''Massive'' security hole uncovered in HTC Android phones - Canadian TV, Computing and Home Theatre Forums

 

post #1 of 9 (permalink) Old 2011-10-03, 10:46 AM Thread Starter
Member #1
 
Join Date: Dec 2001
Location: Toronto
Posts: 47,716
''Massive'' security hole uncovered in HTC Android phones

Android Police has done some digging into a suite of logging tools, dubbed HtcLoggers, that were loaded onto a range of HTC phones in a recent update. While the exact purpose of the tools is not known, they collect a bevy of information including, but not limited to, location, user accounts, phone numbers, system logs and some SMS data.

Apparently it is possible for any app that uses Android's INTERNET permission to access - and therefore copy off the device - any of that information. Given that most apps that access the web or display ads request the INTERNET permission, the consequences of this find are, as Artem Russakovskii of Android Police puts it, massive.

Story here


Reading this story frankly has me confused.

My son has an HTC Panache and I'm wondering, is he affected? Should I be concerned? And if so, is there anything I can do?

Thanks in advance.



hugh is offline  
 
post #2 of 9 (permalink) Old 2011-10-03, 11:26 AM
 
Join Date: Dec 2008
Posts: 659
The daughter has the Thunderbolt, which is one of the ones mentioned in the article. From what I have read so far elsewhere, it seems that until a patch is released, the suggested advice is to be careful of downloaded apps (advice passed on to her). Those that have theirs jailbroken, it seems, don't have to worry much as long as they go in and clear all the logged info.
lima20 is offline  
post #3 of 9 (permalink) Old 2011-10-03, 01:33 PM
Veteran
 
Join Date: Dec 2006
Location: Calgary AB
Posts: 4,200
The Panache is similar to the T-Mobile G2 if I am not mistaken. Hopefully that isn't one of the affected models.
BGY11 is offline  
 
post #4 of 9 (permalink) Old 2011-10-03, 02:45 PM
Moderator
 
Join Date: Jun 2009
Location: Toronto
Posts: 3,981
The Panache is actually the same hardware as the MyTouch 4G, but it has a different OS skin, including Sense. It may be affected, but the only way to tell is to try and run their test app.
TorontoColin is offline  
post #5 of 9 (permalink) Old 2011-10-04, 11:07 AM Thread Starter
Member #1
 
Join Date: Dec 2001
Location: Toronto
Posts: 47,716
HTC response acknowledges security hole but no date on when it will be fixed.

Quote:
HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.

HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.


hugh is offline  
post #6 of 9 (permalink) Old 2011-10-04, 01:31 PM
 
Join Date: Nov 2008
Posts: 300
Well, at least they acknowledged it. IMO, that's a pretty fair PR/Damage Control statement at this time
GSMfan is offline  
post #7 of 9 (permalink) Old 2011-10-04, 01:35 PM Thread Starter
Member #1
 
Join Date: Dec 2001
Location: Toronto
Posts: 47,716
Android Police contacted them a week earlier and they ignored it. Had they acknowledged it then, it would never have gone public. Had they not been indifferent, they would not have to have done damage control.

As far as the response, it's pretty meager. No commitment to when the fix would happen. They should be able to rip out the HtcLoggers program in no time.



hugh is offline  
post #8 of 9 (permalink) Old 2011-10-04, 06:05 PM
Veteran
 
Join Date: Mar 2005
Location: Oakville, Cogeco
Posts: 3,210
Maybe it took them a week to confirm it was real. The concern here is the security problem, not how they have dealt with it so far. As for a timeframe to fix it, they might as well not make promises until they know what can be done. They have to check with carriers.
asif9t9 is offline  
post #9 of 9 (permalink) Old 2011-10-04, 11:08 PM Thread Starter
Member #1
 
Join Date: Dec 2001
Location: Toronto
Posts: 47,716
Quote:
Maybe it took them a week to confirm it was real.
Maybe, but frankly I doubt it.
Android Police was correct and gave HTC the tools to test it themselves. It seems they could have tested it in a day. I highly doubt HTC gets these types of notifications on a daily basis.

If time was a problem, they could have contacted Android Police and said that they were unable to replicate it and to give them a few more days but instead they chose to ignore the site.

My guess is HTC just blew them off and then it came back to bite them in the butt.

Also I think they could have given a timeline such as "we hope to have a fix to carriers within 7 to 10 days". Just saying "we're working on it and we'll have it figured sometime in the future" is not acceptable.



hugh is offline  