Mobile // Mobile Devices
News
10/3/2011
05:25 PM
Connect Directly
Twitter
Facebook
Google+
LinkedIn
RSS
E-Mail
50%
50%

HTC Android Bug Exposes Key Data

A vulnerability in HTC Android software of recent vintage could allow a malicious app with ordinary permissions to gain access to extensive logging information about the phone.

As demonstrated in a video of the vulnerability posted by Eckhart (see below), HTC provides an opt-out during phone setup for the Tell HTC logging feature, but it makes no difference. Even if the user opts out, the data is still logged and available to a malicious app.

Eckhart also points out that all of this could be done in a background thread, allowing a malicious app to gather the data and send it to a remote Web site without the user noticing.

The blog includes this list of information disclosed in the logs:

  • Active notifications in the notification bar, including notification text.
  • Build number, bootloader version, radio version, kernel version.
  • Network info, including IP addresses.
  • Full memory info.
  • CPU info.
  • File system info and free space on each partition.
  • Running processes.
  • Current snapshot/stacktrace of not only every running process but every running thread.
  • List of installed apps, including permissions used, user ids, versions, and more.
  • System properties/variables.
  • Currently active broadcast listeners and history of past broadcasts received.
  • Currently active content providers.
  • Battery info and status, including charging/wake lock history.

It's interesting to techies and it shouldn't be disclosed, but what could an attacker do with most of it? The mass of information looks more threatening than it really is for most users.

Some private data from communications is there, but a lot of the most private data, such as passwords, does not appear to be. Nor are the contents of your actual data files. In theory you might be able to clone a phone, but that's still not clear.

In fact, if security is an important issue for you, there are plenty of better reasons not to use Android.

UPDATE: On Tuesday HTC acknowledged the problem and announced it was working on a patch to be delivered over the air to users.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A UBM Tech Radio episode on the changing economics of Flash storage used in data tiering -- sponsored by Dell.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.