Mobile
News
10/3/2011
12:23 PM
Connect Directly
RSS
E-Mail
50%
50%

HTC Android Flaw Leaks Smartphone User Data

HTC investigating vulnerability that leaves smartphones open to having email address, GPS coordinates stolen by rogue apps.

10 Companies Driving Mobile Security
10 Companies Driving Mobile Security
(click image for larger view and for slideshow)
Multiple models of HTC smartphones running Android have a vulnerability that could be exploited by a malicious application to steal user data, including a person's GPS location, SMS data, and phone numbers.

In particular, any application granted Internet permission can access the HTCLoggers.apk file, which records numerous user-related data points. The risk is that a rogue app, if granted Internet-access rights, would be able to access and exfiltrate this sensitive information.

The bug was spotted by security researcher Trevor Eckhart, who demonstrated a proof-of-concept attack in a YouTube video. Eckhart said that he informed HTC of the vulnerability on September 24, but has heard nothing in reply. Per the RFPolicy for responsible disclosure, he waited five business days before publicly disclosing the vulnerability Friday.

[The mobile security landscape is changing. Learn more: Mobile Security's Future: 4 Expert Predictions.]

HTC said Monday it was investigating the bug report. "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible," according to a statement released by the company. "We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

HTCLoggers.apk ships as part of the HTC Sense user interface that runs on many of HTC's Android smartphones, including the EVO 3D, EVO 4G, EVO Shift 4G, and ThunderBolt. According to one development forum, the purpose of HTCLoggers.apk "is to provide logging of various aspects of the device when you're having issues, and help you identify exactly where those issues are occurring."

The HTCLoggers vulnerability has been verified by Android researchers Artem Russakovskii and Justin Case, who published their analysis on Android Police. "It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door," they said of the vulnerability.

Security researchers have said that coding a patch shouldn't be difficult. But a full fix will require HTC to release an update for HTC Sense UI. Until then, Eckhart said the only way to remove HTCLogger is to gain root access to the device and remove HTCLoggers.apk.

In other Android-related vulnerability news, on Friday, BGR disclosed a bug in AT&T's Samsung Galaxy S II security. In particular, the flaw allows someone to bypass an unlock pattern or PIN code and gain access to the device.

"If you have a PIN or an unlock pattern set, all you have to do in order to bypass it is simply tap the lock button to wake the display and then let the screen time out and go black," reported BGR. "Tap the lock button again and low and behold, the unlock screen is gone and the phone can be accessed with no PIN or pattern input whatsoever."

In a joint statement, Samsung and AT&T said that they're investigating the problem, which they characterized as a user interface issue. "Currently, when using a security screen lock on the device, the default setting is for a screen timeout. If a user presses the power button on the device after the timeout period it will always require a password. If a user presses the power button on the phone before the timeout period, the device requests a password--but the password is not actually necessary to unlock it," they said.

Until a permanent fix is available, AT&T Samsung Galaxy S II owners can change their settings to ensure that timeout screens invoke immediately. To do this, go to "Settings ->Location and Security->Screen unlock settings->Timeout->Immediately."

Comment  | 
Print  | 
More Insights
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.