HTC’s skinned version of Android contains a serious security flaw which allows any application access to a huge trove of your personal information, according to mobile blog Android Police.
HTC’s proprietary Sense software — which runs on the company’s EVO 4G and Thunderbolt smartphones, amongst others — contains almost everything that happens on your phone in a data file, including GPS location information, phone numbers, SMS data (plain numbers and encoded text), and more. Any app can get access to this data simply through a permissions request.
The problem is due to logging tools that HTC recently added, which gather a huge amount of personal info and usage data. HTC hasn’t provided a reason for adding the tools.
Here’s the process, as described by Android Police:
any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on [the data.]
Worryingly, there is an off-by-default VNC server included in the OS. This could possibly allow remote access, according to Artem Russakovski at Android Police.
Out of all the currently available mobile operating systems, security issues and exploits plague Android the most by far. Because applications submitted to the Android Market are not vetted by Google in advance, malware and insecure applications have a far greater chance of slipping in undetected. In August, McAfee released a report citing Android as the “most attacked operating system,” with Android mobile malware attacks jumping 76 percent in a three month period. In May, the popular Skype app for Android was also discovered to contain a security vulnerability, which could allow malicious apps access to personal data.
But as Android Police says, the Skype loophole pales in comparison to HTC’s security issues. Whereas Apple could deploy a quick fix just a week after its GPS-gate affair (which was little more than location data being cached in the iPhone and not being encrypted during backups), Android OS updates are notoriously slow to roll out. Because the carrier takes care of the updates, it can be months before they are pushed to customers, if at all.
Tech savvy users can root their phones and remove the HTCloggers apk file. The majority of Android users will have to wait for this update.
Massive Security Vulnerability In HTC Android Devices Exposes Phone Numbers, GPS, SMS, Email Addresses [Android Police]
See Also:
Authors: