The Android world had a major shock earlier today when several members of Android Police (appropriate, no?) published details of a “massive” security flaw found on several high-profile devices from HTC. The problem comes from a customization that HTC has made to the core Android system, which gives any app that asks for the right permission access to a staggering amount of users’ private and technical data. Even more disturbing, it seems that some of this information can be retrieved remotely by HTC or anyone else, because an HTC app opens up a network port on any affected phone.
The primary issue stems from the “android.permission.INTERNET” permission. Once an app requests this permission, it has access to all sorts of disturbing information on both rooted and non-rooted phones. The private information which any app can access includes email addresses, GPS locations and at least some former locations, call logs, SMS logs, and information from running apps. The HTC app “HtcLoggers.apk” is capable of collecting much of this data and then supplying it to anyone who opens up a network port on the phone. Theoretically, it’s possible to duplicate a user’s entire phone using these vulnerabilities.
Trevor Eckhart originally discovered these vulnerabilities, and the flaws have been verified and cataloged by Artem Russakovskii and Justin Case of Android Police. According to these three, the problems affect a wide range of HTC Android devices across all major carriers. The EVO 4G, EVO 3D, EVO Shift 4G, MyTouch 4G Slide and Thunderbolt were mentioned specifically, so it’s a fair bet that anything running similar hardware and software is likewise affected. The whistle-blowers have created a proof-of-concept app which allows any user (no root required) to examine the data being collected in real time. You can find their exhaustive research and the proof-of-concept app at the source link.
Though Eckhart said that he alerted HTC to these security issues more than a week ago, no official response has been made.
Update: HTC has made the following statement: “HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken.”