HTC phone update opens huge Android OS security leak

HTC, makers of many modern Android phones, introduced a giant security hole with a recent update. How big is this hole? Big enough to leak users' accounts, email addresses, GPS locations, and system logs.

An exhaustive report on the site Android Police appeared October 1 about the work of security researcher Trevor Eckhart. Screenshots abound, as well as a list of phones affected by the security hole. Any app with Internet access can read, copy, and export critical log files full of information that should be kept secure.

Yes, HTC was notified. No, they didn't respond or take any action whatsoever. After waiting, Eckhart put the word of this security snafu out into the world. HTC has released a statement now, but has yet to explain the lack of security for their HTClogger.apk program, and how they plan to patch their serious vulnerability.

Yes, it's serious

Even someone like me with only two weeks of Android programming experience can code something up to send out the data in question.

Tony on

Will be interesting to see the list of apps that accessed that port.

David B on

Looks like a debugging and logging service. I bet this can also be used remotely. Did you try connecting from remote to the phone? If my assumption is correct the service will have all access :S

Janne on

Shame on HTC

Another reason why OEMs should get the f*ck out of customizing the stock OS. They just make it more complicated to make Android devices secure.

PixelSlave on

Sorry, but this is an order of magnitude worse than Apple's location storing - which at least had a sensible purpose behind it.

cloudgazer on

Shocking from HTC... this could affect the sale of their future devices... has this test been performed on Samsung devices?

Zani on

You can't blame this on Android. This is completely HTC's fault.

Flynny on


The problem is not so much how quickly HTC fix the problem, it's how glacially carriers provide updates. This hole will remain open on many phones for a very long time. Some just won't update.

ScaredyCat on

Because this being the highly-customisable and generally open Android platform, all you have to do is delete or block the offending app.

Jedit on

Interesting, fortunately for me, htclogger.apk is one of the first files I removed when clearing out the junk on my Evo 4g after I updated it. I just didn't like the sound of its name. And once removed it seemed to have no adverse effect on how the phone works.

wfrandy on

Do you think manufacturers put these types of programs in with so little testing because they're A) incompetent or B) malicious?
