Android users warned over secret photo gathering app loophole

Android users have been warned that applications could be sending back photos stored on their phone to remote servers without their permission in yet another major security worry for the popular operating system, according to a report on the New York Times.

The issue revolves around a permissions loophole that grants third-party app developers the ability to copy users photos to a remote server without notice, as long as a user given the app consent to access the internet.

At the time of writing Google had not responded to V3's requests for comment on the issue.

Security analysts expressed shock at the revelation, with F-Secure analyst Sean Sullivan urging Google to address the issue as a top priority, particularly due to the risk of malicious apps emanating from the Far East.

"Google should consider changing it sooner than later. It's very surprising there isn't already an app that does this in a third-party Chinese market. Of all the places in the world that innovate spy-tools/backdoors/webcam trojans - it's China," he said.

Citing a similar report highlighting the same problem with Apple's iOS, analysts have since suggested that the loopholes demonstrate a problem with mobile security across the board.

"The lack of special permissions required to access personal user data such as photos on a mobile platform is truly alarming, particularly when abuse of that information is possible simply through the request of another apparently unrelated permission, such as internet access," commented Trend Micro security expert Rik Ferguson.

"The system of app permissions should be designed with a higher degree of security than is currently the case, this is not only true of Android but other major mobile operating systems as well."

Google has already come in for widespread criticism this week for pushing ahead with changes to its privacy policies despite claims by European data regulators that the changes do not conform to European data protection legislation, a claim Google has dismissed.