Mobile // Mobile Devices
05:25 PM
Connect Directly

HTC Android Bug Exposes Key Data

A vulnerability in HTC Android software of recent vintage could allow a malicious app with ordinary permissions to gain access to extensive logging information about the phone.

As demonstrated in a video of the vulnerability posted by Eckhart (see below), HTC provides an opt-out during phone setup for the Tell HTC logging feature, but it makes no difference. Even if the user opts out, the data is still logged and available to a malicious app.

Eckhart also points out that all of this could be done in a background thread, allowing a malicious app to gather the data and send it to a remote Web site without the user noticing.

The blog includes this list of information disclosed in the logs:

  • Active notifications in the notification bar, including notification text.
  • Build number, bootloader version, radio version, kernel version.
  • Network info, including IP addresses.
  • Full memory info.
  • CPU info.
  • File system info and free space on each partition.
  • Running processes.
  • Current snapshot/stacktrace of not only every running process but every running thread.
  • List of installed apps, including permissions used, user ids, versions, and more.
  • System properties/variables.
  • Currently active broadcast listeners and history of past broadcasts received.
  • Currently active content providers.
  • Battery info and status, including charging/wake lock history.

It's interesting to techies and it shouldn't be disclosed, but what could an attacker do with most of it? The mass of information looks more threatening than it really is for most users.

Some private data from communications is there, but a lot of the most private data, such as passwords, does not appear to be. Nor are the contents of your actual data files. In theory you might be able to clone a phone, but that's still not clear.

In fact, if security is an important issue for you, there are plenty of better reasons not to use Android.

UPDATE: On Tuesday HTC acknowledged the problem and announced it was working on a patch to be delivered over the air to users.

2 of 2
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of October 9, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll