Archive for October, 2011

HTC Android Devices “Massive” Security Flaw


03 Oct 2011

Android Police reported a “massive security vulnerability in HTC Android devices,” stating that any app on an affected handset can access data including user account details and location information.

The report said the flaw was introduced with a recent update to “some” HTC devices, including a number of its flagship smartphones such as the Evo 3D, Evo 4G, and Thunderbolt. The company had added a “suite of logging tools that collected information” for an unspecified reason, without ensuring that this data was secured from other apps.

It was suggested that “theoretically, it may be possible to clone a device using only a small subset of the information leaked here.”

The information is exposed through the same permission that an app requests in order to connect to the internet. Android Police noted: “when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails.”

The report said that HTC was contacted on 24 September, with the company then given five business days before the vulnerability was made public. No comment was received in the interim. The company said it is “taking customers’ security seriously.”
