Major Security Flaw Discovered on HTC Devices

A major security flaw was recently discovered in numerous HTC devices using the stock Sense interface. The flaw comes from a set of logging tools that HTC put on its phones to collect basically everything about your phone at any given time. The tools are not strictly malicious; HTC is probably using them to better understand how customers use their phones. But as the article simply states, the way the tools were built into the system and the way they can be accessed is akin to leaving a key to your door under the mat and hoping no one finds it. Fortunately, some respectable members of the community found said key, notified HTC of the vulnerability, and waited the standard 5 business days for a response before releasing the flaw to the public.

Trevor Eckhart discovered the vulnerability and has been digging (and still is) into what all these tools are collecting. As HTC has not yet responded, Trevor made the flaw public in an effort to "light the fire" under HTC to get it fixed. As of now, there are only two ways to keep your information from being compromised on the HTC phones: the first is to root the phone and remove the logging tools, and the second is for HTC to release a fix. HTC is generally regarded as a solid company with fantastic handsets and an eye on quality, so hopefully they will address the flaw quickly.

As of now, the vulnerability has only been confirmed on the EVO 4G, EVO 3D, and Thunderbolt, and the community has created a proof-of-concept app that can run on your HTC device to tell you if it has the vulnerability. More phones will of course be added as they are identified. The APK can be downloaded from a link provided in the article I linked to.

So what exactly is compromised? The Android Police article lists the following:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which include everything your running apps do and are likely to include email addresses, phone numbers, and other private info


Far more items are compromised than these; the full list and an explanation of how the vulnerability works can be found in the Android Police article.

Again, this vulnerability is something that HTC really needs to take care of. There is no doubt that HTC is working on a fix right now, and those of you who are rooted with an AOSP ROM have no worries, but regular stock users of HTC devices should keep an eye on the story from Android Police to keep ahead of what's going on with their devices.
