iOS has been getting hammered because it leaves its users' photos, and other information, open to apps. Turns out, Android has the same problem. The New York Times Bits Blog got confirmation from Lookout, an Android security company that there is "no special permission required for an app to read pictures."
Once a user agrees to allow the app to use location data, just like iOS. Google confirmed that it's an issue, and is looking into changing how it deals with permissions.
To demonstrate how serious the issue can be with a seriously devious app, one developer made a simple timer app that asked for permission to connect to the internet, without mentioning photos. It then had free reign to go into the photo library and post the most recent photo to a sharing site, automatically. Considering what some of us keep on our phone, that could range from relationship-ending to career-killing.
Google has been proactive about malware on Android recently, so it stands to reason that it would step in and do something about this as soon as it can work out a way to not break every app in the Market. Sooner would be better. [NY Times]