HTC, makers of many modern Android phones, introduced a giant security hole with a recent update. How big is this hole? Big enough to leak users' accounts, email addresses, GPS locations, and system logs.
An exhaustive report on the site Android Police appeared October 1 about the work of security researcher Trevor Eckhart. Screenshots abound, as well as a list of phones affected by the security hole. Any app with Internet access can read, copy, and export critical log files full of information that should be kept secure.
Yes, HTC was notified. No, they didn't respond or take any action whatsoever. After waiting, Eckhart put the word of this security snafu out into the world. HTC has released a statement now, but has yet to explain the lack of security for their HTClogger.apk program, and how they plan to patch their serious vulnerability.
Yes, it's serious
Even someone like me with only two weeks of Android programming experience can code something up to send out the data in question. - Tony on androidpolice.com
Will be interesting to see the list of apps that accessed that port. - David B on blogs.computerworld.com
Looks like a debugging and logging service. I bet this can also be used remotely. Did you try connecting from remote to the phone? If my assumption is correct the service will have all access :S - Janne on androidpolice.com
Shame on HTC
Another reason why OEMs should get the f*ck out of customizing the stock OS. They just make it more complicated to make Android devices secure. - PixelSlave on androidpolice.com
Sorry, but this is an order of magnitude worse than Apple's location storing - which at least had a sensible purpose behind it. - cloudgazer on theregister.co.uk
Shocking from HTC.... This could affect the sale of their future devices.... Has this test been performed on Samsung devices? - Zani on androidpolice.com
You can't blame this on Android. This is completely HTC's fault. - Flynny on androidpolice.com
The problem is not so much how quickly HTC fix the problem, it's how glacially carriers provide updates. This hole will remain open on many phones for a very long time. Some just won't update. - ScaredyCat on androidpolice.com
Because this being the highly-customisable and generally open Android platform, all you have to do is delete or block the offending app. - Jedit on theregister.co.uk
Interesting, fortunately for me, htclogger.apk is one of the first files I removed when clearing out the junk on my Evo 4G after I updated it. I just didn't like the sound of its name. And once removed it seemed to have no adverse effect on how the phone works. - wfrandy on androidpolice.com
Do you think manufacturers put these types of programs in with so little testing because they're A) incompetent or B) malicious?