Photos On Your Phone Are Not So Private

The New York Times have run 2 sensationalist stories in the past week ‘uncovering’ the shocking news that app developers may be able to access your phone’s private photos. First up was the ‘Apple loophole that gives developers access to photos’ article:

“After a user allows an application on an iPhone, iPad or iPod Touch to have access to location information, the app can copy the user’s entire photo library, without any further notification or warning, according to app developers”.

The NYT even went as far as commissioning a developer to create a proof of concept app that could siphon off user photos to a remote server (not released into the app store). Almost a carbon copy appeared a few days later in the ‘Android Apps can also secretly copy photos’ article:

“As long as an app has the right to go to the Internet, it can copy those photos to a remote server without any notice”

Whilst I am always in favor of increased security awareness amongst users, there are a few points to note:

  • Both articles go on to state that it is unclear if any apps in Apple’s App Store or the Android Market are actually copying user photos illicitly. In other words, they couldn’t find a single real world example of such rogue activity – if they had we can be sure they would have trumpeted it on the front page…
  • Such security permissions (or lack of them) for apps to be able to access your photos are nothing new – the same ‘loopholes’ have been present in earlier versions of iOS and Android for years.
  • The fact that there is no evidence of such activity in practice suggests that the app store/market are not an ‘anything goes’ free for all, full of cowboy apps – the current oversight of apps by Apple, Google and independent researchers must have worked pretty well to date.
  • Most pertinently, a majority of people copy private photos from their phone to a PC/laptop where there is (and never has been) any security that would stop a rogue program pilfering the contents of your photos folder.

Comparison To PCs/laptops

Consider the photos stored on your computer. Because only read access would be required, antivirus software won’t stop such naughtiness and firewalls won’t help either if the program has been given internet access (which most are nowadays e.g. to check for updates).

Likewise, Windows security permissions and user account privileges won’t stop a dodgy program sending your photos out over the internet – in essence, all your photos, documents and other user files on a PC/laptop are wide open to being pilfered by any program at any time – and they always have been.

How have we coped to date with computers which have no practical security against such unwanted file transfers? [Note: there are complex security programs, firewalls, port blocks and encryption techniques that could stop such things but you won’t find them on an average computer]

The best security against this type of malicious program behavior is trust – trust in the program’s developers, trust that the wider tech community would spot a program attempting to siphon off personal data, trust that user feedback would quickly shut down a rogue program – or at least brand it as a malicious app that antivirus programs could protect against.

Conclusion

Security of apps in the mobile phone world is similar to programs on desktops – except users may (incorrectly) view their smartphone simply as a phone with internet access, rather than a fully fledged computer facing much the same risks as a traditional PC.

Users who try out hundreds of new apps from previously unknown developers, and users who download apps outside the official markets will inevitably open up their phone to unchecked apps, which may or may not be malicious.

I await the next New York Times tech story with interest – how about ‘Windows loophole that gives developers access to photos’ for a headline?

What do you think – is it user behavior that needs to change or increased operating system security, or a bit of both? Let us know in the comments below.

3 Responses to: "Photos On Your Phone Are Not So Private"

  1. Mark W. says:

    Roy, we’re on it. I mean, my U.S. Senator is on it – http://mashable.com/2012/03/05/senator-schumer-ftc-apple-google/ . :)

    • Roy says:

      Shame that senator apparently supported the dangerous anti-privacy SOPA and PIPA bills (https://techlogon.com/2012/01/18/sopa-wikipedia-and-other-internet-blackouts-today/) recently – bit late for him to be jumping on the privacy bandwagon ;-)

      His quote “Smartphone developers have an obligation to protect the private content of their users” might also worry Microsoft and Apple (Mac division) though – there is no such obligation in Windows/Mac and never has been.

      Arguably there should be but it’s impossible to implement without the walled garden of an official program Marketplace which just isn’t going to happen (I know MS are planning an app store for Win8 but that is small scale, never going to be the major/only source for Windows programs).

      • Mark W. says:

        Thanks Roy for your articles on privacy. I believe privacy is really about personal responsibility. I can’t just leave it to industry or government to make privacy decisions for me. It’s about always being diligent and being informed. Always looking for the weak link in the long chain. Trying to decide who to trust. I give up a lot of privacy just by the fact that I’m online so privacy is really semantics. Anyways, one of the ways I try to protect my privacy while surfing the Internet is to use a browser extension named DNT+ by Abine (DNT is an acronym for ‘do not track’). They have a blog post (long infographic) on online privacy that I think you’ll find interesting at http://www.abine.com/wordpress/2012/understanding-your-online-privacy-a-really-long-infographic/ .