HTC Android 'massive security' flaw leaks private info like a sieve

The Android Police blog reported on a "massive security vulnerability in HTC Android devices." How bad is it? Pretty bad if you value your privacy; any application that has permission to access the Internet can also gain almost all data on the mobile phone. Then the captured information has permission to be sent to a remote server without your knowledge. This is due to the "snooping environment" modifications HTC made to the Android operating system. For the technically challenged, the researchers summed it up as, "It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door."

Researchers Trevor Eckhart, Artem Russakouskii and Justin Case said the vulnerability affects HTC EVO 3D, EVO 4G, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide, some of the Sensation line, and perhaps the upcoming line of Vigor as well as others that are not yet verified. Eckhart created a proof of concept app that requested "a single Internet permission" yet gained access to cough up almost all the smartphone data. "Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe."

Here is part of the 3.5MB log file data that any app with Internet access can capture:

• GPS locations
• IP addresses, WiFi state and other network information
• Email addresses
• SMS messages
• Call log phone numbers
• List of installed apps, permissions used, user IDs, and versions
• Detailed system information like running processes, memory and CPU data, bootloader and kernel versions, and charging/wake battery status

In theory, the leaked data may be enough "to clone a device." The researchers added, "Who knows what and who can trigger it and potentially get access to your phone remotely?"

The HTCLogger that collects the info seems to have been intended as a way for developers to get detailed data for troubleshooting, but the researchers sounded a bit ticked about this security and privacy vulnerability. "Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter," Russakouskii wrote. "If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in." Russakouskii added that when you install an "innocent-looking new game" from the Android Market "that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of emails."

Like so many companies, HTC's statement claims to take "our customers' security very seriously." If that is true, then why is it setup to leak private info like a sieve? Perhaps HTC was otherwise occupied with getting the US International Trade Commission to investigate HTC's claim of Apple infringing its patents?

It is interesting to note that HTC did not respond to Eckhart's vulnerability disclosure for five business days and that is when the vulnerability info was released to the public. The Android Police blog said, "HTC, you got yourself into this mess, and it's now up to you to climb out of the hole as fast as possible, in your own interest."

Now HTC said, "We are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

Until HTC patches the vulnerability, the Android Police reported that users with rooted HTC mobile phones can manually delete the logging tool found at /system/app/HtcLoggers.apk.  Researchers advise users to avoid downloading any "suspicious apps" that might exploit this security flaw. To learn more about the HTC vulnerability or to download the open-source proof of concept and run the APK, and therefore determine if your HTC can be exploited, read the Android Police.