All photo apps require permission to photos, to work properly. Does this mean a malicious developer can upload users' photos to cloud, so he can see? If that is possible, what prevents him from doing so?
All photo apps require permission to photos, to work properly. Does this mean a malicious developer can upload users' photos to cloud, so he can see? If that is possible, what prevents him from doing so?
Share Improve this question asked Jan 29 at 13:56 newnew 3871 gold badge3 silver badges14 bronze badges 1- 1 Security is enhanced now, but technically yes, if users provide all the permissions. – Samudra Ganguly Commented Jan 29 at 16:50
1 Answer
Reset to default 1Typically, the Android permission model requires developers to declare the permissions their apps need in the AndroidManifest.xml file. For accessing photos, these are used:
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
Users must explicitly grant these permissions in Google Play Store during installation. Furthermore, from API 23 (Android 6.0) permissions can be also requested at runtime. This means users can make informed decisions about granting permissions based on the app's current context.
Since you're particularly interested in photos, there is another interesting security feature dedicated especially to images: from API 34 (Android 14) Android apps can use a new permission:
<uses-permission android:name="android.permission.READ_MEDIA_VISUAL_USER_SELECTED"/>
This allows users to pick specific photo/video directories rather than the entire library. Modern photo apps' developers are encouraged by Google to implement it (read more here).
The Android OS itself includes security features, such as Google Play Protect which scans apps after install for malicious code (read more here).
And last but not least: every developer must provide a privacy policy if they want to publish their permission-greedy app on Google Play.