A major security vulnerability in new HTC handsets running Android has been exposed by Android Police, an Android Web blog.
The hole allows third-party apps to track system logs, e-mails, recent GPS locations, SMS data, phone numbers, running processes, encoded text and more.
According to the Android Police report, a recent HTC logging tool update caused the security hole, affecting devices such as the Thunderbolt, EVO 3D, EVO 4G, some Sensations and others.
Any app used on such a device that asks for permission to access the Internet can then theoretically steal the user's personal files.
Prior to the logging update, the android.permission.INTERNET permission would only grant an app access to the phone's Internet connection and not any personal information.
Developer Trevor Eckhart, who discovered the vulnerability, informed HTC of his findings on 24 September and received no official response after five working days. Eckhart then decided to go public with the information.
'Frivolous doings'
According to Android Police, Eckhart's findings expose “ridiculously frivolous doings, which HTC has no one else to blame but itself”.
“If you, as a company, plant these information collectors on a device, you better be sure the information they collect is secured and only available to privileged services or the user, after opting in,” says Android Police.
“Theoretically, it may be possible to clone a device using only a small subset of the information leaked here.”
Android Police says it is not possible to remove the vulnerability without an update from HTC, or rooting the phone oneself and removing the Htcloggers app.
HTC is yet to release an official statement on the issue.

