New Security Flaw Affects Modern HTC Handsets

Android Police recently uncovered a large security flaw in some of HTC’s ‘forced-upon-you’ bolt-on software. Though the software doesn’t reveal personal details itself as such, other applications do have the ability to request information from this toolkit. This gives them access to some of your personal information including GPS locations and SMS data. Read on to learn more.

What Is This Security Flaw?

HTC packaged a small suite of tools designed to collect user information into their new Android releases. However it turns out to be somewhat lacking in security, or such precautions were poorly implemented. As a result, this system can be piggybacked by other applications to get a hold of your location data (both cellular and GPS), your SMS data (including phone numbers), phone log details and Android system logs.

Justin Case, Trevor Eckhart and Artem Russakovski at Android Police said:

“Any app on affected devices that requests [internet access], which is normal for any app that connects to the web or shows ads, can get its hands on the data”

Android Police alerted HTC on the 24th September with information on their findings. After receiving no response, they decided to go public with their discovery.

Which Phones Are Affected?

Android Police claim that the following models may be affected:

  • Some HTC Sensation models
  • HTC EVO 4G
  • HTC EVO 3D
  • HTC Thunderbolt
  • HTC EVO Shift 4G
  • (Possibly) HTC MyTouch 4G Slide
  • (Possibly) HTC Vigor
  • (Possibly) HTC View 4G
  • (Possibly) HTC Kingdom.

The silver lining to this news is that only HTC handsets are affected, rather than Android in general. So if you don’t have an HTC phone you needn’t be too concerned.

When Will There Be a Fix?

At present HTC have not given a specific date or timeframe for customers to expect a software patch, though they did release this statement:

“HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices… Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.”

Russakovski pointed out that these Android builds also seem to have a miniature VNC server in them. For those who don’t know, VNC is a network protocol which allows remote control and access from one device to another, usually including the ability to see an exact clone of what is on your screen. What is that doing on your phone?

This sort of problem sings true to the notion that the more complex you make something, whether an Android build, a computer, or a birthday cake – more likely it is that something will go wrong. For HTC, attempting to increase the level of customer-to-corporation data sharing (or taking, depends on how you see it), has brought on an issue which HTC now has the duty to set right.

Desired Outcome

The ideal outcome would be for very few people to have their data accessed through this exploit, and for HTC to quickly push out a fix. Until a fix is released, however, try to avoid downloading unrecognised or untrusted applications for a while, especially if one of the privileges requested is internet access. It may look innocent, but it could also be an disguised malicious application designed to steal your information. It’s probably best to not take those chances.


Android Police’s original article

The Guardian’s technology article – via @guardiantech