If you’re one of the hundreds of millions of Android Messages users, then your phone could be leaking highly sensitive, personal, even dangerous information without you even realizing. Here’s what you need to do.
Your smartphone leaks your personal information, none of which is more sensitive than the location tags that tell others where you are and where you’ve been. Google has finally followed Apple’s lead and is doing something about this. Android 11 is a serious step forwards in protecting this most sensitive type of data. But most users don’t run an updated version of Android with this protection. And, more worryingly, there are serious holes in this security when you use your Android Messages app.
Location tagging is a tricky subject. It’s critical to some of the apps we use most on our phones—maps and navigation most obviously, ordering taxis and food, finding service providers near where we are, and also sorting our photos. When you take a photo with your phone’s camera, data is embedded in the image that includes the specifications of the camera, the date and time, and the precise location where it was taken.
This is really useful when we want to organize our photos—grouping images taken in overseas cities or near to home, making it much easier to search through vast albums of thousands of images. But embedding this so-called EXIF (Exchangeable Image File) metadata can be dangerous and can certainly be an invasion of your privacy when it remains attached to those photos as you share them with others.
Social media apps and messengers strip this EXIF data when you send your photos through or to their platforms—the likes of WhatsApp, Twitter, Snapchat, Instagram and Messenger. Beware, though: Facebook might strip the metadata when you save photos in your albums or on Instagram, but it also collects and stores that metadata for its own purposes.
While that’s obviously an issue, the arguably bigger issue is that if you use your Android Messages app to send your photos, then the metadata remains embedded in those files. Anyone you share those images with, as well as anyone they share those images with, will be able to see the exact location where your photos were taken.
This problem is made worse because of the way that settings work on Android. Your Messages app and your camera app have separate location permission settings: allow all the time; allow only when in use; or denied. And making sure that you don’t send your location data is harder than it should be.
Put bluntly, you may think that you have stopped this information from being shared when you have not. Here’s the issue. There are two ways you can send an image using Android Messages—you can attach it to a message, or you can use the camera feature within the Messages app itself. The way you choose to take and share an image will determine the level of protection you have.
If you set the location permissions for Messages to “denied” and use the camera in the Messages app to take and send a photo, your location will not be included. But if you set the location permission for Messages to “denied” but the location permission for your camera to allowed, then photos you attach to messages from your gallery will include your location. Messages does not strip this data from the images it sends.
The safer alternative is to use a different messaging platform to share photos—iPhone users have exactly the same issue with iMessage. You can use WhatsApp or Signal as excellent secure alternatives, albeit those will also compress the file size of your images as part of that same metadata stripping process.
The other option you have is to delete the location tags within your gallery app, if you have this option. If not, you can use an EXIF viewing and editing app from Play Store. Unfortunately, the problem with deleting the location tag is that it’s permanent. So you will lose the usefulness of location tags in your gallery for those images you’ve edited—they won’t show up with the others taken in the same place. You could of course screenshot the images you want to share and send the screenshots if that’s easier—these should not include location tags.
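To check for yourself whether a photo still carries a location pointer before you send it, the following is an added example (not part of the original article) that walks a JPEG's header segments, looks for the GPSInfo entry (tag 0x8825) in the EXIF directory, and can return a copy with the EXIF segment removed. The function names and the `sample_jpeg` input are constructed for illustration.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-directory

def jpeg_segments(data):
    """Yield (marker, start, end) for each header segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield data[pos + 1], pos, pos + 2 + length
        pos += 2 + length

def exif_blocks(data):
    """Yield (start, end, tiff_bytes) for every EXIF APP1 segment."""
    for marker, start, end in jpeg_segments(data):
        payload = data[start + 4:end]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            yield start, end, payload[6:]

def has_gps_tag(data):
    """True if any EXIF block's IFD0 carries a GPSInfo pointer."""
    for _, _, tiff in exif_blocks(data):
        endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if endian is None or len(tiff) < 10:
            continue  # malformed TIFF header: nothing parseable here
        (ifd0,) = struct.unpack(endian + "I", tiff[4:8])
        (count,) = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\0"))
        for i in range(count):
            entry = tiff[ifd0 + 2 + 12 * i:ifd0 + 14 + 12 * i]
            if len(entry) == 12 and struct.unpack(endian + "H", entry[:2])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(data):
    """Return the JPEG without its EXIF segments; image data is left untouched."""
    out, last = bytearray(), 0
    for start, end, _ in exif_blocks(data):
        out += data[last:start]
        last = end
    return bytes(out + data[last:])

def sample_jpeg(tag):
    """Constructed input: header-only JPEG whose IFD0 holds one entry with `tag`."""
    tiff = b"II*\x00" + struct.pack("<IHHHII", 8, 1, tag, 4, 1, 26) + b"\0" * 4
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"
```

`strip_exif` removes the whole EXIF block, so camera model and timestamp go along with the location, and it works on a copy of the bytes so the original in your gallery keeps its tags. It covers JPEG only; other formats and other metadata containers need their own check.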
Ironically, this issue has arisen given Google’s rollout of RCS—the basic MMS functionality built over SMS should strip metadata as it resizes and compresses the images. The next major update to Android Messages will see it implement end-to-end encryption, putting it more on par with Apple’s iMessage. This is currently in beta. That change won’t fix this photos issue, though. It is another example of the disconnect between metadata and encryption that has made WhatsApp headlines in the last week.
It’s sometimes useful to share location information with your photos—when sending within your family, for example. Usually, it is not. And once you lose control over a photo, you lose control over its metadata. With children engaging ever more on social media, sending and sharing images above all else, this becomes a critical risk. You do not want your kids inadvertently sharing their locations. And if they have their own phones, then it is sensible to disable location tagging on the camera altogether.
For the rest of us, it is likely that EXIF data will become a more prominent issue over the coming months as the focus on location tracking continues to increase. We can hope that both Google and Apple will add simple functionality to their messaging and camera apps to provide easy control over location tagging, recognizing that this functionality is useful but only if it can be contained.