Earlier this morning we reported that serious security issues had been found in a number of HTC phones running its Sense UI skin, which allow third-party applications to view the passwords of saved WiFi SSIDs. The flaw was discovered by the United States Computer Emergency Readiness Team and reported on the Homeland Security website. HTC has responded to the issue on their support website, stating that some of the phones are already fixed through regular security updates. However, some of the phones will need an additional update to be made secure. The manufacturer did not elaborate on which phones are currently safe and which are not.
The flaw affects phones with Sense UI, and seems to go back quite a ways into HTC's catalog. Users of the Desire HD, Glacier (T-Mobile MyTouch 4G), Droid Incredible, Sensation 4G, ThunderBolt, Desire S, EVO 3D and EVO 4G should be wary, but Nexus One and MyTouch 3G owners needn't worry. The last two phones run mostly unmodified Android code, and aren't susceptible to the permissions error in Sense. HTC instructs its customers to check back on its support site in a week for further instructions.
This is the second major security flaw found in Sense in the last few months. Not to beat a dead horse or anything, but doesn't that indicate that Sense (and by extension most custom UIs) isn't worth it? Note that those who install a ROM based on open-source Android are fine as far as security goes, yet still have a voided warranty for their trouble. Isn't it time that HTC starts to let its customers choose whether or not they want Sense on their phone, or at the very least, release one or two models running stock Android? Considering that they've proven their own additions to Android make it less secure, and that the software differentiation is a non-issue for many users, that would seem like a good idea.
Are you listening, HTC? Stock Android is safer, quicker to update and requires less legwork on your end to maintain. Why aren't you letting your customers have the choice to remove Sense?
[via The Next Web]