HTC Android Bug Exposes Key Data

A vulnerability in HTC Android software of recent vintage could allow a malicious app with ordinary permissions to gain access to extensive logging information about the phone.

Larry Seltzer, Contributor

October 3, 2011


A vulnerability in HTC Android software of recent vintage could allow a malicious app with ordinary permissions to gain access to extensive logging information about the phone, according to a blog entry at Android Police.

HTC customized its Android environment with a feature called Tell HTC, which keeps extensive logs on the phone and sends them to HTC. The feature is turned on by default. Most systems have such agreements these days, and the data is used to improve service. The data is extensive, however, and could be used in various attacks, generally identity theft.

The vulnerability was discovered by hacker Trevor Eckhart. Eckhart's proof of concept app shows some of the data recovered:

Eckhart describes the bug as a security elevation bug, but it's better termed an information disclosure bug. The problem is that HTC has made logging information available without appropriate permissions.

The Android Police blog also explains how to root your phone in order to remove the logging application.

When an Android user installs an application, the app presents a list of permissions it requests. At this point the user must judge whether he trusts the application with those permissions. The proof of concept application written by Eckhart requests only "Network communications - full Internet access" permission, which is normal for any application that communicates over the Internet.

As demonstrated in a video of the vulnerability posted by Eckhart (see below), HTC provides an opt-out during phone setup for the Tell HTC logging feature, but it makes no difference. Even if the user opts out, the data is still logged and available to a malicious app.

Eckhart also points out that all of this could be done in a background thread, allowing a malicious app to gather the data and send it to a remote Web site without the user noticing.

The blog includes this list of information disclosed in the logs:

  • Active notifications in the notification bar, including notification text.

  • Build number, bootloader version, radio version, kernel version.

  • Network info, including IP addresses.

  • Full memory info.

  • CPU info.

  • File system info and free space on each partition.

  • Running processes.

  • Current snapshot/stacktrace of not only every running process but every running thread.

  • List of installed apps, including permissions used, user ids, versions, and more.

  • System properties/variables.

  • Currently active broadcast listeners and history of past broadcasts received.

  • Currently active content providers.

  • Battery info and status, including charging/wake lock history.

It's interesting to techies and it shouldn't be disclosed, but what could an attacker do with most of it? The mass of information looks more threatening than it really is for most users.

Some private data from communications is there, but a lot of the most private data, such as passwords, does not appear to be. Nor are the contents of your actual data files. In theory you might be able to clone a phone, but that's still not clear.

In fact, if security is an important issue for you, there are plenty of better reasons not to use Android.

UPDATE: On Tuesday HTC acknowledged the problem and announced it was working on a patch to be delivered over the air to users.
