Recent investigations into the untidy state of smartphone app permissions have led to a startling discovery—Android apps can siphon photos off your phone as long as you give the app permission to access an Internet connection.

After throwing Apple into the fire for allowing social networking app Path to access a user's contacts without an explicit warning, further probes revealed that iOS apps could upload pictures from a user's gallery and send them to an unknown server as long as the user allowed the app to see pictures with location data on them. Today, an investigation by the New York Times revealed that Android's permissions system is allowing the same thing, although perhaps in a more nefarious way.

The Times got an Android developer to make a simple timer for a test app. When the app was launched, it asked for permission to access the Internet, making no mention of access to the user's photo gallery. Once the permission was accepted, however, the app accessed the user's most recent photo and uploaded it to a public website.

Google responded by saying that the privacy breach is a legacy of the way old Android phones handled photos—usually on external SD cards that could be removed and exchanged so that users could grant permissions to access the data off one memory card but not another.

The photo uploading problem is yet another privacy fumble in which Apple is caught first, but Android is also found culpable later, like when iOS phones were found tracking location data and storing it in a file on the phone in mid-2011. In response to the Times' questions on photo uploading, Google said it would consider changing its approach, but asserted that its security system Bouncer screened applications for inappropriate implementation of permissions.