HTC working to fix serious security flaw
HTC is working on an over-the-air update for its handsets to fix a serious security flaw that could expose users’ personal data.
The company said it planned to rush out the fix as soon as possible after Android security bloggers disclosed the vulnerability, which stems from weaknesses in HTC’s logging tools.
“HTC takes claims related to the security of our products very seriously,” the company said in a statement. “In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application.”
HTC does not believe any customer data has been compromised to date, but the ease with which the Android Police team managed to exploit handsets suggests users should update as soon as the patch becomes available.
“HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices,” the company said.
“Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly.”
HTC urged consumers to avoid downloading, or updating, apps from sources they don’t trust until the patch has been rolled out.
The vulnerability affects a range of HTC handsets, including the EVO 4G and 3D, the Thunderbolt and some Sensation handsets – potentially leaking data such as email accounts, location information, SMS logs and phone numbers.
While the update should fix the problem, the company still came under fire because the vulnerability was of its own making.
“In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information,” Android Insider said. “Lots of information.”
“Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness – it doesn’t matter,” the bloggers added. “If you, as a company, plant these information collectors on a device, you better be damn sure the information they collect is secured and only available to privileged services or the user, after opting in.”