Tuesday, October 4, 2011

HTC to release urgent privacy fix for smartphones













HTC is to release an urgent update for several of its smartphones to fix a vulnerability which could leave personal information at risk.


The Android Police blog discovered that a user's GPS location and call logs could be easily accessed by net-enabled apps.

After investigating, HTC admitted the flaw could be "exploited by a malicious third-party application".

It said affected users will be notified of the update automatically.

"HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices," a spokesperson said.

Users will be able to download the fix over-the-air.

The company has not yet confirmed exactly which models are at risk, but it is understood that the EVO 3D, EVO 4G, Thunderbolt and potentially the Sensation range are all susceptible to the vulnerability.

Until the patch is released, the company urges users to "use caution when downloading, using, installing and updating applications from untrusted sources".

The flaw relates to a particular file which contains a vast amount of personal information including GPS location history, SMS data, phone logs and e-mail accounts.


Apps can gain access to the file by requesting permission to access the internet - a common occurrence for apps that allow the posting of top scores or messages on social networking sites.

HTC said they have found no evidence that this flaw has been exploited for malicious purposes, but conceded it does pose a threat to the protection of the user's information.

The statement read: "In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application.

"A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws.

"So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability."

The company said the patch will be released after a short period of testing, and users are urged to download the update promptly.

Artem Russakovskii, the blogger who made the flaw public, welcomed the quick action by HTC, but said he still had concerns over the manner in which large amounts of personal data are kept in the single file.

He wrote: "While I applaud HTC's desire to fix the situation quickly, I do have to wonder whether the patch will simply apply some sort of an authentication scheme to the service while letting it continue collecting the same kind of sensitive data to be potentially reported back to HTC or carriers."
















Security flaw exposed in HTC Android smartphones

HTC has acknowledged the security flaw and issued the following statement:
"HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application.

A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.

HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources."

Malicious apps can gain access to personal data stored on some Android smartphones made by Taiwanese firm HTC, say security researchers writing on the Android Police blog. Any app with permission to access the internet - which includes most ad-supported apps - can read off data including email addresses, location history and call logs. Affected models include the HTC EVO 3D, EVO 4G and Thunderbolt, say the researchers.

The data is gathered by an app called HtcLoggers. It was designed by HTC to log information for troubleshooting purposes, but it turns out that anyone can access the information without the need for a password or any other protection. "It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door," say the researchers.

HTC has issued the following statement in response to the claimed vulnerability: "HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

Until then, users who have "rooted" their phone (modifying the operating system to provide greater access to the device) can delete the HtcLoggers app, while those with unmodified phones should avoid downloading any suspicious apps that could be taking advantage of this security flaw.


