HTC has confirmed claims that a major security vulnerability exists in its Sense platform that gives way too much leeway to any third-party application requesting Internet access. Android Police blew the whistle on the security flaw, pointing out that malicious applications could access private data, including SMS messages, GPS data, email addresses, IP addresses, and other information they're not authorized to view.
The site built a proof-of-concept app to demonstrate how it works, and also to get HTC's attention. The message was received loud and clear, and HTC promised to look into the issue. True to its word, HTC launched an investigation and provided the following update:
"HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources." (Emphasis added by HTC)
HTC didn't say exactly when carriers will begin pushing out these OTA updates, but given the fact that this is a pretty gaping security hole, we imagine it won't be long.