HTC is downplaying the severity of the problem and says most affected phones have already gotten the fix via updates and upgrades.
But it acknowledges users will have to manually load the software update and says those users should check back to its help page next week.
The flaw lies within the particular Android build used in certain models of HTC phones. It exposes Wi-Fi login credentials used as part of 802.1X network access control used on wireless networks.
A rogue application with rights to see that information and also with rights to access the Internet could steal the credentials and send them to attackers who might then use them to infiltrate a corporate network.
Google says no such rogue application has been found, according to a description of the flaw at the My War With Entropy blog by Bret Jordan. “Google has also done a code scan of every application currently in the Android Market and there are no applications currently exploiting this vulnerability,” Jordan says.
For its part, HTC posted a paragraph on its help page about the flaw. “HTC has developed a fix for a small WiFi issue affecting some HTC phones. Most phones have received this fix already through regular updates and upgrades. However, some phones will need to have the fix manually loaded. Please check back next week for more information about this fix and a manual download if you need to update your phone,” the posting says.
According to US-CERT, affected phones are:
• Desire HD (both “ace” and “spade” board revisions) – Versions FRG83D, GRI40
• Glacier – Version FRG83
• Droid Incredible – Version FRF91
• Thunderbolt 4G – Version FRG83D
• Sensation Z710e – Version GRI40
• Sensation 4G – Version GRI40
• Desire S – Version GRI40
• EVO 3D – Version GRI40
• EVO 4G – Version GRI40
For average consumers, this isn’t a huge concern, but as researchers Chris Hessing and Bret Jordan note, the exploit “exposes enterprise-privileged credentials in a manner that allows targeted exploitation.”
Hessing and Jordan discovered the flaw in September, and worked with HTC and Google for months before revealing it publicly. “Google and HTC have been very responsive and good to work with on this issue,” the researchers wrote, noting that Google made code changes to better protect Wi-Fi credentials and scanned the Android Market for apps that might be taking advantage of the security flaw. (It found none.)
Although a few other Android vulnerabilities have surfaced in the past, security flaws haven’t become a major issue for the platform, as they tend to get fixed before they become a danger to average consumers.
The bigger concerns for Android users are mobile malware and invasive adware, which surface occasionally because of the open nature of the Android Market. Fortunately, a bit of common sense will keep most users safe from mobile security threats.