Oct 03 AT 10:45 AM Nick Gray 27 Comments

HTC security hole could put some of your personal information at risk


If you happen to own one of those fancy new HTC phones that have come out over the past few months, you might want to hold off on downloading any new apps from less-than-trustworthy developers.

The folks over at Android Police have discovered that the HTCLogger.apk included in newer HTC devices and system updates doesn’t secure any of the data that it collects. HTC Logger is intended to capture system logs, GPS location, user accounts and other data to help HTC monitor handset issues, which HTC should be using to push out fixes in a more timely fashion. The problem is that all the data captured by the app is stored on the handset and can easily be read by any application that holds the Internet permission (android.permission.INTERNET), a permission that a large share of apps request.

The security vulnerability caused by HTCLogger is certainly critical, but we do believe the whole situation has been blown out of proportion. By fully disclosing how to take advantage of the vulnerability, Android Police has given hackers and app developers with malicious intent everything they need to capture the information stored by HTCLogger. There’s currently no indication that any rogue apps are taking advantage of this vulnerability, but we suggest you think twice before installing applications from developers you don’t know or trust until HTC resolves the issue.

HTC is aware of the vulnerability and is looking into fixing the problem. But if you have root access and want to take matters into your own hands, you can uninstall the app from /system/app/HtcLoggers.apk and be done with this whole issue.

“HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken.”

HTC

Will any of you be waiting around for HTC to correct the issue? Or will you simply remove the HtcLoggers.apk and move on?

Source: Android Police

Nick is a tech enthusiast who has a soft spot for HTC and its devices. He started HTCsource.com (the first HTC blog) back in 2007 and later joined the Android and Me family in the summer of 2010.


  • BiGMERF

    Seems like security holes are found in everything these days... sometimes I think it’s intentional.

  • Paul

    Well, they gave HTC a heads up and gave them 5 business days to respond, and HTC completely ignored it. So I hope this ‘lights a fire’ under their proverbial butts and gets them to do something about it. Like with any vulnerability, manufacturers would love to ignore it and focus on more profitable things like the next phone or whatever, but if enough people know about it and get upset about it then they have no choice but to go back and patch their software and address the issue. I just don’t like that HTC ignored the bug fix and I hope that enough people can get them to actually do something about it.

    • http://www.nexsoftware.net Justin Shapcott

      Paul – It is not customary to provide source code to exploit a vulnerability in the wild when there is not a workaround for the vast majority of those who might be affected. That’s bad form. The original post was done under the guise of ‘responsible disclosure’, but in telling exactly how to exploit it, they stepped into the realm of ‘irresponsible disclosure’.

    • http://www.anthonydomanico.com Anthony Domanico

      Why do people think that the phone design team and the people who work on Sense/bugs are the same people?

      • http://htcsource.com Nick Gray

        I think people forget that there are hundreds if not thousands of people who are involved in handset development and maintenance.

        • http://www.nexsoftware.net Justin Shapcott

          I’m pretty sure that there are only like 5-10 people working at HTC. 15 tops.

          And, yes, I am kidding.

  • Richard Yarrell

    Hidden due to low comment rating.

    • Mark

      You’re so bloody delusional. Must be because the Evo is affected and you just refuse that there could be security compromise on your phone. Get your head out of your ass.

      • Richard Yarrell

        Hidden due to low comment rating.

        • squiddy20

          You’re one to talk about being “jobless” since you were living on the streets about 4 years ago. Maybe you should go to school so you can learn what a “fact” or “opinion” is, as well as how to spell/use proper grammar and punctuation.

          “…because at the end of the day the thoughts and opinions of these clowns mean nothing…” I hope you know that by commenting on this website, you are including yourself in this insult. Even if you “have a life” you can still comment on here. What do you expect people to do at the end of their 40 or so hour workweek? Geez, talk about idiocy. Keep on truckin with that brilliant ignorance though. It’s HILARIOUS.

    • ACR

      Time to hack Richard’s phone.

  • squiddy20

    Yeah, HTC knowing practically everything about you is “blown out”. Your phone’s ID and location details (network and GPS), webpages you look at, currently installed apps, all your contacts/call log, Facebook friends, any pictures/video you take, all of it is known to HTC. And because of this little loophole, any app that has permission to access the Internet (quite a lot these days) can access all this info as well. Keep telling yourself that this is “blown out”.
    “…HTC will take care of this issue in the coming days”? What a load of crap. HTC has known about this issue for well over a week (the finder of this loophole contacted HTC on the 23rd) and they still haven’t said one single word on the matter. Not even to officially acknowledge it as a problem. They’re *definitely* on top of it all right. What a joke.
    And if you REALLY want to know what’s going on, do like this article says and go to the original source: http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/

    • squiddy20

      Meant to be in response to dumbass Richard.

      • Richard Yarrell

        Hidden due to low comment rating.

    • Richard Yarrell

      Hidden due to low comment rating.

      • squiddy20

        I would again like to point out that your statement of: “I guess having a daily life that doesn’t consist of the need to leave comments everyday on blog sites as if he has a job” also includes yourself. You do indeed post here on “these” sites, no? What a miserable little child you are. You can’t even come up with an insult that doesn’t also insult yourself.
        By the way, you too are guilty of posting on articles that have absolutely nothing to do with you. I count at least 5 within the past 4 days. Want proof? I’d be more than happy to provide it to you. Go troll somewhere else you stupid hypocrite.

        • ACR
        • Angie Strickland

          Can’t you guys just get along already? Or pretend to?

        • Richard Yarrell

          You’re USELESS and have always been USELESS, that’s plain and simple. The clock is ticking on you and your trolling. You have no place in this space. Oh, by the way, read up on this information. Subject:Watch “Android Security Elevation With H, http://www.youtube.com/watch?v=YoTUkQ7SlNU&feature=youtube_gdata_player

          • squiddy20

            Wow. You tell me to “read up on this information” but fail to realize that what you have linked to is a video, so I won’t be “reading” much of anything. I’ll be watching it. Go get a better education, moron. And the video you so “smartly” linked to is nothing more than the proof of concept video the finder of this loophole created. Something that could be found simply by visiting the original AP article. Nothing more is in that video than what is already known. But here’s two thumbs up to you for thinking that was an eye opening video. What a joke.

          • squiddy20

            One final thing, if “the clock is ticking on [me] and [my] trolling” then why is it that I have been doing this for well over a year and have yet to be banned from any website? Phandroid, Android Police, Android and Me, Android Central. These main websites I have commented on for at least a year using the same username among all 4. You? You’ve been banned from Phandroid at least 3 or 4 times, AC and AP at least once each, and it might just be a matter of time before you get booted off this site too. So with that in mind, am I really that “useless” when compared to you? Grow the f**k up.

  • http://htcsource.com Nick Gray

    No one is denying that there’s an issue here, but the way the issue was disclosed is a big part of the issue as well. The right way to fix an issue is not by telling the world how to take advantage of the vulnerability.

    • R.S

      It is IF it gets the vulnerability fixed quicker than it would have had it remained a secret. Not only that, but I believe that people have a right to know that their information is at risk.

      Plus if Android Police found it, who is to say that someone else hadn’t already found it or wouldn’t have found it before it was fixed?

      Now that it’s been exposed, HTC has no choice but to quickly deal with the issue right now rather than “when we get to it”.

      • http://www.nexsoftware.net Justin Shapcott

        There is a difference between disclosing the existence of a vulnerability, and releasing source code which can be used to exploit said vulnerability.

  • R.S

    Yes, I am well aware that there is a difference between exposing or disclosing a vulnerability. They have a much different effect on issues like this one, which is my point.

    By exposing the vulnerability, HTC has no choice but to act quickly because like you wrote, the source code which can be used to exploit the vulnerability was released. This means there is an immediate threat.

    If the vulnerability had only been disclosed, HTC could have taken their sweet time, if they weren’t already doing so, dealing with the issue since it would have only been a possible threat.

    Immediate threats are usually dealt with in a more timely manner, and with greater importance, than possible threats. The vulnerability being exposed to the world made it go from a possible threat to an immediate threat.

  • Derek

    Wow... this site gets slower and slower with staying on top of the Android news. So incompetent.

  • Richard Yarrell

    As I stated this update will fix the issue at large then after that what’s left to talk about trolls of androidandme Mr. Squiddy20. Subject:Watch “Android Security Elevation With H, http://www.youtube.com/watch?v=YoTUkQ7SlNU&feature=youtube_gdata_player
