HTC Scrambles to Fix Android Smartphone Flaws
Oct 5, 2011 5:00 AM PT
In an effort to mollify widespread concerns over security vulnerabilities in its Android smartphones, HTC has stated that it's working hard on a security update to resolve the problem.
The vulnerability was due to logging tools HTC introduced when updating its smartphones, the Android Police blog stated.
These tools apparently collect information such as a list of user accounts, phone numbers from the phone log, SMS data and system logs.
Further, network information, CPU information, and detailed information on running processes and installed apps are exposed.
The software does no harm to customers' data, according to HTC's public relations agency, Waggener Edstrom, but there is a vulnerability that could potentially be exploited by a malicious third-party application.
HTC is working on a security patch that will first be sent to carrier partners for testing and then sent over the air to customers to download and install.
"It would appear that a few HTC phones contain a logging mechanism that exposes sensitive user data to an app that requests only permission to access the Internet," Tim Wyatt, principal security engineer for Lookout Mobile Security, told TechNewsWorld.
"HTC is aware of the issue but has not announced how or when they intend to address it," Wyatt continued.
It's All In The Timing
Speed is of the essence in resolving this issue, as the vulnerabilities appear to be extremely dangerous.
In a previous discussion with TechNewsWorld on mobile security, Trusteer CEO Mickey Boodaei said that Google and Apple should be able to react very quickly to new vulnerabilities and attacks in the field.
That speaks to the situation with the HTC smartphones as well.
An app requesting only the "android.permission.INTERNET" permission gains access to a wide range of data, according to Trevor Eckhart, who discovered the vulnerabilities. Theoretically, it may be possible to clone a device using only some of the data an app gathers after being granted that single "android.permission.INTERNET" permission.
Android offers security through a permission mechanism that restricts what operations a particular process can perform.
The "android.permission.INTERNET" request is normal for any app that connects to the Web or shows ads, the Android Police blog said.
"This is another reminder that our mobile phones are computers too," Lookout's Wyatt said. "As we build apps, create custom firmware or make changes to the OS, everyone in the mobile ecosystem needs to take the proper precautions to confirm information accessed on these devices is used and stored securely."
Don't Worry, Be Happy
HTC's attempt to gather information on what owners of its devices are doing is not unusual. Carriers use such information to better monetize their services. However, the problem may lie in the tools it created and loaded onto its smartphones.
The company's advice to owners of its smartphones is to use caution when downloading, using, installing and updating applications from untrusted sources.
It also points out that third-party malware apps exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws, though that may not be much of a deterrent to hackers.
HTC said that it has not learned of any owners of its smartphones having had their devices hacked so far.
What can smartphone device owners do to protect themselves?
Like other mobile security vendors, Lookout suggests users set a password, download a security app, use discretion when downloading apps and make sure they only download apps from sites they trust.