Monday, October 3, 2011

HTC Android Phones Leak Private User Data

Via Threatpost.com -

There is a serious security issue with a variety of HTC Android phones that enables any app with Internet permissions to access a huge amount of private data on the device, including call logs, email addresses, SMS messages, last known GPS location and more. The problem was introduced via an update to the HTC phones that installed a tool called HTCLogger that collects the data.

The issue was discovered late last week and researchers developed a proof-of-concept app that shows how much data any arbitrary app can access on the affected devices, which include the EVO 4G, EVO3D, Thunderbolt and others. The leak of what should be private data is enabled by the presence of the HTCLogger tool, according to a report on the Android Police site, and any app installed on an affected device that has Internet permissions can then access the data cache via a local port. Many Android apps have the android.permission.INTERNET permission by default.

[...]

HTC did not immediately respond to a request for comment on the issue.

The list of functions and information that the HTCLogger app can access is long, and includes both coarse and fine location data, network information, IP address, WiFi state, detailed data on the OS version and kernel, account information on the device, system logs and other data. The HTC tool was apparently meant as a way for developers to get detailed information about what is causing problems on a device. However, as the Android Police research shows, that data also can be accessed by a long list of other apps and used for other purposes.

The problem only affects HTC Android phones with the stock Sense firmware installed. Users who have rooted their phones may be able to delete the logging tool themselves. The file is located at /system/app/HtcLoggers.apk, according to the Android Police report.


-------------------------------------------------------------------

It would seem that HTC totally screwed up and didn't consider the security impact of their new application development helper tool.
