We have to love their name: the Android Police. They have discovered a problem with HTC phones where personal data can be exposed to any app that accesses the internet. (yikes!)
The devices affected are believed to be the EVO 3D, some Sensations and the upcoming Vigor.
The Android Police state, “The vulnerability, discovered by the crew at Android Police, potentially exposes a broad range of private user data, including email addresses, GPS locations and phone numbers.
The security hole appears to be a residual consequence of HTC’s latest update to the phones, which recently received a new logging tool and seems to be where the problem first showed up.”
The problem affects any app that connects to the Internet, specifically ones that request the android.permission.INTERNET permission. We understand this is standard practice for almost any app that uses the web. With the HTC security problem, apps that request this permission may have access to data including, but not limited to, the following:
- List of user accounts, email addresses and sync status for each address
- Last recorded network and GPS location, and a short list of previous such locations
- Phone numbers from the phone log
- SMS data, including phone numbers and encoded texts
- System logs (which may give access to additional personal data)
The reported fix is to “root your phone and manually remove the “APK” file that logs all your actions. Unfortunately, rooting is a process that can be difficult for users who aren’t familiar with the process.” Because of the serious nature of this problem, it is believed that HTC will release a patch soon. In the meantime, be very careful about which apps you use or download, as they can expose your data.
Here’s what we have gathered as quoted from HTC:
- There’s a big security problem with its phones that lets third-party apps access your personal data.
- However, HTC has communicated that it is already dealing with the problem.
- “There is a vulnerability that could potentially be exploited by a malicious third-party application.”
- HTC says it’s working on a patch that will fix the problem, soon to be made available over the air after a short testing period. In the meantime, the company advises “caution when downloading, using, installing and updating applications from untrusted sources.”
- HTC is at pains to make clear that the logging software it installed “does no harm to customers’ data”. “So far,” the statement continues, “we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.”
Here is the HTC statement in full:
“HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.”
No release date has yet been announced by HTC but they are working on the patch and users will soon hear from them. Stay tuned…