Security researchers say they’ve uncovered a flaw in severalsmartphone models produced by HTC that gives any application that hasInternet access the keys to a trove of information on the phone,including e-mail addresses, GPS locations, phone numbers, and textmessage data.
Phone models claimed to be affected by the vulnerability are the EVO 3D,EVO 4G, Thunderbolt, and possibly HTC’s Sensation line.
The researchers, Trevor Eckhart, Artem Russakouskii, andJustin Case, say they informed HTC of the vulnerability on September24, but after HTC failed to respond to their warning for five days,they went public with their knowledge on Friday.
The security gap in the HTC phones stems from modifications the companymade in versions of the Android operating system in EVOand Thunderbolt models. Those changes add a suite of logging tools tothe system. “If you, as a company, plant these information collectorson a device, you better be DAMN sure the information they collect issecured and only available to privileged services or the user, afteropting in,” Russakouskii wrote yesterday at the AndroidPolice website.
That’s not the case here, he notes. The modifications made toAndroid by HTC allow any application that you give permission to accessthe Internet from the phone access to a plethora of sensitiveinformation on the device. What’s more, it also has permission to sendthe data that it finds wherever it wants on the Net without yourknowledge.
“Normally, applications get access to only what is allowed by thepermissions they request, so when you install a simple,innocent-looking new game from the [Android] Market that only asks forthe INTERNET permission (to submit scores online, for example), youdon’t expect it to read your phone log or list of e-mails,”Russakouskii explains.
He compares the vulnerability to leaving the keys to your house underthe welcome mat and not expecting anyone to find them.
Data that can be peeked at by any app with Internet access include:
- E-mail addresses
- Last known network and GPS locations.
- Phone numbers from phone logs.
- SMS data, including phone numbers and encoded text.
- System logs, which track everything your apps do, such aslogging into secure locations.
- System information such as onboard memory, CPU data,running processes and list of installed apps, including permissionsthey use and your user IDs for them.
In addition to the logger suite, Russakouskii notes, HTC has furthermodified Android with the addition of something namedandroidvncserver.apk. While the addition of that app, which is designedto give third parties remote access to a phone, might end up beinginsignificant, he did find it “suspicious.” “The app doesn’t getstarted by default, but who knows what and who can trigger it andpotentially get access to your phone remotely?” heasks.
Accordingto Eckhart, there’s no way at this time to patch thevulnerability without jailbreaking the phone, which, of course, willvoid the warranty. If you do hack the phone’s OS, you can remove HTC’slogger suite, htcloggers.apk, found in /system/app/.
This latest vulnerability exposes the problems that can occur in anopen source environment like Android. While it allows phone makers andapplication developers to make creative changes to the basic system, itcan also open the door to abuse of a phone owner’s data.