It’s not just Apple. Photos are vulnerable on Android phones, too.

As Bits reported this week, developers who make applications for Apple iOS devices have access to a person’s entire photo library as long as that person allows the app to use location data.

It turns out that Google, maker of the Android mobile operating system, takes it one step further. Android apps do not need permission to get a user’s photos, and as long as an app has permission to access the Internet, it can copy those photos to a remote server without any notice, according to developers and mobile security experts. It is not clear whether any apps that are available for Android devices are actually doing this.

The Apple and Android problems are a reminder of how hard it can be to ensure security on complex mobile devices that can run a vast array of apps. Android apps are required to alert users when they want to retrieve other kinds of personal data — like e-mail, address book contacts or a phone’s location — so the lack of protection for photos came as a surprise to some experts.

“We can confirm that there is no special permission required for an app to read pictures,” said Kevin Mahaffey, chief technology officer of Lookout, a company that makes Android security software. “This is based on Lookout’s findings on all devices we’ve tested.”

In response to questions, Google acknowledged this and said it would consider changing its approach...