Huge Security Hole in HTC Devices Found

Just when I am in the process of saving up for a new HTC smartphone, the folks over at Android Police have discovered another security hole in HTC devices, and a massive one at that.

The vulnerability is:

any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

They add that this security hole is far bigger in scale than the data-leaking Skype vulnerability discovered earlier this year. So far, the affected models are mostly the EVO line, models that, as far as I know, are not officially sold here in the Philippines. HTC users can check whether their own handset is affected by downloading the proof-of-concept APK.

They have already informed HTC about this, but so far there has been no reply, nor any news as to what the company will do about it.

Hopefully, all of this gets sorted out by the time I’m ready to buy an HTC handset. Otherwise, I may end up getting a Samsung or a unit from Sony-Ericsson. Worse, I could be stuck on a BlackBerry.

Check out Android Police’s report about it for more information. They’ve done a great job with this one.

