Oct 03 AT 10:45 AM Nick Gray 27 Comments

HTC security hole could put some of your personal information at risk


If you happen to own one of those fancy new HTC phones that have come out over the past few months, you might want to hold off on downloading any new apps from less-than-trustworthy developers.

The folks over at Android Police have discovered that the HTCLogger.apk included in newer HTC devices and system updates doesn’t secure any of the data that it collects. HTC Logger is intended to capture system logs, GPS location, user accounts and other data to help HTC monitor handset issues, which HTC should be using to push out fixes in a more timely fashion. The problem is that all the data captured by the app is stored on the handset and can easily be captured by any application that has permission to access the Internet (android.permission.INTERNET).

The security vulnerability caused by HTCLogger is certainly critical, but we do believe the whole situation has been blown out of proportion. By fully disclosing how to take advantage of the vulnerability, Android Police has given hackers and app developers with malicious intent everything they need to capture the information stored by HTCLogger. There’s currently no indication that any rogue apps are taking advantage of this vulnerability, but we suggest you think twice before downloading applications from developers you don’t know or trust until HTC can resolve the issue.

HTC is aware of the vulnerability and is looking into fixing the problem. But if you have root access and want to take matters into your own hands, you can uninstall the app from /system/app/HtcLoggers.apk and be done with this whole issue.

"HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken." (HTC)

Will any of you be waiting around for HTC to correct the issue? Or will you simply remove the HtcLoggers.apk and move on?

Source: Android Police

Nick is a tech enthusiast who has a soft spot for HTC and its devices. He started HTCsource.com (the first HTC blog) back in 2007 and later joined the Android and Me family in the summer of 2010.


    Seems like security holes are found in everything these days.. sometimes I think it’s intentional

  • Paul

    Well they gave HTC a heads up and gave them 5 business days to respond and HTC completely ignored it. So I hope this ‘lights a fire’ under their proverbial butts and gets them to do something about it. Like with any vulnerability, manufacturers would love to ignore it and focus on more profitable things like the next phone or whatever, but if enough people know about it and get upset about it then they have no choice but to go back and patch their software and address the issue. I just don’t like that HTC ignored the bug fix and I hope that enough people can get them to actually do something about it.

    • http://www.nexsoftware.net Justin Shapcott

      Paul – It is not customary to provide source code to exploit a vulnerability in the wild when there is not a workaround for the vast majority of those who might be affected. That’s bad form. The original post was done under the guise of ‘responsible disclosure’, but in telling exactly how to exploit it, they stepped into the realm of ‘irresponsible disclosure’.

    • http://www.anthonydomanico.com Anthony Domanico

      Why do people think that the phone design team and the people who work on Sense/bugs are the same people?

      • http://htcsource.com Nick Gray

        I think people forget that there are hundreds if not thousands of people who are involved in handset development and maintenance.

        • http://www.nexsoftware.net Justin Shapcott

          I’m pretty sure that there are only like 5-10 people working at HTC. 15 tops.

          And, yes, I am kidding.

  • Richard Yarrell

    Personally I believe this is being BLOWN OUT for whatever reason. This situation is currently existing and htc will take care of this issue in the coming days. Read up on this information education on these matters essentially turns to be power for us the consumer. Android is android and all manufacturers have made mistakes and these mistakes will always exist. Regardless of these current issues I support HTC and always will cause I know what they bring to this platform as well as windows platform. http://m.androidcentral.com/htc-collecting-data-us-phones-htc-sense-storing-it-very-sloppy-way-security?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+androidcentral+%28Android+Central%29

    • Mark

      You’re so bloody delusional. Must be because the Evo is affected and you just refuse that there could be security compromise on your phone. Get your head out of your ass.

      • Richard Yarrell

        Security compromises can exist on all android phones the manufacturer doesn’t matter. I’d like to know where does androidandme find these clowns??? You guys must be going to jobless conventions and feeling sorry for these guys and encouraging them to come and leave comments ie pluses up vote minus down vote. I could care less down vote me -100 because at the end of the day the thoughts and opinions of these clowns mean nothing in the real world meaning people with a life.

        • squiddy20

          You’re one to talk about being “jobless” since you were living on the streets about 4 years ago. Maybe you should go to school so you can learn what a “fact” or “opinion” is, as well as how to spell/use proper grammar and punctuation.

          “…because at the end of the day the thoughts and opinions of these clowns mean nothing…” I hope you know that by commenting on this website, you are including yourself in this insult. Even if you “have a life” you can still comment on here. What do you expect people to do at the end of their 40 or so hour workweek? Geez, talk about idiocy. Keep on truckin with that brilliant ignorance though. It’s HILARIOUS.

    • ACR

      Time to hack Richard’s phone.

  • squiddy20

    Yeah, HTC knowing practically everything about is “blown out”. Your phone’s ID and location details (network and GPS), webpages you look at, currently installed apps, all your contacts/call log, Facebook friends, any pictures/video you take, all of it is known to HTC. And because of this little loophole, any app that has permission to access the Internet (quite a lot these days) can access all this info as well. Keep telling yourself that this is “blown out”.
    “…HTC will take care of this issue in the coming days”? What a load of crap. HTC has known about this issue for well over a week (the finder of this loophole contacted HTC on the 23rd) and they still haven’t said one single word on the matter. Not even to officially acknowledge it as a problem. They’re *definitely* on top of it all right. What a joke.
    And if you REALLY want to know what’s going on, do like this article says and go to the original source: http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/

    • squiddy20

      Meant to be in response to dumbass Richard.

      • Richard Yarrell

        Typical.. Ass wipe nothing new with the trolling squiddy20 wonder where his wife is @snowbdr89. The comedy the guys bring is like being clowns in the circus.

    • Richard Yarrell

      We already know this guy leaves comment after comment with no rhyme or reason other than trolling comments related to either myself/sprint/htc. Does he own any of the affected devices of course not. Does he own anything htc??? Of course not. I guess having a daily life that doesn’t consist of the need to leave comments everyday on blog sites as if he has a job.. Oh wait blog sites are the lonely life he leads and needs to exist. @squiddy20 get some help as fast as you can you’re the biggest JOKE on this site and I am being nice when I say that

      • squiddy20

        I would again like to point out that your statement of: “I guess having a daily life that doesn’t consist of the need to leave comments everyday on blog sites as if he has a job” also includes yourself. You do indeed post here on “these” sites, no? What a miserable little child you are. You can’t even come up with an insult that doesn’t also insult yourself.
        By the way, you too are guilty of posting on articles that have absolutely nothing to do with you. I count at least 5 within the past 4 days. Want proof? I’d be more than happy to provide it to you. Go troll somewhere else you stupid hypocrite.

        • ACR


        • Angie Strickland

          Can’t you guys just get along already? Or pretend to?

        • Richard Yarrell

          You’re USELESS and have always been USELESS that’s plain and simple.. The clock is ticking on you and your trolling.. You have no place in this space OH by the way read up on this information.. Subject:Watch “Android Security Elevation With H, http://www.youtube.com/watch?v=YoTUkQ7SlNU&feature=youtube_gdata_player

          • squiddy20

            Wow. You tell me to “read up on this information” but fail to realize that what you have linked to is a video and so won’t be “reading” much of anything. I’ll be watching it. Go get a better education moron. And the video you so “smartly” linked to is nothing more than the proof of concept video the finder of this loophole created. Something that could be found simply by visiting the original AP article. Nothing more is in that video than what is already known. But here’s two thumbs up to you for thinking that was an eye opening video. What a joke.

          • squiddy20

            One final thing, if “the clock is ticking on [me] and [my] trolling” then why is it that I have been doing this for well over a year and have yet to be banned from any website? Phandroid, Android Police, Android and Me, Android Central. These main websites I have commented on for at least a year using the same username among all 4. You? You’ve been banned from Phandroid at least 3 or 4 times, AC and AP at least once each, and it might just be a matter of time before you get booted off this site too. So with that in mind, am I really that “useless” when compared to you? Grow the f**k up.

  • http://htcsource.com Nick Gray

    No one is denying that there’s an issue here, but the way the issue was disclosed is a big part of the issue as well. The right way to fix an issue is not by telling the world how to take advantage of the vulnerability.

    • R.S

      It is IF it gets the vulnerability fixed quicker than it would have had it remained a secret. Not only that, but I believe that people have a right to know that their information is at risk.

      Plus if Android Police found it, who is to say that someone else hadn’t already found it or wouldn’t have found it before it was fixed?

      Now that it’s been exposed, HTC has no choice but to quickly deal with the issue right now rather than “when we get to it”.

      • http://www.nexsoftware.net Justin Shapcott

        There is a difference between disclosing the existence of a vulnerability, and releasing source code which can be used to exploit said vulnerability.

  • R.S

    Yes, I am well aware that there is a difference between exposing or disclosing a vulnerability. They have a much different effect on issues like this one, which is my point.

    By exposing the vulnerability, HTC has no choice but to act quickly because like you wrote, the source code which can be used to exploit the vulnerability was released. This means there is an immediate threat.

    If the vulnerability had only been disclosed, HTC could have taken their sweet time, if they weren’t already doing so, dealing with the issue since it would have only been a possible threat.

    Immediate threats are usually dealt with in a more timely manner, and with greater importance, than possible threats. The vulnerability being exposed to the world made it go from a possible threat to an immediate threat.

  • Derek

    Wow…this site gets slower and slower with staying on top of the Android news. So incompetent.

  • Richard Yarrell

    As I stated this update will fix the issue at large then after that what’s left to talk about trolls of androidandme Mr. Squiddy20. Subject:Watch “Android Security Elevation With H, http://www.youtube.com/watch?v=YoTUkQ7SlNU&feature=youtube_gdata_player