A recently discovered security flaw in HTC Android phones could make users' personal data vulnerable. According to reports, the flaw allows most apps to read the personal information in at least some HTC models.
The issue was first brought to light by developer Trevor Eckhart, who was examining the inner workings of software on HTC's EVO 3D, EVO 4G, Thunderbolt and other models. Working with Android expert Artem Russakovskii and a blogger who goes by the pseudonym Justin Case, Eckhart found that HTC has introduced logging tools in recent updates.
The loggers collected a large amount of data about user activity, presumably to monitor performance, to provide for remote analysis, or for other reasons, although the exact reason for the data collection is unknown.
Emails, Phone Numbers, GPS
The team discovered that the data is not secured, and that any app requesting permission to connect to the web or to show an ad can get access to the collected data. The collected information can include a list of email addresses and other information about user accounts, a history of GPS locations, stored phone numbers, SMS data, and system logs.
Other information that may be exposed includes notifications, IP addresses, system data and logs, information on installed apps, content providers, battery status and other data.
The normal expectation is that an app seeking to connect to the web obtains access only to what is allowed by its request. For example, an app requesting web access would not be able to obtain stored phone numbers.
According to the investigation, virtually any app can gain access to this information, and it could be possible to clone a device using this data. Such an app also has permission to send this information to anyone on the web, without the user's knowledge. The team said it informed HTC of the issue on Sept. 24, but, after five days with no reply, it went public Friday.
Some observers are suggesting that, although specific HTC models were cited, it is possible a variety of other HTC devices could be affected as well, particularly those running HTC Sense.
'Have To Be on Their Toes'
Russakovskii blames HTC for the vulnerability, contending that the handset maker set up the environment this way. HTC has not yet issued a statement or a fix.
The HTC vulnerability raises questions about the security of Google's open-source Android mobile operating system.
In August, security firm McAfee noted that malware for Android had increased by 76 percent over the previous three months. While the total amount of malware is still smaller than that for, say, Symbian, Android will become a bigger target as Symbian fades out.
Avi Greengart, an analyst with industry research firm Current Analysis, said that "vendors always have to be on their toes" about security issues. He added that the issue appears to "be something wrong about the way HTC is implementing Android" and there is currently no evidence to believe there are fundamental security issues with the platform.