The guys over at Android Police have discovered a possible flaw in the security of some recently released HTC Devices that could expose a lot of your data to any nefarious developers out there.
Apparently the security issue comes from a tool installed on some HTC Devices called HtcLoggers.apk which was supposed to be used by HTC to improve the overall quality of their phones and also any bugs that may arise (is SenseUI considered a bug?). The issue is that the data collected is not encrypted. So any application that is installed which requires the permission android.permission.INTERNET (which is a fairly basic permission for most applications) can access things like phone numbers from the phone log, SMS data, including phone numbers and encoded text (they’re not sure if the text can be decoded), GPS and Network Location information and a few other things.
After the scandal that hit the iPhone involving location data being kept unencrypted, you’d think that this sort of information would have been locked down as tight as possible but it appears it has been left wide open for seemingly any app developer with ill-intent to utilise.
Most of the phones listed by AndroidPolice are not available in Australia, but the ones that are available are :
- EVO 3D
- some Sensations
At this stage they have been unable to verify exactly which models other than these are affected; further, there are no reports of any malicious apps actually accessing this data, so the time for panic is not yet upon us.
HTC is apparently looking into this, so expect a patch of some sort to come out from them at some stage. Although no ETA has been given, as HTC is still investigating, the guys at Androidandme.com had this quote from HTC :
HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.
If however you have root access to your phone and would like to jump the gun you can remove the file from your phone from here : /system/app/HtcLoggers.apk.
Please note: Playing with your phone’s files is something you should do only if you are supremely confident in doing so, if you have any doubts, please wait for HTC to work their magic.