HTC has acknowledged a security vulnerability in several of its smartphones but dodged responsibility for the flaw. The vulnerability exposes nearly all a user’s data to any app that can access the Internet from the handset.
HTC released a statement saying, “In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application.”
The statement appears to skirt the issue revealed by security researchers: that modifications made by HTC to the version of Android in several of the company’s smartphone models made data in the handsets easy pickings for Web-accessible apps.
Researchers found a suite of logging tolls on HTC’s EVO 3D, EVO 4G, Thunderbolt and possibly its Sensation line of phones that collect a lot of information about the devices. That information could easily be accessed by practically any app. “If you, as a company, plant these information collectors on a device, you better be damn sure the information they collect is secured and only available to privileged services or the user, after opting in,” one of the researchers, Artem Russakouskii, wrote at the Android Police website. That doesn’t appear to be the case with these HTC tools.
In its statement, HTC cautioned malware developers about the consequences of exploiting the vulnerability. “A third-party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws,” the company said.
HTC said it is “working very diligently to quickly release a security update that will resolve the issue on affected devices.”
“Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it,” the statement said.
Until that time, however, the company advised its customers to use caution when downloading and installing or updating apps from untrusted sources.
The researchers had an alternative suggestion for more adventurous Android users: remove HTC’s logging tools from the phone. That, however, requires jailbreaking, or rooting, the phone, which voids its warranty.