Android apps accessing user data without asking

Android applications are able to access a user's personal photos and files on Android version 4.3 or older without notifying them, according to Hong Kong's privacy commissioner.

The region's Office of the Privacy Commissioner for Personal Data (PCPD) yesterday detailed its discovery of the privacy failure in Android's permission model.

The office said it had tested the authenticity of the Android app model - in which all intended access to data stored on the device is disclosed to the user prior to app installation - and found the privacy hole.

"PCPD's tests have revealed that it is possible to develop an app that can read the memory of Android devices, including photos, files, and any data other apps choose to store in the devices, without the need to inform app users on the permission page," the privacy watchdog reported.

It said while Google had addressed the notification of permissions for access to a device's shared memory for Android 4.4, the privacy hole remained a serious issue for the "two-thirds" of Android users running Android 4.3 or earlier.

The office said it made Google aware of the issue in August, and formally requested the company take corrective action late last month.

Hong Kong privacy commissioner Allan Chiang said the evolution of technology meant consumers were giving up more of their personal data - and it was therefore "increasingly incumbent" on those collecting and using such data to take greater care and responsibility to safeguard consumers' privacy.

"I expect technology giants such as Google to live up to this privacy promise. It is imperative for them to practise privacy by design by embedding privacy by default into the design and architecture of IT systems, not bolted on as an add-on, after the fact," he said.

"To say the least, it is disappointing to know that Android, as one of the major mobile operating systems, has this flaw."

The PCPD advised app developers to encrypt the data stored in a device's shared memory.

A Google spokesperson encouraged users of Android 4.3 and older to upgrade to the latest version to access the changed permission notifications.

"One of the improvements we made in Android 4.4 was to provide enhanced notification about access by applications to data on shared storage. We encourage users to update to a newer version of Android to benefit from this and other improvements," the spokesperson said.