A security hole has been detected in some of HTC’s Android smartphones that allows apps with Internet connectivity to access GPS location, email addresses, contact details and text messages. The smartphones under the scanner are the EVO 3D, EVO 4G, Thunderbolt and possibly even the Sensation range.
“In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in,” says Artem Russakovskii. He, along with Trevor Eckhart and Justin Case, revealed this on the website AndroidPolice.com.
The vulnerability has been detected in the HTC Sense UI package, and pinpointed to the HTCLoggers.apk package. Apps can access this package, retrieve the sensitive data, and upload it to their remote server. For more, see the video below.
At the moment, there is no way of getting rid of this issue unless HTC rolls out an update. It is really a matter of when, not if. Alternatively, users can root their phones, which gives them the ability to delete the vulnerable package from the device.
This exposes the ugly side of the open source environment, which Android falls under. Allowing developers and phone makers to make changes to the software does increase the chances of sensitive user data on the phone being compromised.
HTC is looking into the issue, and has announced: "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."