HTC Android Devices are Leaking Sensitive User Data

Monday, October 03, 2011

A recent update to the software powering HTC-brand Android smartphones such as the EVO 3D, EVO 4G, Thunderbolt and others has introduced a serious data security and privacy vulnerability, according to researchers posting at Android Police.

The software update included the HTCLogger tool, software meant to enable certain monitoring features for the phone's owners. Unfortunately, the HTCLogger tool also allows the information it gathers to be collected and transmitted by other applications installed on an affected HTC Android device that hold internet access permissions.

"In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in," the article from Android Police states.

The Android Police article goes on to state that "any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
  • active notifications in the notification bar, including notification text
  • build number, bootloader version, radio version, kernel version
  • network info, including IP addresses
  • full memory info
  • CPU info
  • file system info and free space on each partition
  • running processes
  • current snapshot/stacktrace of not only every running process but every running thread
  • list of installed apps, including permissions used, user ids, versions, and more
  • system properties/variables
  • currently active broadcast listeners and history of past broadcasts received
  • currently active content providers
  • battery info and status, including charging/wake lock history
  • and more"

The article's author, Artem Russakovskii, goes on to assert that "the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door."

HTC officials released the following statement on the researcher's findings:

"HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

The research team at Android Police has published more details on the HTC vulnerability, including a proof of concept application, all of which can be found here:

Source:  http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/
