HTC Preps Emergency Patch For Android Phones - InformationWeek

Until the over-the-air fix for the data leakage problem gets distributed, HTC recommends that users avoid using applications from untrusted sources.

HTC confirmed Tuesday third-party reports that a data-leakage vulnerability exists in some smartphone models that it manufactures, and said it's working on a fix. "In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application," said HTC in a statement.

"Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it," said HTC. According to the company, it's "working very diligently to quickly release a security update that will resolve the issue on affected devices."

The patch will address a vulnerability in the HTC Sense UI (user interface), which is HTC's customized skin that adds functionality on top of the vanilla Android operating system. The HTC Sense UI flaw is due to the presence of a file, HTCLogger.apk, that collects a variety of data points. The data appears to be collected for development, customer support, and troubleshooting purposes.


But security researcher Trevor Eckhart discovered that any application with Internet access permission could access HTCLogger.apk. Accordingly, an attacker could create a rogue application to access the log file, obtaining everything from recently used phone numbers and email addresses, to SMS messages--encrypted, said Eckhart, but potentially able to be decrypted--and recent GPS coordinates.

It's unknown exactly how many HTC smartphones are affected. But numerous models, including the EVO, MyTouch, some models of Sensation, and ThunderBolt use the HTC Sense UI.

In its statement, HTC stressed that an attacker would have to create a malicious application to exploit the vulnerability, and thus recommended that users be wary of applications from untrusted sources, especially before a fix gets released. "So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability," said HTC.

HTC also noted that "a third-party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws." But that seems to miss the point: outlawing smartphone exploits hasn't curbed criminal activity. Indeed, according to a study released in May 2011, the volume of malware targeting Android devices had increased by 400% since summer 2010. Meanwhile, security researchers expect the amount of malware seen by the end of 2011 to have doubled.

Two security researchers, writing in Android Police, had verified the HTC Sense UI vulnerability, and sounded an alarm over the "huge amount of data" being collected, noting that the text-only log file on an EVO 3D ran to 3.5 MB.

Android Police co-founder Artem Russakovskii said Tuesday that it remains unclear whether HTC's fix will paper over that data-collection practice. "While I applaud HTC's desire to fix the situation quickly, I do have to wonder whether the patch will simply apply some sort of an authentication scheme to the service while letting it continue collecting the same kind of sensitive data to be potentially reported back to HTC or carriers," he said. In addition, he said that HTC still hadn't addressed security researchers' concerns about other services running on its Android smartphones, such as the Android VNC server remote access tool.
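Both Eckhart's findings and Russakovskii's question come down to the same thing: what categories of personal data a diagnostic log actually contains, independent of who is allowed to read it. The script below is an added example, not code from the article, HTC or Android Police; it audits a constructed device log (the line format and every value in it are invented for this example, and are not real HTC Logger output) for the data categories the article names (phone numbers, email addresses, SMS bodies, GPS fixes), counts how many lines carry each, and produces a redacted copy. A practitioner can point the same patterns at a real log to judge whether a patch that merely adds authentication would leave sensitive data sitting on the device.

```python
import re
from collections import Counter

# Constructed sample of a device diagnostic log. The format and all
# values (numbers, address, coordinates) are invented for this example.
SAMPLE_LOG = """\
10-04 17:42:38 I/DiagSvc: boot complete, build=example-build-1234
10-04 17:43:01 D/DiagSvc: outgoing call to +1-555-0142 duration=83s
10-04 17:43:20 D/DiagSvc: account sync user=alice.example@example.com result=ok
10-04 17:44:05 D/DiagSvc: sms from +1-555-0199 body="meet at 6?"
10-04 17:44:30 D/DiagSvc: location fix lat=37.4220 lon=-122.0841 acc=12m
10-04 17:45:00 I/DiagSvc: battery=87% signal=-71dBm
10-04 17:46:10 D/DiagSvc: sms to +1-555-0142 body="ok see you"
10-04 17:47:00 D/DiagSvc: location fix lat=37.4225 lon=-122.0850 acc=8m
"""

# One pattern per category of data the article says the log exposed.
# The phone pattern requires a run of at least nine digits/hyphens so
# that timestamps, build numbers and signal readings do not match it.
PATTERNS = {
    "phone_number": re.compile(r"\+?\d[\d\-]{7,}\d"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "gps_fix": re.compile(r"lat=-?\d+\.\d+\s+lon=-?\d+\.\d+"),
    "sms_body": re.compile(r'body="[^"]*"'),
}


def classify_line(line):
    """Return the set of sensitive-data categories present on one log line."""
    return {name for name, pat in PATTERNS.items() if pat.search(line)}


def audit_log(text):
    """Count, per category, how many lines carry that kind of data.

    Lines carrying nothing sensitive are counted under "benign" so the
    ratio of diagnostic noise to personal data is visible at a glance.
    """
    counts = Counter()
    for line in text.splitlines():
        categories = classify_line(line)
        if not categories:
            counts["benign"] += 1
        for name in categories:
            counts[name] += 1
    return counts


def redact(text):
    """Return a copy of the log with each sensitive match replaced by a tag.

    This is the minimisation step a collector could apply before writing
    the log, as opposed to only restricting who may read it afterwards.
    """
    redacted = []
    for line in text.splitlines():
        for name, pat in PATTERNS.items():
            line = pat.sub(f"<{name}>", line)
        redacted.append(line)
    return "\n".join(redacted)


if __name__ == "__main__":
    for category, n in sorted(audit_log(SAMPLE_LOG).items()):
        print(f"{category:13s} {n}")
    print()
    print(redact(SAMPLE_LOG))
```

On the constructed sample, six of eight lines carry at least one category of personal data and only two are pure device telemetry; the redacted copy keeps every line's operational content (call duration, fix accuracy, sync result) while dropping the identifiers, which is the trade-off a logging service would have to make to answer Russakovskii's concern.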

User Rank: Apprentice
10/6/2011 | 7:31:31 PM
re: HTC Preps Emergency Patch For Android Phones
First of all, iPhone users are queers, and they're more vulnerable to Apple exploiting their data than Android users are to having their data exploited. And the Apple OS is mostly used by simple people lol with no skills in programming or development who would rather their cell tell them what to do and how to do it. Personally I'd rather be able to somewhat simply do my own software dev on my phone, which Android allows me to do.

Second, why is this being released now publicly? The Gingerbread test builds have all had these HTC logger .apks; all 7 signed test builds have them and everyone testing it should have known what it did. I'm a novice user and had a full comprehension of the included .apks and their advanced functions. Oh btw gsd.apk does the same thing and yet that was conveniently left out of the public's eyes... these apks have been out in the test builds for the last 5 months.

Third.. screw Verizon and HTC; do any of you really believe they're honestly testing these releases well before release? I mean come on, 7 signed test builds and they couldn't figure out data, lockscreen, radio problems, not to mention no standard voicemail notifications? All these issues were present in all 7 signed test releases prior to the OTA (over the air update) and none of the issues ever got fixed. I'll tell you what did get fixed.. it was the garbage bloatware they fixed and added in every test build, not the OS bugs themselves.

Look. S-off your devices and start building your own custom OS from Android; don't just use what they give you on the phones. Also a lot of your custom ROMs will include the aforementioned apks because the devs were noobs. Learn your Android OS, people.
User Rank: Apprentice
10/5/2011 | 8:01:42 PM
re: HTC Preps Emergency Patch For Android Phones
lol ok? and I assume you're an Apple queer,
User Rank: Apprentice
10/4/2011 | 5:42:38 PM
re: HTC Preps Emergency Patch For Android Phones
LOL! Android, still the most ripped off OS in history, simply a POS.