HTC blows biggest security hole ever in its own phones

One app collects private data and hands it out, another gives strangers remote control

It seems as if every Android app wants access to every bit of data you ever touch or think about while carrying your phone, but a recent update to the firmware for its Android phones carries HTC's definition of "everything" beyond boundaries even Apple had (mostly) obeyed.

In a series of small updates to some of its Android smartphones, HTC has added a function called the HTC Logger that gives most apps access to the list of user accounts on the phone, GPS locations, SMS phone numbers and possibly keys to crack its encryption and almost any system log on the phone.

That's according to researchers at Android Police, which broke the story in April that Skype's Android client tore a big hole in the security envelope of the average Android phone, until Skype scotch-taped it back up again.

Updates deliver an app called HtcLoggers.apk that collects nearly all the relevant data, stashes it in one accessible place and gives it to any app to which the owner has given permission to access the Internet.

Since nearly every app uses an Internet connection, whether to collect news, weather or other data for display on the phone or to get updates and patches for itself, almost any application on the phone is able not only to access the data but to use that Internet connection to broadcast it back to its own home server, according to Android Police.

HTC has also been including an app called androidvncserver.apk, which acts as the client for a virtual network connection – a remote-control, remote-access connection – that could provide an avenue for almost any HTC Android phone to be taken over and controlled remotely.

The list of logs, bits of information and unsecured access to sources of information is stupidly long and complicated.

It's also a very popular topic on Android forums, where some users like the idea of the VNC, but mainly as a way for them to get access to the machine remotely, if they're already rooted.

Most don't seem to realize the same permission that gives the VNC the right to connect to the Internet provides an almost open door back into the phone as well.

With the permission labeled android.permission.INTERNET, an app can track you, read your emails, bills, secret encrypted passwords, the store-loyalty discount card numbers and credit card numbers, tokens, certificates and cookies from bank or financial institutions, and presumably, if you spit too much while you talk and get the mic all slobbery, your DNA profile as well.

HTC isn't saying what the apps are collecting, why it included them or what it plans to do with them, according to TheRegister, to whose questions it responded with a canned statement that it is "taking its customers' security seriously."

Since there are also a lot of apps on the Android Market designed to give remote access from the phone to personal PCs or to act as remote controls for Media Center PCs from the phone, those machines, presumably, are also vulnerable to apps given a single permission on a totally separate device.

HTC got the notice a week ago and hasn't taken customers' security seriously enough so far either to have the apps removed or explain what they're doing there in the first place.

Nice, nice work, HTC.

It takes a lot to be more Big Brotherish and less secure than Apple is with iOS, but putting in a special app to package up all the private data in one convenient spot and putting in an uncontrolled remote-access function the owner doesn't know about and has no way short of rooting to cut out? Very nice work.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.
