The Inquirer

Vulnerability in HTC smartphones exposes user data

Updated: HTC is planning an urgent patch
Mon Oct 03 2011, 14:05

AN ANDROID EXPERT has discovered a serious vulnerability in several HTC smartphone models that allows almost any app to read sensitive data stored on the devices.

The security issue was identified by Android developer Trevor Eckhart and is the result of HTC failing to properly secure information collected by a recently introduced logging application.

It's not clear why this data collection app was installed during recent HTC phone updates, but Eckhart found that it exposes a lot of sensitive information like user accounts, email addresses, GPS history, phone numbers listed in the phone log, SMS data and even low-level system details.

According to Eckhart, any app holding the INTERNET permission - which means most of the apps out there - is able to read this data. The reason is that the logger makes the data available over a local network socket rather than through one of Android's permission-gated interfaces, so the platform's per-app permission checks never come into play; being able to open a socket is all a client needs. Android Police reports that some of the system information exposed in this manner could also be used to clone a device.
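The point above, that a service listening on the local loopback is reachable by every local process, is easiest to see by building both designs side by side. The following is an added illustration written for this page, not code from Eckhart's report or from HTC's logger; the "sensitive" record it serves is constructed, the server and client run in one process, and the hardened variant assumes Linux, because it uses SO_PEERCRED on a Unix-domain socket to learn the connecting process's UID. On Android the real fix would be to expose the data through a permission-protected Binder service or ContentProvider; the UID check here is the closest stand-in that runs on an ordinary Linux box.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed sample of the kind of data the article says the logger exposed.
# This is made-up content, not captured from a real device.
LOGGER_DATA = "account=alice@example.com;gps=37.77,-122.41;sms_count=42\n"


def _serve_once(server_sock, handler):
    """Accept exactly one connection on server_sock and hand it to handler."""
    def run():
        conn, _ = server_sock.accept()
        with conn:
            handler(conn)
        server_sock.close()
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


def leaky_tcp_logger():
    """The vulnerable design: a logger that answers any local TCP client.

    Binding to 127.0.0.1 keeps remote hosts out, but on Android every app with
    the INTERNET permission is a local process and can connect. The service
    learns nothing about who the client is, so the data goes to anyone.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port; a real logger would use a fixed one
    srv.listen(1)
    port = srv.getsockname()[1]
    t = _serve_once(srv, lambda conn: conn.sendall(LOGGER_DATA.encode()))

    # "Unprivileged app": nothing but the ability to open a socket.
    with socket.create_connection(("127.0.0.1", port)) as app:
        with app.makefile("r") as f:
            leaked = f.readline()
    t.join()
    return leaked


def checked_unix_logger(allowed_uids):
    """The hardened design: a Unix-domain socket whose peer UID is verified.

    Linux reports the connecting process's credentials via SO_PEERCRED
    (assumption: this runs on Linux). Since every Android app has its own
    UID, checking the peer UID is the local analogue of a permission check.
    """
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "logger.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def handler(conn):
        # struct ucred is three 32-bit ints: pid, uid, gid
        creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                                struct.calcsize("3i"))
        _pid, uid, _gid = struct.unpack("3i", creds)
        if uid in allowed_uids:
            conn.sendall(LOGGER_DATA.encode())
        else:
            conn.sendall(b"denied\n")

    t = _serve_once(srv, handler)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as app:
        app.connect(path)
        with app.makefile("r") as f:
            reply = f.readline()
    t.join()
    os.unlink(path)
    os.rmdir(tmpdir)
    return reply


def run_demo():
    """Returns (leaked_by_tcp, reply_when_our_uid_is_allowed, reply_when_not)."""
    me = os.getuid()
    return (leaky_tcp_logger(),
            checked_unix_logger({me}),
            checked_unix_logger(set()))


if __name__ == "__main__":
    labels = ("tcp logger, anonymous client", "unix socket, uid allowed", "unix socket, uid denied")
    for label, result in zip(labels, run_demo()):
        print(f"{label}: {result.strip()}")
```

The TCP variant hands the record to the first caller regardless of who it is, which is exactly the property that made "any app with INTERNET permission" the attacker population here. The Unix-socket variant refuses the same client the moment its UID is not on the allow list; the credential comes from the kernel, not from anything the client sends, so the client cannot lie about it.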

In addition, HTC ships another app called "androidvncserver.apk", whose name suggests a VNC server, that is, remote screen and input access. That capability has not been confirmed and the app is not started by default, but its presence on the device means it could be put to use in the future.

The device manufacturer HTC was contacted on 24 September but apparently did not respond within five days, which prompted Eckhart to disclose the vulnerability publicly.

HTC EVO 4G, EVO 3D, Thunderbolt, Shift 4G and Mytouch 4G Slide devices have been confirmed as vulnerable. Some models from the HTC Sensation product line and others are also suspected to be affected.

The smartphone maker is analysing the report and working on a response. "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible," the company said in a statement, according to the BBC.

"We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken," it added.

Unfortunately, until an official patch becomes available, the only mitigation is removing the "/system/app/HtcLoggers.apk" file, which requires root access because the /system partition is read-only on a stock device.

Update
HTC has confirmed the vulnerability and is planning to release an urgent patch for the affected phone models once it's properly tested. Meanwhile, the company has asked users to be careful about what applications they install and where they obtain them.

"In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application," the smartphone maker told BBC.

"A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability," it added.


Comments
Bailing

That makes the decision on my next phone, much easier. If Apple releases an iPhone to Sprint tomorrow (I don't care what version), when I do my upgrade on December 1st, I'm bailing. This HTC EVO has been a POS since Gingerbread. Sorry Google and HTC. You lost one. Will probably lose more in the coming weeks.

posted by: Frank Black, 03 October 2011
Who's Writing Code At HTC?

I'm not surprised when I read articles like this.

Assuming that the vulnerability is real (which is a relatively safe assumption), it showcases not only how cavalierly some companies treat privacy concerns by their customers, but also the horrible quality of whoever is in charge of software development.

To put this another way, when was the last time that a car maker produced a car with a door lock that would unlock with any remote, not just the owner's?

Crappy software originating along the Pacific Rim seems already taken for granted worldwide. In fact, some statistics show that half the blue screens in Windows originate with bits placed in a semi-orderly form over there. But even then I'm amazed when the same crew writes a back door to an OS that is wide enough for a semi.

Hopefully new phone buyers will keep this in mind when they are deciding between a new HTC device and whatever their competition at the time happens to be.

It might be noteworthy to add that Google is at least partially responsible for these kinds of problems. Their "security" model in Android is so inflexible that it's difficult for device vendors (and third parties, such as the users) to perform many routine tasks that they are accustomed to on PCs. And based on the disastrous decision to close-source Android, it seems that Google's corporate arrogance is making them blind to the fundamental weaknesses of their platform.

posted by: aki009, 03 October 2011