A vulnerability in a logging tool that HTC installs on some of its Android devices poses a serious security problem for their users, according to Android Police.
The devices at risk are the Evo 3D, Evo 4G and Thunderbolt. The vulnerability lets an attacker harvest a great deal of information about the device and its user, information that the phone has been collecting on HTC's behalf, provided the user installs a malicious app written to query the logging tool.
Such malware need not look suspicious: the logging tool can be reached by any app that has been granted Internet access, so almost any app a user installs could carry the attack, and nearly every user installs apps on their phone.
HTC has issued a statement assuring that it is investigating these claims and will determine as quickly as possible what steps, if any, need to be taken. The company did not immediately respond to LinuxInsider’s request for further comment.
What Gets Collected
The data that could be collected ranges from lists of user accounts and email addresses to sync status, last-known network and GPS locations, phone numbers recently called, SMS data and system logs.
“Everything that is going on on the device gets logged by the logging tools and is thus vulnerable to malware,” Nicholas Percoco, head of Trustwave SpiderLabs, told LinuxInsider.
The vulnerability is serious, he added, but it could be worse. “The logging tool listens on a port on the device and is only accessible on the local device itself. A hacker can’t just go in and connect to it — it needs the user to download the malware.”
On the other hand, HTC — unwittingly, no doubt — made the flaw more serious than it had to be.
“Even if users opt out of providing this information to HTC, the application still logs it — it just doesn’t share it with HTC,” explained Percoco. “But it seems to be counterintuitive — why would the logging tool collect the information at all if someone has opted out? That is a flaw in HTC’s logic, if you ask me.”
How to Fix This?
A patch could fix the issue, if HTC should decide to release one, Percoco added.
Patches in the Android environment, however, are not necessarily seamless — at least compared with other platforms.
“The chain of pushing them down to the user is not as clean as in the iOS world,” he said.
“Until there’s a solid response for this from HTC, I’d caution users against installing new apps,” advised Kurt Roemer, chief security strategist at Citrix Systems.
“Delete any nonessential apps and don’t reload them until HTC has provided a fix,” he told LinuxInsider. “Any app with Internet permissions can use the services presented by HTCLogger.”
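The point Percoco and Roemer make above, that a service listening only on the local device is still reachable by every app on that device, is easy to see in code. The following is an added illustration written for this page; it is not HTC's logging tool, not a reconstruction of it, and not from Android Police's analysis. Everything about the service is an assumption: the newline-delimited "protocol", the OS-chosen port, the function names, and the sample records in SAMPLE_LOG, which are constructed. The Unix-socket variant with SO_PEERCRED is the editor's suggested hardening, not HTC's fix, and SO_PEERCRED is Linux-only.

```python
"""Why a service that "only listens on the local device" still leaks.

Added illustration for this article, not HTC's code.  Assumptions:
newline-delimited protocol, OS-chosen port, constructed sample data.
"""
import os
import socket
import struct
import tempfile
import threading

# Constructed sample records standing in for what the article says the
# tool keeps (accounts, location, recent calls, SMS).
SAMPLE_LOG = [
    "account=user@example.com",
    "gps=37.7749,-122.4194",
    "last_call=+15555550123",
    "sms=meet at 9",
]


def _serve_lines(conn, lines):
    """Write the whole log to an accepted connection, then hang up."""
    try:
        conn.sendall(("\n".join(lines) + "\n").encode())
    finally:
        conn.close()


def _read_all(conn):
    """Read until the server hangs up; [] means the client got nothing."""
    data = b""
    while chunk := conn.recv(4096):
        data += chunk
    return data.decode().splitlines()


def start_loopback_logger(lines=SAMPLE_LOG):
    """The flawed design: a TCP listener bound to 127.0.0.1.

    Loopback keeps remote hosts out, but it is not access control: every
    process on the device, including any app holding the Internet
    permission, can connect.  Returns the port the OS picked.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5)

    def run():
        try:
            _serve_lines(srv.accept()[0], lines)
        except socket.timeout:
            pass
        finally:
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def read_as_local_app(port):
    """What any local app can do: connect to loopback and read everything."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        return _read_all(conn)


def start_uds_logger(path, allowed_uid, lines=SAMPLE_LOG):
    """Hardened alternative: a Unix-domain socket that checks who connects.

    Android runs each app under its own Linux UID, so SO_PEERCRED gives the
    server a kernel-attested UID for the peer; any other UID is dropped
    without receiving a byte of log data.  Linux-only.
    """
    if os.path.exists(path):
        os.unlink(path)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o600)        # filesystem permissions as the first gate
    srv.listen(1)
    srv.settimeout(5)

    def run():
        conn = None
        try:
            conn = srv.accept()[0]
            raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                                  struct.calcsize("3i"))
            _pid, uid, _gid = struct.unpack("3i", raw)   # struct ucred
            if uid == allowed_uid:
                _serve_lines(conn, lines)
        except socket.timeout:
            pass
        finally:
            if conn is not None:
                conn.close()     # no-op if already served and closed
            srv.close()

    threading.Thread(target=run, daemon=True).start()


def read_via_uds(path):
    """Client for the hardened service; gets [] unless its UID is allowed."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
        conn.settimeout(5)
        conn.connect(path)
        return _read_all(conn)


def demo():
    """Run the three scenarios and return what each client received."""
    results = {"loopback_any_app": read_as_local_app(start_loopback_logger())}
    path = os.path.join(tempfile.mkdtemp(), "logger.sock")
    start_uds_logger(path, allowed_uid=os.getuid())
    results["uds_allowed_uid"] = read_via_uds(path)
    start_uds_logger(path, allowed_uid=os.getuid() + 1)   # some other app's UID
    results["uds_other_uid"] = read_via_uds(path)
    return results
```

Running demo() shows the loopback client receiving every record, the Unix-socket client with the permitted UID receiving them too, and the client under a different UID receiving nothing. The design lesson is that a TCP port on 127.0.0.1 carries no usable identity for the peer, whereas a Unix socket (or, on Android, a Binder service behind a permission check) lets the service decide per caller; which of these HTC's eventual patch uses is not something this article reports.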
Enterprises might want to consider running virtualized corporate applications only from servers in a data center, added Chris Fleck, vice president of mobility solutions at Citrix.
“This way the data is never on the device to be stolen,” he told LinuxInsider. “Furthermore, dual authentication and password policies can be used to reduce the risk of unauthorized access.”
Hard Questions for HTC
Once the immediate threat is past, users — both consumers and enterprises — need to look at the bigger picture, Azita Arvani of the Arvani Group told LinuxInsider.
“This is a really serious security flaw on several fronts,” she said. “First, the customer thinks he or she is only giving Internet access to an application, while an application can have access to a whole lot more information. More importantly, HTC seems to be logging every move and context information the user has, all in the name of potentially having to debug this — and all of it in one place.”
In short, HTC has a lot of questions to answer, Arvani concluded. “Why is it collecting all this information for any purpose? Why is the information not protected? Why is all of this information all in one place?”