Google tussles with security researchers, privacy advocates

Google's decision to display images in Gmail messages by default has ruffled some feathers

Security researchers and Google are at odds over the risks posed by its decision to display images in Gmail messages by default, rather than have users choose to display pictures.

[Experts applaud Google completion of SSL certificate upgrade]

While Google believes the change strikes the right balance between security and user experience, researchers for Rapid7 say it helps spammers and stalkers track whether emails are reaching their victims.

The debate started Thursday when Google said it would store email images on its own proxy servers, rather than have them reside on senders' remote servers. Newsletters and promotions from Amazon or magazines are examples of image-rich emails that are actually Web pages that make requests for images from a Web server.

By having the requests made to Google's proxy servers, the company believes it can hide from senders a lot of identifying information of recipients, such as IP address, location and the type of email client being used.

In Google's view, finding out whether a Gmail account is active is a good trade off for blocking all the other information. Under the old system, clicking to receive images would tell the sender the account is active anyway, plus provide all the other personal data.

Google also notes that people can turn off the default setting and go back to having to grant permission for Gmail to load images.

Nevertheless, Rapid7 researchers say displaying images by default would give miscreants immediate feedback on whether the Gmail account is active, making it possible to compile more effective email lists for phishing campaigns.

"In my opinion that's kind of the lead (to the story), automatic opt in rather than opt out," Tod Beardsley, security researcher for Rapid7, said. "And it's really surprising, because Google is usually pretty good about this kind of thing."

Tracking code and malware could be embedded in the images and activated immediately, according to Beardsley. For spam and malicious attachments to get on a person's computer, it would have to first evade Google's filters.

Besides alarming security researchers, Google also stirred up privacy concerns in removing an Android feature called App Ops two days after it appeared and had been praised by advocates.

[Security experts question if Google's Chrome Apps is worth the risk]

The feature seemed to provide a simple tool for denying permissions to each app on a smartphone. The user interface was a list of permissions, such as location, read contacts, send SMS and call phone, with a choice of "on" or "off" next to each.

The problem was App Ops was added to Android 4.3 by mistake, so Google promptly removed it in version 4.4.2, the latest update.

"That UI (user interface) is, and it should be quite clear, not an end-user UI," Google Android engineer Dianne Hackborn wrote on Google+, which was reprinted by ThreatPost.

"It was there for development purposes. It wasn't intended to be available."

The Electronic Frontier Foundation acknowledged that App Ops, which broke some other smartphone apps, needed work. However, the nonprofit argued that Google should have repaired it, not remove it.

"The disappearance of App Ops is alarming news for Android users," Peter Eckersley, EFF technology projects director, said in a blog post.

"The fact that they cannot turn off app permissions is a Stygian hole in the Android security model, and a billion people's data is being sucked through."

So for now, Android users are left with the choice of sticking with Android 4.3 with App Ops or upgrading to version 4.4.2, which provides less privacy, but a number of patches for security flaws in the platform, Eckersley said.

To comment on this article and other CSO content, visit our Facebook page or our Twitter stream.
Insider: Hacking the elections: myths and realities
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.