In news that will no doubt be of great concern to owners of HTC smartphones, a security team is claiming to have uncovered a "massive security vulnerability" in HTC Android devices that allows any application with Internet access to gain access to private data, including user accounts, email addresses, GPS location, text message data and phone numbers. The vulnerability is said to affect HTC smartphones running the latest version of HTC's software, including the EVO 3D, EVO 4G, Thunderbolt, and others.

The reported vulnerability, which has left those who discovered it - Justin Case, Trevor Eckhart and Artem Russakovskii from Android Police - speechless, involves a suite of logging tools included in recent HTC modifications to the Android operating system in EVO and Thunderbolt models that collect a stack of information on the user's phone. But not only do the modifications collect a swathe of information, they also allow nefarious types to send that data to wherever on the Internet they like.

"It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door," says Russakovskii.

The list of compromised data includes but is not limited to:

  • List of user accounts, including email addresses
  • Last known GPS location and history of previous locations
  • Phone numbers from the phone log
  • SMS data, including phone numbers and encoded text
  • System logs, which track everything your running apps do
  • System information, including build number, bootloader version, CPU info, running processes, list of installed apps, battery info and status, and network info, including IP addresses

Eckhart only released the information after contacting HTC on September 24th and receiving no real response for five days, in the hope that making the security vulnerability public would prompt HTC to address the issue. Although the team at Android Police believes HTC is looking into the issue, there's been no statement from the company as yet.

The team also uncovered an app added by HTC called androidserver.apk that is basically a remote access server that could allow third parties access to the phone. They say that, while the addition of the app "could end up being insignificant," it is still "very suspicious." Although the app isn't started by default, it isn't clear what or who can trigger it.

While open source software, such as Android, has many advantages over a closed system, such as allowing greater creativity on the part of developers, the vulnerability the Android Police team claims to have uncovered highlights one of the major downsides of open source software. While users expect problems from sources in the darker corners of the Internet and are extra vigilant in looking out for anything that may compromise the security of their devices, the fact this problem comes from one of the biggest players in the Android space is a real concern.

Hopefully, now that the problem has been brought to light, HTC will release an update to address it in quick fashion. Until then, Eckhart says the only way to patch the vulnerability is to root your phone, which can unfortunately void the warranty. If you do decide to go down the rooting path, Eckhart recommends the removal of HtcLoggers, which can be found at /system/app/HtcLoggers.apk.