Android’s permission system is unique in the world of mobile operating systems. Instead of trusting the result of a review process, the user of an app decides on the basis of trust if s/he will run an app or not. The list of permissions which an app requests is part of this decision making. Hence, the permission system of Android plays an essential role in the whole app ecosystem.
While for the most part, this system is great, there is a little design flaw. To be fair, it emerged over time, because of the fast development of mobile operating systems and the mobile market. The flaw concerns Android’s “external storage” (how it’s called by Google’s developer guides) or rather SD card storage (how most end users refer to it).
Starting with Android 1.6, SD card storage became part of Android. That means, you can plug your Android device via a USB cable to your computer and read a certain part of your device’s storage as USB mass storage device, like it’s a USB flash drive. If an app wants to write data on that part of your storage space, it has to request a permission, which Google describes to the user as follows:
“modify or delete the contents of your USB storage / modify or delete the contents of your SD card”
For some reason, a read permission was lacking. Maybe this was the case because – technically speaking – the part of the storage that is USB storage is a special partition, usually a FAT32 partition, which might make it hard to enforce access control within a Linux system (which Android is).
What has this to do with your photo gallery? Most devices running Android 2.3 – which is the most widely-used Android version even now – use the USB storage as default for storing the photos and videos you capture with your device camera. They do so because USB storage usually provides the largest amount of space on an Android device.
As a consequence, even an app without ANY permission can read from your SD card. It cannot change anything, but it can read everything. This also applies to all files which you store on your SD card, not only photos and videos. However, photos and videos are stored in a location easy to determine by any app developer. Nevertheless, it would be possible to search the entire SD card for other interesting data in a very short time.
Now, think what this means. Think of your favorite free game which most probably makes its money out of ads. Most users know exactly how the market works. They load a free app, this app has the permission “Internet/Network” which usually means it is ad-supported (and maybe has some online features, too) and they accept that. We all do. At the end, we love to get many apps for free. It’s reality, it’s normal.
From the security point of view, it means the following: any app with solely the permission to access the Internet is technically able to transfer all your photos and videos and the rest of your SD card files to the Internet without you noticing it. Sad but true. Most users are not aware of this, but because of the “trust system” of Android, they give a big amount of trust to any app with solely “Internet/Network” permission.
Last year, after news broke about iOS apps that send the user’s complete internal address book to the Internet without the user’s knowledge, some security experts pointed to the flaw on Android regarding SD card access.
With Android 4.1 Google started to react. There is a new permission in the SDK that requires an app to get a read permission if it wants to read the SD card / USB storage. However, this will not change the behavior of devices running below Android 4.1 and, as far as the developer documentation says, it is still not enforced on all Android 4.1+ devices.
Why? The explanation is easy — all apps legitimately operating on your SD card (like file browsers, media apps etc.) need to be updated using this new permission or they will not work properly.
It will take some more time till this flaw is closed completely. In the meantime, anybody should be aware about what technically is possible and – sad but true – state of the art.
At the time writing it is unclear how the new read permission will affect external SD cards, since these are integrated in a non-standard way into Android devices by many manufactures (like Samsung or HTC). This might be one of the reasons why Google’s Nexus devices including the newest, Nexus 10, do not have microSD card slots.