In news that will no doubt concern owners of HTC smartphones, a security team is claiming to have uncovered a "massive security vulnerability" in HTC Android devices that allows any installed application that has been granted Internet access to read private data, including the user's accounts and email addresses, GPS location, text message data and phone numbers. The vulnerability is said to affect HTC smartphones running the latest version of HTC's software, including the EVO 3D, EVO 4G, Thunderbolt, and others.
The reported vulnerability, which has left those who discovered it - Justin Case, Trevor Eckhart and Artem Russakovskii from Android Police - speechless, involves a suite of logging tools that HTC added to its build of the Android operating system on EVO and Thunderbolt models. The tools collect a large amount of information about the user's phone. The problem is not only that this information is collected, but that it is exposed to other applications on the device: any app with Internet access can read it and send it to wherever on the Internet its author likes.
"It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door," says Russakovskii.
The list of compromised data includes but is not limited to:
- List of user accounts, including email addresses
Eckhart contacted HTC on September 24th and, after receiving no substantive response for five days, released the information in the hope that making the vulnerability public would prompt HTC to address it. Although the team at Android Police believes HTC is looking into the issue, there has been no statement from the company as yet.
The team also uncovered an app added by HTC called androidserver.apk, which is essentially a remote-access server that could allow third parties access to the phone. They say that, while the addition of the app "could end up being insignificant," it is still "very suspicious." Although the app isn't started by default, it isn't clear what, or who, can trigger it.
While open source software, such as Android, has many advantages over a closed system, such as allowing greater creativity on the part of developers, the vulnerability the Android Police team claims to have uncovered highlights one of the major downsides of open source software. While users expect problems from sources in the darker corners of the Internet and are extra vigilant in looking out for anything that may compromise the security of their devices, the fact this problem comes from one of the biggest players in the Android space is a real concern.
Hopefully, now that the problem has been brought to light, HTC will release an update to address it quickly. Until then, Eckhart says the only way to patch the vulnerability is to root your phone, which can unfortunately void the warranty. If you do decide to go down the rooting path, Eckhart recommends removing HtcLoggers, which can be found at /system/app/HtcLoggers.apk.
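The removal step above, written out as a pair of shell helpers. This is an added example, not code from the article, from Eckhart or from Android Police. It assumes a root shell on the phone, that /system has been remounted read-write before the removal runs, and that androidserver.apk (for which the article gives no path) also lives under /system/app. The optional directory-prefix argument exists only so the helpers can be dry-run against a constructed directory tree on a workstation; on the phone they are called with no prefix.

```sh
#!/bin/sh
# Added example (not from the article, Eckhart or Android Police).
# Two helpers for a rooted HTC phone:
#   check_htc_extras   - reports whether the two packages the article names
#                        (HtcLoggers.apk and androidserver.apk) are present
#   remove_htcloggers  - backs up and removes /system/app/HtcLoggers.apk,
#                        the step Eckhart recommends after rooting
# Assumptions: root shell, /system remounted read-write before removal, and
# androidserver.apk located under /system/app (assumed; the article gives no
# path). The first argument is a directory prefix used only for dry runs
# against a constructed tree; on the phone call the functions with no prefix.

check_htc_extras() {
    prefix="${1:-}"
    found=0
    for apk in HtcLoggers.apk androidserver.apk; do
        if [ -f "$prefix/system/app/$apk" ]; then
            echo "present: $prefix/system/app/$apk"
            found=$((found + 1))
        else
            echo "absent:  $prefix/system/app/$apk"
        fi
    done
    # Exit status is the number of packages found, so 0 means "clean".
    return "$found"
}

remove_htcloggers() {
    prefix="${1:-}"
    backup_dir="${2:-$prefix/sdcard/htc-backup}"
    pkg="$prefix/system/app/HtcLoggers.apk"

    if [ ! -f "$pkg" ]; then
        echo "nothing to do: $pkg not present"
        return 1
    fi
    # Keep a copy so the package can be restored if something turns out to
    # depend on it (the warranty is already gone; the data need not be).
    mkdir -p "$backup_dir"
    cp "$pkg" "$backup_dir/HtcLoggers.apk" || return 2
    rm "$pkg"
    echo "removed $pkg (backup: $backup_dir/HtcLoggers.apk)"
    return 0
}

# On the phone, in a root shell, the real sequence is:
#   mount -o remount,rw /system && remove_htcloggers && mount -o remount,ro /system
# followed by a reboot so the logging process is not left running from the
# deleted package.

# Dry run against a constructed tree on a workstation (not a real phone):
if [ "${1:-}" = "--dry-run" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/system/app"
    printf 'placeholder' > "$tmp/system/app/HtcLoggers.apk"   # constructed stand-in
    check_htc_extras "$tmp" || true
    remove_htcloggers "$tmp"
    check_htc_extras "$tmp" || true
    rm -rf "$tmp"
fi
```

Run with `sh remove_htcloggers.sh --dry-run` on a workstation to see the check/remove/check cycle on a throwaway tree; on the phone, source the file in a root shell and run the three-command sequence in the comment. The backup copy is deliberate: deleting a vendor package from /system is not reversible without one.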
How exactly is the inclusion of two CLOSED SOURCE software packages added to Android by HTC somehow an indictment of OPEN SOURCE software again?
Great site but your logic in this piece makes no sense.
If anything this is a reason for people to use Cyanogen, the fully open-source Android. There the open source allows everyone to watch everyone else, versus being behind closed doors at HTC.
Apple and Microsoft can inject items like this at their discretion and unlike on Android, few have the skills or interest to notice it.
Hope is not a plan. HTC needs to fix this right away, and keep its customers informed.
The article nowhere makes a case that the open source nature of Android in any way caused this security breach. From what can be gathered from the article, HTC's logging tool is collecting the information and I assume other applications can access this log file and then send the data off the phone. This permissions failure could just as easily have occurred in closed-source iOS or WP7 (in fact, a bug in the WP7 camera app was transmitting GPS data to Microsoft without asking for permission and was just fixed with the latest update). It would seem that the open source nature of the software would make it *easier* for security teams to find vulnerabilities, as they can examine both the behavior of the system and the underlying code to quickly clarify what the phone is doing without extensive reverse engineering or guesswork.
"While open source software, such as Android, has many advantages over a closed system, such as allowing greater creativity on the part of developers, the vulnerability the Android Police team claims to have uncovered highlights one of the major downsides of open source software. While users expect problems from sources in the darker corners of the Internet and are extra vigilant in looking out for anything that may compromise the security of their devices, the fact this problem comes from one of the biggest players in the Android space is a real concern."
It's not clear from the article, but it sounds as though in order to suffer from this you'd need to download what is basically malware onto your phone and run it, so it can send the logs off somewhere.
Talk about a media beat-up.