A vulnerability in HTC Android software of recent vintage could allow a malicious app with ordinary permissions to gain access to extensive logging information about the phone.
As demonstrated in a video of the vulnerability posted by Eckhart (see below), HTC provides an opt-out during phone setup for the Tell HTC logging feature, but it makes no difference. Even if the user opts out, the data is still logged and available to a malicious app.
Eckhart also points out that all of this could be done in a background thread, allowing a malicious app to gather the data and send it to a remote Web site without the user noticing.
The blog includes this list of information disclosed in the logs:
Active notifications in the notification bar, including notification text.
Build number, bootloader version, radio version, kernel version.
Network info, including IP addresses.
Full memory info.
File system info and free space on each partition.
Current snapshot/stacktrace of not only every running process but every running thread.
List of installed apps, including permissions used, user ids, versions, and more.
Currently active broadcast listeners and history of past broadcasts received.
Currently active content providers.
Battery info and status, including charging/wake lock history.
It's interesting to techies and it shouldn't be disclosed, but what could an attacker do with most of it? The mass of information looks more threatening than it really is for most users.
Some private data from communications is there, but a lot of the most private data, such as passwords, does not appear to be. Nor are the contents of your actual data files. In theory you might be able to clone a phone, but that's still not clear.
In fact, if security is an important issue for you, there are plenty of better reasons not to use Android.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of April 24, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week!