A recent HTC update was found to have left many Android devices with a gaping security hole, one that could potentially allow any app to access pretty much all the information on your phone.
The security hole (first reported by Android Police a few days ago) has to do with a logging application introduced by HTC in a recent update called Tell HTC. This application silently records a whole bunch of information about your phone and usage and places it in one giant (think multiple megabytes) log file stored on your phone. Then, it provides this information to HTC so they can “improve your experience” with their devices. This would be all well and good provided that HTC was the sole accessor of the data. Unfortunately, HTC decided to set up their logging environment in a way that makes the data available to any application with internet permission.
As part of the installation process, all Android applications are required to specify the permissions they require in order to operate. As a security measure, the Android OS will restrict an application’s access to any data or service for which it doesn’t have permission. Alas, the vast majority of apps contain at least some permission requests. One of the more common requests is for internet access, which many apps use to do things like serve ads, or communicate with a back-end server. Keep this in mind as we go forward.
The Security Flaw
I like HTC. For the most part, I think they make a pretty good phone, and I applauded their vow to make rooting their devices easier. But sometimes great companies make stupid decisions. This is one of them.
Remember that giant log file we talked about earlier? The HTC logging tools allow access to this file via a local port. Except there’s no authentication involved with this access. Any application with permission to access the internet can waltz over to this port and request this information. And because an app using this exploit already has permission to access the internet, it can send that information over the web to wherever it wants. Herein lies the problem.
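To see this kind of exposure from the defender's side, the added example below (not from the original article or the researchers' proof of concept) parses a Linux/Android /proc/net/tcp table and lists listening sockets owned by system or vendor UIDs, which are the services any app holding the internet permission can connect to and should therefore authenticate their callers. It assumes the service listens on TCP, which the article describes only as "a local port"; the sample table, the UIDs and the function names are constructed for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 4101 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4102 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:D431 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000 10057        0 4103 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:A7F8 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10042        0 4104 1 0000000000000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A       # kernel TCP state code for a listening socket
FIRST_APP_UID = 10000   # Android gives installed apps UIDs from 10000 upward

def decode_addr(hex_addr):
    """Turn '0100007F:1F90' into ('127.0.0.1', 8080)."""
    ip_hex, port_hex = hex_addr.split(":")
    # The kernel prints the IPv4 address as a little-endian 32-bit word on ARM/x86.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def listening_sockets(proc_net_tcp):
    """Return one dict per LISTEN-state socket in the table."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 10 or int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append({"ip": ip, "port": port, "uid": int(fields[7]),
                      "loopback_only": ip.startswith("127.")})
    return found

def review_queue(proc_net_tcp):
    """Listeners owned by system/vendor UIDs. Binding to loopback does not keep
    other apps on the same device out, so each one needs its own authentication."""
    return [s for s in listening_sockets(proc_net_tcp) if s["uid"] < FIRST_APP_UID]

if __name__ == "__main__":
    for s in review_queue(SAMPLE_PROC_NET_TCP):
        scope = "loopback" if s["loopback_only"] else "all interfaces"
        print(f"review: {s['ip']}:{s['port']} uid={s['uid']} ({scope})")
```

On a device, the same functions can be fed the real table, for example the output of `adb shell cat /proc/net/tcp`.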
Affected devices: EVO 4G, EVO 3D, Thunderbolt, EVO Shift 4G, MyTouch 4G Slide, and likely many others for which the vulnerability hasn’t yet been explicitly tested. Devices not running the stock HTC Sense UI firmware are not affected.
The security researchers who found the vulnerability first contacted HTC on September 24th, but received no response for five business days, at which point they publicly released their findings per the RF Full Disclosure Policy. Now in the public spotlight, HTC has vowed to fix the vulnerability with an upcoming software patch. Their official statement is as follows:
HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.
Proof of Concept Application
The researchers who discovered the flaw have created a proof of concept application that shows exactly how this vulnerability works. To find out if your device is affected, download the apk here. See the video below for a demonstration of this app: