Photos On Your Phone Are Not So Private
“After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library, without any further notification or warning, according to app developers”.
The NYT even went as far as commissioning a developer to create a proof of concept app that could siphon off user photos to a remote server (not released into the app store). Almost a carbon copy appeared a few days later in the ‘Android Apps can also secretly copy photos’ article:
“As long as an app has the right to go to the Internet, it can copy those photos to a remote server without any notice”
Whilst I am always in favor of increased security awareness amongst users, there are a few points to note:
- Both articles go on to state that it is unclear if any apps in Apple’s App Store or the Android Market are actually copying user photos illicitly. In other words, they couldn’t find a single real world example of such rogue activity – if they had we can be sure they would have trumpeted it on the front page…
- Such security permissions (or lack of them) for apps to be able to access your photos are nothing new – the same ‘loopholes’ have been present in earlier versions of iOS and Android for years.
- The fact that there is no evidence of such activity in practice suggests that the app store/market are not an ‘anything goes’ free for all, full of cowboy apps – the current oversight of apps by Apple, Google and independent researchers must have worked pretty well to date.
- Most pertinently, a majority of people copy private photos from their phone to a PC/laptop where there is (and never has been) any security that would stop a rogue program pilfering the contents of your photos folder.
Comparison To PCs/laptops
Consider the photos stored on your computer. Because only read access would be required, antivirus software won’t stop such naughtiness and firewalls won’t help either if the program has been given internet access (which most are nowadays e.g. to check for updates).
Likewise, Windows security permissions and user account privileges won’t stop a dodgy program sending your photos out over the internet – in essence, all your photos, documents and other user files on a PC/laptop are wide open to being pilfered by any program at any time – and they always have been.
How have we coped to date with computers which have no practical security against such unwanted file transfers? [Note: there are complex security programs, firewalls, port blocks and encryption techniques that could stop such things but you won’t find them on an average computer]
The best security against this type of malicious program behavior is trust – trust in the program’s developers, trust that the wider tech community would spot a program attempting to siphon off personal data, trust that user feedback would quickly shut down a rogue program – or at least brand it as a malicious app that antivirus programs could protect against.
Security of apps in the mobile phone world is similar to programs on desktops – except users may (incorrectly) view their smartphone simply as a phone with internet access, rather than a fully fledged computer facing much the same risks as a traditional PC.
Users who try out hundreds of new apps from previously unknown developers, and users who download apps outside the official markets will inevitably open up their phone to unchecked apps, which may or may not be malicious.
I await the next New York Times tech story with interest – how about ‘Windows loophole that gives developers access to photos’ for a headline?
What do you think – is it user behavior that needs to change or increased operating system security, or a bit of both? Let us know in the comments below.