HTC Android Bug Exposes Key Data - InformationWeek
Mobile // Mobile Devices
05:25 PM
Connect Directly

HTC Android Bug Exposes Key Data

A vulnerability in HTC Android software of recent vintage could allow a malicious app with ordinary permissions to gain access to extensive logging information about the phone.

As demonstrated in a video of the vulnerability posted by Eckhart (see below), HTC provides an opt-out during phone setup for the Tell HTC logging feature, but it makes no difference. Even if the user opts out, the data is still logged and available to a malicious app.

Eckhart also points out that all of this could be done in a background thread, allowing a malicious app to gather the data and send it to a remote Web site without the user noticing.

The blog includes this list of information disclosed in the logs:

  • Active notifications in the notification bar, including notification text.
  • Build number, bootloader version, radio version, kernel version.
  • Network info, including IP addresses.
  • Full memory info.
  • CPU info.
  • File system info and free space on each partition.
  • Running processes.
  • Current snapshot/stacktrace of not only every running process but every running thread.
  • List of installed apps, including permissions used, user ids, versions, and more.
  • System properties/variables.
  • Currently active broadcast listeners and history of past broadcasts received.
  • Currently active content providers.
  • Battery info and status, including charging/wake lock history.

It's interesting to techies and it shouldn't be disclosed, but what could an attacker do with most of it? The mass of information looks more threatening than it really is for most users.

Some private data from communications is there, but a lot of the most private data, such as passwords, does not appear to be. Nor are the contents of your actual data files. In theory you might be able to clone a phone, but that's still not clear.

In fact, if security is an important issue for you, there are plenty of better reasons not to use Android.

UPDATE: On Tuesday HTC acknowledged the problem and announced it was working on a patch to be delivered over the air to users.

2 of 2
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll