address! Surely this is critical, private information! As if the details of who someone is/where they live isn't on the internet in many other forms anyhow (especially if you own your home.) This is just like "Craigslist paranoia" some people have about letting the world know they have an old TV or matching set of star wars cups, AND where they live! Come on, if someone wanted to find a place to rob with nice stuff, they aren't going to troll craigslist they are just going to head over to the nearest high-income zipcode and pick a nice looking house at random. Props for paranoia though.

AndroidOne says:

"...We have to take responsibility for our actions..."

SAY WHAT!!!! If I start doing that I may lose my Government check...

MrSmith317 says:

Here's my question. If the camera can use the GPS to figure out exactly where you're taking a picture a split second before/after your picture is taken...Why do most phones' navigation systems take forever to get a GPS lock? I'm looking at you Samsung Fascinate.

joebob2000 says:

You're holding it wrong, hahahehehehahaha.

Srsly, my fascinate (with the latest update) is super fast with the GPS, unless the weather is total crap.

DerekMorr says:

I increasingly think that giving all apps carte blanche access to the SD card is a bad idea. Too many apps put too much personal information there. I don't think that it's realistic to expect users (especially non-technical users) to constantly check what information is stored on what partitions on their phones. I think there's some merit in firming up the Android sandbox to prevent this sort of information leakage.

Mark_Venture says:

I can understand the EXIF data being "available." Hey, it's been in photos taken with my first digital cameras (minus GPS coordinates since those cameras didn't have GPS), and those details were available once smart phones with cameras hit the scene.

I'm confused by their statement "...But we were also able to find our Google account e-mail address, Spotify ID, and a list of addresses.

The list was found inside the cache of com.cooliris.media, which was the default gallery for many..."

So was the email address, spotify ID, etc. also found there in the same gallery cache? I would guess email address because the gallery can sync with many gmail/picasa accounts?? But why would spotify id be there?

dyinman says:

Listen, do you want to use sd cards or do you not? It's as simple as that. Quit wasting my time with stupidly obvious trash like this.

I'd also like to point out that, once again, an app with no permissions won't be able to do jack shite with your geotagging info. It can't connect to the internet.

DerekMorr says:

Yes, they can. The app itself can't open a socket, but it can have the browser open a connection for it - either to upload data (via URL parameters) or to download data.

There is a great video demo of this technique here: https://viaforensics.com/security/nopermission-android-app-remote-shell..... It shows using this technique to give a remote user a shell on the device.