HTC blows biggest security hole ever in its own phones

One app collects private data and hands it out, another gives strangers remote control


It seems as if every Android app wants access to every bit of data you ever touch or think about while carrying your phone, but a recent update to the firmware for HTC's Android phones carries the company's definition of "everything" beyond boundaries even Apple had (mostly) obeyed.

In a series of small updates to some of its Android smartphones, HTC has added a function called the HTC Logger that gives most apps access to the list of user accounts on the phone, GPS locations, SMS phone numbers and possibly keys to crack its encryption and almost any system log on the phone.

That's according to researchers at AndroidPolice.com – which broke the story in April that Skype's Android client tore a big hole in the security envelope of the average Android phone, until Skype scotch-taped it back up again.

Updates deliver an app called HtcLoggers.apk that collects nearly all the relevant data, stashes it in one accessible place and gives it to any app to which the owner has given permission to access the Internet.

Since nearly every app uses Internet connections either to collect news, weather or other data for display on the phone or to get updates and patches for itself, almost any application on the phone is able not only to access the data but also to use an Internet connection to broadcast it back to its specific home, according to Android Police.

HTC has also been including an app called androidvncserver.apk, which acts as the client for a virtual network connection – a remote-control, remote-access connection – that could provide an avenue for almost any HTC Android phone to be taken over and controlled remotely.

The list of logs, bits of information and unsecured access to sources of information is stupidly long and complicated.

It's also a very popular topic on Android forums, where some users like the idea of the VNC, but mainly as a way for them to get access to the machine remotely, if they're already rooted.

Most don't seem to realize the same permission that gives the VNC the right to connect to the Internet provides an almost open door back into the phone as well.
