HTC phone update opens huge Android OS security leak

HTC, makers of many modern Android phones, introduced a giant security hole with a recent update. How big is this hole? Big enough to leak user accounts, email addresses, GPS locations, and system logs.

An exhaustive report on the site Android Police appeared October 1 about the work of security researcher Trevor Eckhart. Screenshots abound, as well as a list of phones affected by the security hole. Any app with Internet access can read, copy, and export critical log files full of information that should be kept secure.

Yes, HTC was notified. No, they didn't respond or take any action whatsoever. After waiting, Eckhart put the word of this security snafu out into the world. HTC has released a statement now, but has yet to explain the lack of security for their HTClogger.apk program, and how they plan to patch their serious vulnerability.

Yes, it's serious

Even someone like me with only two weeks of Android programming experience can code something up to send out the data in question.

Tony on androidpolice.com

Will be interesting to see the list of apps that accessed that port.

David B on blogs.computerworld.com

Looks like a debugging and logging service. I bet this can also be used remotely. Did you try connecting from remote to the phone? If my assumption is correct the service will have all access :S

Janne on androidpolice.com

Shame on HTC

Another reason why OEMs should get the f*ck out of customizing the stock OS. They just make it more complicated to make Android devices secure.

PixelSlave on androidpolice.com

Sorry, but this is an order of magnitude worse than Apple's location storing - which at least had a sensible purpose behind it.

cloudgazer on theregister.co.uk

Shocking from HTC.... this could affect the sale of their future devices....has this test been performed on Samsung devices?

Zani on androidpolice.com

You can't blame this on Android. This is completely HTC's fault.

Flynny on androidpolice.com

Fixes

The problem is not so much how quickly HTC fix the problem, it's how glacially carriers provide updates. This hole will remain open on many phones for a very long time. Some just won't update.

ScaredyCat on androidpolice.com

Because this being the highly-customisable and generally open Android platform, all you have to do is delete or block the offending app.

Jedit on theregister.co.uk

Interesting, fortunately for me, htclogger.apk is one of the first files I removed when clearing out the junk on my Evo 4g after I updated it. I just didn't like the sound of its name. And once removed it seemed to have no adverse effect on how the phone works.

wfrandy on androidpolice.com

Do you think manufacturers put these types of programs in with so little testing because they're A) incompetent or B) malicious?
