10/4/2011
12:06 PM

HTC Preps Emergency Patch For Android Phones

Until the over-the-air fix for data leakage problem gets distributed, HTC recommends that users avoid using applications from untrusted sources.

HTC confirmed Tuesday third-party reports that a data-leakage vulnerability exists in some smartphone models that it manufactures, and said it's working on a fix. "In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application," said HTC in a statement.

"Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it," said HTC. According to the company, it's "working very diligently to quickly release a security update that will resolve the issue on affected devices."

The patch will address a vulnerability in the HTC Sense UI (user interface), which is HTC's customized skin that adds functionality on top of the vanilla Android operating system. The HTC Sense UI flaw is due to the presence of a file, HTCLogger.apk, that collects a variety of data points. The data appears to be collected for development, customer support, and troubleshooting purposes.


But security researcher Trevor Eckhart discovered that any application with Internet access permission could access HTCLogger.apk. Accordingly, an attacker could create a rogue application to access the log file, obtaining everything from recently used phone numbers and email addresses, to SMS messages--encrypted, said Eckhart, but potentially able to be decrypted--and recent GPS coordinates.

It's unknown exactly how many HTC smartphones are affected. But numerous models, including the EVO, MyTouch, some models of Sensation, and ThunderBolt use the HTC Sense UI.

In its statement, HTC stressed that an attacker would have to create a malicious application to exploit the vulnerability, and thus recommended that users be wary of applications from untrusted sources, especially before a fix gets released. "So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability," said HTC.

HTC also noted that "a third-party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws." But that seems to miss the point: outlawing smartphone exploits hasn't curbed criminal activity. Indeed, according to a study released in May 2011, the volume of malware targeting Android devices had increased by 400% since summer 2010. Meanwhile, security researchers expect the volume of malware seen by the end of 2011 to have doubled.

Two security researchers, writing in Android Police, had verified the HTC Sense UI vulnerability, and sounded an alarm over the "huge amount of data" being collected, noting that the text-only log file on an EVO 3D ran to 3.5 MB.

Android Police co-founder Artem Russakovskii said Tuesday that it remains unclear whether HTC's fix will paper over that data-collection practice. "While I applaud HTC's desire to fix the situation quickly, I do have to wonder whether the patch will simply apply some sort of an authentication scheme to the service while letting it continue collecting the same kind of sensitive data to be potentially reported back to HTC or carriers," he said. In addition, he said that HTC still hadn't addressed security researchers' concerns about other services running on its Android smartphones, such as the Android VNC server remote access tool.

ANON1237825497586,
User Rank: Apprentice
10/4/2011 | 5:42:38 PM
re: HTC Preps Emergency Patch For Android Phones
LOL! Android, still the most ripped off OS in history, simply a POS.
WZ000,
User Rank: Apprentice
10/5/2011 | 8:01:42 PM
re: HTC Preps Emergency Patch For Android Phones
lol ok? and i assume ur an apple queer,
jojo123,
User Rank: Apprentice
10/6/2011 | 7:31:31 PM
re: HTC Preps Emergency Patch For Android Phones
First off, all iPhone users are queers, and they're more vulnerable from Apple exploiting their data than Android users having to worry about their data being exploited. And the Apple OS is mostly used by simple people lol with no skills in programming or development who would rather their cell tell them what to do and how to do it. Personally I'd rather be able to somewhat simply do my own software dev on my phone, which Android allows me to do.

Second, why is this being released now publicly? The Gingerbread test builds have all had these HTC loggers.apk, all 7 signed test builds have them, and everyone testing it should have known what it did. I'm a novice user and had a full comprehension of the included .apks and their advanced functions. Oh btw gsd.apk does the same thing and yet that was conveniently left out of the public's eyes... these apks have been out in the test builds for the last 5 months.

Third.. screw Verizon and HTC, do any of you really believe they're honestly testing these releases well before release? I mean come on, 7 signed test builds and they couldn't figure out data, lockscreen, radio problems and not to mention no standard voicemail notifications? All these issues were present in all 7 signed test releases prior to the ota (over the air update) and none of the issues ever got fixed. I'll tell you what did get fixed.. it was the garbage bloatware they fixed and added in every test build, not the os bugs itself.

Look. S-off your devices and start building your own custom os from android, don't just use what they give you on the phones. Also a lot of your custom roms will include the aforementioned apks because the devs were noobs. Learn your android os people