    Android Police: Massive Security Vulnerability In HTC Android Devices

    Android Police reports on a security problem that exposes the personal data of users of HTC’s Android smartphones. (The Android Police report is quite technical; get the highlights in this Wired story.)

    In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. […]

    What Trevor found is only the tip of the iceberg – we are all still digging deeper – but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

    • the list of user accounts, including email addresses and sync status for each
    • last known network and GPS locations and a limited previous history of locations
    • phone numbers from the phone log
    • SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
    • system logs (both kernel/dmesg and app/logcat), which include everything your running apps do and are likely to include email addresses, phone numbers, and other private info

    Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails. […]

    I’d like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It’s like leaving your keys under the mat and expecting nobody who finds them to unlock the door.
