HTC logging tools allow any app access to user data

HTC Android phone owners beware, large vulnerability on the loose
Kerry Butters

HTC’s latest Android/Sense software has a vulnerability which collects user data and allows any app to access it.

The hole was brought to light by Trevor Eckhart and can be found on many devices, such as the Evo 3D and Thunderbolt, amongst others.

According to Android Police, recent updates to the HTC software included the introduction of a suite of “logging tools” which collect information.

This could be used by the phone company to better understand problems that occur with devices, or enable better remote access.

However, it seems that the suite is not properly secured and doesn’t allow users to opt in or out of the service.

Additionally, any app that holds the “android.permission.INTERNET” permission can also get hold of a whole host of information on the phone’s user.

This includes accounts, email addresses, GPS locations, phone numbers, text messaging data and system logs.

This means that any app that requests permissions to access the internet on the device can also, if it wanted to, get this information.

Android Police also found that any app could access all of a phone’s information, such as memory, CPU and IP address.

This, they say, makes it “theoretically possible to clone a device using only a small subset of the information leaked.”

Considering the huge rise in malware which has been created for the Android market recently, this would seem to be a glaring error by HTC which needs to be very quickly sorted out.

The problem lies with the HtcLoggers.apk app which has an interface that requires no login or password.

However, AP believe that this is just the “tip of the iceberg” as they have only just begun to look into what other services installed on the phones might be capable of.

They also note that only the stock Sense firmware is affected.

Phones currently thought to be affected include: Evo 3D and 4G; Thunderbolt; Evo Shift 4G; MyTouch 4G Slide, some Sensations and the new Vigor. Of course, most of these are US handsets, but there are certainly some in the UK, such as the recently released Evo 3D and Sensation.

Whilst it’s quite possible that other models are also affected, these are yet to be tested and confirmed.
