Proof of Concept App Exposes "Massive Security Vulnerability" in HTC Android Handsets

Paul Lilly

Those of you rocking an Evo 3D, Evo 4G, Thunderbolt, or any number of affected HTC Android devices may have a serious security issue on your hands. A website is claiming recent updates to some HTC handsets grant apps an enormous amount of freedom to collect personal information, and to do so in such a way that your data can easily fall into the wrong hands.

AndroidPolice.com is blowing the whistle on HTC for introducing a suite of logging tools that collect lots of personal information. The site is working with security researcher Trevor Eckhart, who discovered the vulnerabilities in HTC's software, to investigate just how problematic the situation might be. According to their initial findings, any app that requests and is granted permission to access the Web can then help itself to a treasure trove of information: user accounts, email addresses, last known network, GPS data, IP addresses, SSIDs, phone numbers stored in the phone log, SMS data, and system logs containing private information.

Apps that exploit this vulnerability can also uncover specifics about your phone. Using only a small subset of the information leaked, AndroidPolice says it's theoretically possible to clone a device.

AndroidPolice created a proof of concept app that exposes how easy it is to silently capture personal data and send it over the Internet. Eckhart said he tried contacting HTC over a week ago but so far hasn't heard anything back. It's AndroidPolice's hope that by going public with the information, HTC will spring to action. Their strategy seems to be working.

"HTC takes customers' security very seriously, and we are working to investigate this claim as quickly as possible," an HTC spokesperson told VentureBeat. "We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

You can view a YouTube video of the security flaw in action here.

Image Credit: AndroidPolice.com
