HTC Android Bug Exposes Key Data

As demonstrated in a video of the vulnerability posted by Eckhart (see below), HTC provides an opt-out during phone setup for the Tell HTC logging feature, but it makes no difference. Even if the user opts out, the data is still logged and available to a malicious app.

Eckhart also points out that all of this could be done in a background thread, allowing a malicious app to gather the data and send it to a remote Web site without the user noticing.

The blog includes this list of information disclosed in the logs:

• Active notifications in the notification bar, including notification text.
• Build number, bootloader version, radio version, kernel version.
• Network info, including IP addresses.
• Full memory info.
• CPU info.
• File system info and free space on each partition.
• Running processes.
• Current snapshot/stacktrace of not only every running process but every running thread.
• List of installed apps, including permissions used, user ids, versions, and more.
• System properties/variables.
• Currently active broadcast listeners and history of past broadcasts received.
• Currently active content providers.
• Battery info and status, including charging/wake lock history.

It's interesting to techies and it shouldn't be disclosed, but what could an attacker do with most of it? The mass of information looks more threatening than it really is for most users.

Some private data from communications is there, but a lot of the most private data, such as passwords, does not appear to be. Nor are the contents of your actual data files. In theory you might be able to clone a phone, but that's still not clear.

In fact, if security is an important issue for you, there are plenty of better reasons not to use Android.

UPDATE: On Tuesday HTC acknowledged the problem and announced it was working on a patch to be delivered over the air to users.