Security Loophole In HTC Android Devices

How do you feel if a clone of your Android-powered mobile phone is created by mining data from your mobile phone? Not very pleasant to contemplate, Right? A loophole in the latest HTC Android phones can theoretically make this possible. Android Police has found that HTC's software installed on phones such as EVO 3D, EVO 4G, Thunderbolt, EVO Shift, among others exposes the phone's data to 3rd-party applications.

HTC applications causing the vulnerability

The culprit here is the HTC application “HtcLoggers.apk” that collects and stores the user's private, confidential, and technical data. The application can supply all these information to anyone who opens a network port on the phone. The permission “android.permission.INTERNET” is called by an app to gain access to internet; the permission granted to the app not only allows it access to the internet, but also allows access to the user's private information logged by “HtcLoggers.apk”.

The information that could be exposed include:

1. Call logs


2. SMS logs


3. Email addresses


4. Last known network and GPS locations


5. Phone numbers


6. System logs


7. Memory info


8. CPU info


9. List of installed apps


10. Battery info and status


11. Etc.

HTC also installed androidvncserver.apk on the Android OS installations, which is basically a remote access server. Once internet access is secured both these apps can work in tandem: HtcLoggers.apk can collect the data and android.permission.INTERNET can ship it to a remote server. Although this is a speculative scenario at present, it cannot be gainsaid that a real threat exists.

HTC software fix

HTC has said a software patch is in testing and will be shortly pushed to the affected Android devices. The software will be sent over-the-air and users will be advised to download and install it. In the statement HTC said “... there is a vulnerability that could potentially be exploited by a malicious 3rd-party application ... HTC is working very diligently to quickly release a security update”. Meanwhile, HTC has urged users to use caution when downloading, installing, and updating applications from untrusted sources.

Impact on Android development ecosystem

Although this is primarily an HTC issue, the Android development community is vexed that users may misconstrue this as an issue with the Android mobile applications software. Google does not control the development market and it is suspected that a small percentage of apps are malware or spyware. The above issue may not affect the Android developers. It is pertinent to note here the Android platform provides a rich security model that enables the user to grant or deny capabilities to an app. Users are advised discretion when downloading, installing, and running apps.

The future of Android development

Android follows an open architecture system where anyone can add anything which compromises the overall experience of Android mobile applications. On the other hand, a closed architecture will allow for a consistent and secure development environment. Android development is an open source resource available for free use and many developers outsource Android development to 3rd parties or decide to offshore Android development. Hence, inevitably it is constantly at risk of exploitation by unscrupulous Android developers. It is hoped that the HTC Android phone security loophole is patched up soon and Android mobile applications continue its impressive story of incredible development.



For More Info:- Android Development | Offshore Android Development