HTC Android Security Flaw Exposes Some Personal Data
HTC’s line of Android smartphones has been found to have a severe security flaw that is exposed to any application granted the Internet permission. The Register reports that apps on the affected handsets that connect to the web or show ads are able to access personal and confidential information.
User accounts, including e-mail addresses and the sync status for each, can be easily accessed. The apps can also get their hands on the last known network, GPS locations and a limited previous history of locations.
The vulnerability is part of HTC’s Sense UI and affects a subset of phones that includes the HTC Thunderbolt and the EVO 4G. It was spotted by Trevor Eckhart, Artem Russakovskii and Justin Case after HTC released the Sense UI update; they informed HTC about it and waited for a response.
With no response from HTC after five days, Eckhart contacted the website Android Police, a popular hangout for sharing Android news and reviews.
“Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the Internet permission (to submit scores online, for example), you don’t expect it to read your phone log or list of e-mails,” Russakovskii told International Business Times.
“The only reason the data is leaking left and right is because HTC set their snooping environment up this way,” he concluded.
Affected HTC phones include an application package titled HTCLoggers.apk, installed with root-level access. When called upon, the logging program opens a local port that will provide this data to any app that asks for it. Apps can then send the data off to a remote server for safekeeping.
The breach is considered especially serious given that free apps often ask for internet connectivity in order to fetch embedded advertisements. Such an app could now harvest very personal data, and given the publicly available demonstration code, it would be naive to think someone isn’t working on that right now.
Until HTC issues a software update, owners of the relevant phones can delete HTCLoggers from their devices if they root the phones.