News of HTC's massive security leak spread through the Android community like wildfire over the weekend, causing many US users of the popular Taiwanese smartphones to wonder just how much of their personal information was leaking online. Naturally, HTC has gone into full damage control mode and promises a complete patch shortly. While HTC's press release does admit that the data vulnerability represents a massive compromise of user privacy, they stress that the hole came to light before any malicious software could exploit the vulnerability and that there are currently no known customers whose data was stolen using the security hole. Full press release after the jump.
HTC press release:
HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.
HTC's latest updates have included a slew of logging tools, designed to allow HTC to better track their users' habits and usage styles. Normally, companies adding this kind of tracking capability for internal use take great pains to make sure the data stays in the hands of those it is intended for. However, it looks like HTC has failed to maintain their due diligence and left critical information unencrypted on all of their Android handsets.
Currently, any app that requests the android.permission.INTERNET permission (in other words, virtually all apps in the marketplace) can gain access to information including:
A list of user accounts and associated sync statuses
A list of frequented networks, GPS locations and associated movement history
Phone numbers from the call log
Texting data, including phone numbers and text content
System logs (both kernel/dmesg and app/logcat)
According to Androidpolice, enough information to possibly remotely clone a handset
The laundry list is extensive, and it's hard to say which possibility is more concerning. Currently, affected HTC handsets include: EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G, and MyTouch 4G Slide, though it is highly probable that other models running similar builds will be affected as well.
Until the patch is released, there is no fix for the security hole that does not require root access to your phone. So, for all those HTC customers concerned about security: until the patch is released, be careful what you download from the app store. For a demonstration of the HTC security vulnerability, check out the video below.