Massive Security Vulnerability In HTC Android Devices

Searching_ _ _ · Oct 2, 2011

In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

the list of user accounts, including email addresses and sync status for each

last known network and GPS locations and a limited previous history of locations

phone numbers from the phone log

SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)

system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails.

But that's not all.
Click to expand...

Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) - Android Police

dw426 · Oct 2, 2011

This is one of the reasons I've not gone mobile really, it's far too easy to be unsecured on this stuff, and very little can be done to secure them. I'm with the one guy down in the comments section, OEM should leave things the hell alone.

cozumel · Oct 2, 2011

As a user of an HTC Android device to say I am disappointed would be an understatement.

I just cannot understand how an organisation such as HTC does not have robust policies and procedures to safeguard against this type of occurrence. It's not even possible to hide behind a firewall. Although I do have security installed on my device (lookout) it won't protect me against this type of poor software implementation and design.

J_L · Oct 2, 2011

Damn, that's also why I almost always install custom firmware.

Hungry Man · Oct 2, 2011

REad about this earlier. I have an HTC. Running rooted without sense so I'm not worried... not that I would be anyways.

cozumel · Oct 4, 2011

HTC press release:

HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.

HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.
Click to expand...

ronjor · Oct 4, 2011

Link. http://www.engadget.com/2011/10/04/htc-confirms-security-hole-says-patch-is-incoming/

Log in or Sign up

Massive Security Vulnerability In HTC Android Devices

Searching_ _ _ Registered Member

dw426 Registered Member

cozumel Registered Member

J_L Registered Member

Hungry Man Registered Member

cozumel Registered Member

ronjor Global Moderator

Log in or Sign up

Massive Security Vulnerability In HTC Android Devices

Searching_ _ _ Registered Member

dw426 Registered Member

cozumel Registered Member

J_L Registered Member

Hungry Man Registered Member

cozumel Registered Member

ronjor Global Moderator

Useful Searches