Tuesday, 4 October 2011

HTC logger exposes Android user data

A "massive security vulnerability in HTC Android devices" has been found. The possible consequences are significant.

A researcher has found that software added by HTC to its Android devices exposes the following data:

  • Phone numbers
  • GPS data
  • SMS messages
  • Email messages
  • Addresses
  • Much more...

Basically, Trevor Eckhart has found that HTC preinstalls a logging application that 'sniffs' a lot of information from the phone and then provides access to its own logs in a fairly loose manner. The upshot is that other applications could use the logger as a proxy to read the data listed above.

Technical details, including a video showing a proof of concept attack, are available from Android Police.



UPDATE: An HTC spokesperson said that the company is "working very diligently to quickly release a security update that will resolve the issue on affected devices." Users will be able to download the fix over-the-air.