updated 12:50 pm EDT, Sun October 2, 2011
HTC may slip personal, device data in major bug
An investigation may have revealed a major security exploit in HTC's Android phones. The look, by Android Police and custom firmware maker Trevor Eckhart, alleges that HTC's most recent custom Sense UI interface has logging tools such as HTCLogger that insecurely collect private data. Any app that requires basic Internet permission can technically have access to account information, phone numbers, text messages, and even precise device information such as processor and memory details, installed apps, and location.
The logging tools themselves have their own extensive command systems, but no login checks. They use root-level privileges to try and send out certain kinds of features, the researchers checked. HTC even has a VNC client in its installs that could theoretically be used to remotely access the phone itself if the device was compromised.
Phones known to include the code in question are headlining phones such as the Evo 3D, Evo 4G, and Thunderbolt. Other phones, such as the myTouch 4G Slide, the Sensation, and even future phones like the Vigor, might also be susceptible.
HTC was reportedly contacted about the flaw more than a week ago to privately disclose the problems before an attempt but hasn't responded so far. It may be investigating the issue but hasn't confirmed this.
While it remains possible that the actual susceptibility of the logs to the attack is being overstated, the discovery if substantiated could leave a large portion of Android itself open to privacy violations. Google itself tends to require consent before information leaves a device, but its willingness to let third parties customize the underlying code lets its hardware partners potentially create security exploits and privacy concerns that didn't exist before. Apple doesn't offer freedom to customize the code on iOS but, as it controls the whole process, also can't be undermined by a third party.