nsane.forums Posted October 2, 2011

HTC apparently modified Android in a way that leaves some models of its phones open to hacks and data theft, researchers reveal.

Security researchers say they've uncovered a flaw in several smartphone models produced by HTC that gives any application that has Internet access the keys to a trove of information on the phone, including e-mail addresses, GPS locations, phone numbers, and text message data.

Phone models claimed to be affected by the vulnerability are the EVO 3D, EVO 4G, Thunderbolt, and possibly HTC's Sensation line.

The researchers, Trevor Eckhart, Artem Russakovskii, and Justin Case, say they informed HTC of the vulnerability on September 24, but after HTC failed to respond to their warning for five days, they went public with their knowledge on Friday.

The security gap in the HTC phones stems from modifications the company made in versions of the Android operating system in EVO and Thunderbolt models. Those changes add a suite of logging tools to the system.

"If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in," Russakovskii wrote yesterday at the Android Police website.

That's not the case here, he notes. The modifications made to Android by HTC allow any application that you give permission to access the Internet from the phone access to a plethora of sensitive information on the device. What's more, it also has permission to send the data that it finds wherever it wants on the Net without your knowledge.

"Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the [Android] Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of e-mails," Russakovskii explains.

He compares the vulnerability to leaving the keys to your house under the welcome mat and not expecting anyone to find them.

Data that can be peeked at by any app with Internet access include:

- E-mail addresses
- Last known network and GPS locations.
- Phone numbers from phone logs.
- SMS data, including phone numbers and encoded text.
- System logs, which track everything your apps do, such as logging into secure locations.
- System information such as onboard memory, CPU data, running processes and list of installed apps, including permissions they use and your user IDs for them.

In addition to the logger suite, Russakovskii notes, HTC has further modified Android with the addition of something named androidvncserver.apk. While the addition of that app, which is designed to give third parties remote access to a phone, might end up being insignificant, he did find it "suspicious."

"The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely?" he asks.

According to Eckhart, there's no way at this time to patch the vulnerability without jailbreaking the phone, which, of course, will void the warranty. If you do hack the phone's OS, you can remove HTC's logger suite, htcloggers.apk, found in /system/app/.

This latest vulnerability exposes the problems that can occur in an open source environment like Android. While it allows phone makers and application developers to make creative changes to the basic system, it can also open the door to abuse of a phone owner's data.
Hottwire Posted October 3, 2011

Glad I have a basic HTC Wildfire then, but even so I've got cyanogenmod on it so I don't think I would be affected :)
Administrator DKT27 Posted October 4, 2011

HTC confirms security issue with Android app

Over the weekend, some folks discovered that a big security hole in HTC's Android-based smartphones could allow any app that uses Android's INTERNET permission to access a range of private user information from that smartphone. Now Engadget has received word from HTC that it is aware of the issue and is working on a solution to fix the security hole.

The issue is apparently related to a recent HTC update that added a suite of logging tools, called HtcLoggers, to a number of Android-based smartphones. The tools collect private user info from the affected phones including location, user accounts, phone numbers, system logs and more.

In HTC's statement, it said, "In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application."

While HTC said there is no evidence that any third party app is in fact being accessed by a malware program with this issue, it added that it is working to fix the issue quickly. The statement said, "Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly."

In the meantime, owners of HTC Android-based phones should be careful when downloading and installing apps "from untrusted sources." HTC gave no indication of when this over-the-air security update will be released.
This topic is now archived and is closed to further replies.