 [!RED ALERT!] HTC Massive Security Vulnerability, HTC EVO 3D, Sensation affected (updated)

SUSSimilan
post Oct 3 2011, 02:57 PM, updated 15y ago

Casual
***
Junior Member
344 posts

Joined: Aug 2011
From: Tanah tumpahnya darahku




Hope this notice helps HTC Android users avoid suffering massive losses and anguish.
Never store your PIN numbers, passwords or personal data on HTC Android phones.



HTC apparently modified Android in a way that leaves some models of its phones open to hacks and data theft, researchers reveal.

Security researchers say they've uncovered a flaw in several smartphone models produced by HTC that gives any application that has Internet access the keys to a trove of information on the phone, including e-mail addresses, GPS locations, phone numbers, and text message data.

The researchers, Trevor Eckhart, Artem Russakovskii, and Justin Case, say they informed HTC of the vulnerability on September 24, but after HTC failed to respond to their warning for five days, they went public with their knowledge on Friday.

The security gap in the HTC phones stems from modifications the company made in versions of the Android operating system in EVO and Thunderbolt models. Those changes add a suite of logging tools to the system. "If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in," Russakovskii wrote yesterday at the Android Police website.

That's not the case here, he notes. The modifications made to Android by HTC allow any application that you give permission to access the Internet from the phone access to a plethora of sensitive information on the device. What's more, it also has permission to send the data that it finds wherever it wants on the Net without your knowledge.

"Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the [Android] Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of e-mails," Russakovskii explains.

He compares the vulnerability to leaving the keys to your house under the welcome mat and not expecting anyone to find them.

Data that can be peeked at by any app with Internet access include:
•E-mail addresses.
•Last known network and GPS locations.
•Phone numbers from phone logs.
•SMS data, including phone numbers and encoded text.
•System logs, which track everything your apps do, such as logging into secure locations.
•System information such as onboard memory, CPU data, running processes and list of installed apps, including permissions they use and your user IDs for them.


In addition to the logger suite, Russakovskii notes, HTC has further modified Android with the addition of something named androidvncserver.apk. While the addition of that app, which is designed to give third parties remote access to a phone, might end up being insignificant, he did find it "suspicious." "The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely?" he asks.

According to Eckhart, there's no way at this time to patch the vulnerability without rooting the phone, which, of course, will void the warranty. If you do hack the phone's OS, you can remove HTC's logger suite, htcloggers.apk, found in /system/app/.

This latest vulnerability exposes the problems that can occur in an open source environment like Android. While it allows phone makers and application developers to make creative changes to the basic system, it can also open the door to abuse of a phone owner's data.


sauce

This post has been edited by Similan: Oct 5 2011, 09:01 AM
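
A defender-side check for the two APKs the article names, as an added example that is not part of the original post or the researchers' code. It reads a package listing in the format printed by `pm list packages -f`; the sample listing and its package names are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag the two APKs named in the article in a package listing.
# Input lines use the `pm list packages -f` format: package:<apk path>=<name>

# APK file names as given in the article (compared case-insensitively).
FLAGGED_APKS="htcloggers.apk androidvncserver.apk"

# Read a listing on stdin; print "<apk path> <package name>" for every
# entry under /system/app/ whose file name is in FLAGGED_APKS.
find_flagged() {
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # adb output may use CRLF
        case "$line" in
            package:*=*) ;;
            *) continue ;;                          # skip anything else
        esac
        entry=${line#package:}
        path=${entry%=*}                            # text before the last "="
        pkg=${entry##*=}                            # text after the last "="
        case "$path" in
            /system/app/*) ;;
            *) continue ;;                          # only preinstalled apps
        esac
        base=$(basename "$path" | tr '[:upper:]' '[:lower:]')
        for apk in $FLAGGED_APKS; do
            [ "$base" = "$apk" ] && printf '%s %s\n' "$path" "$pkg"
        done
    done
    return 0
}

# Constructed sample listing; the package names are placeholders.
sample_listing() {
    cat <<'EOF'
package:/system/app/HtcLoggers.apk=example.placeholder.loggers
package:/system/app/Calculator.apk=com.android.calculator2
package:/data/app/com.example.game-1.apk=com.example.game
package:/system/app/androidvncserver.apk=example.placeholder.vnc
EOF
}

# Demo on the sample; on a device: adb shell pm list packages -f | find_flagged
sample_listing | find_flagged
```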
enCORe
post Oct 3 2011, 04:07 PM

Gadget lovers
*******
Senior Member
5,301 posts

Joined: Jan 2003
From: Ampang - Putrajaya



This is a big slap to HTC Android users; thankfully my fav custom ROM (FroyoSense) doesn't have this thing

HIGHLIGHTS

QUOTE
Known malicious program
androidvncserver.apk
htcloggers.apk

Affected Phones
Note: Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.
•EVO 4G
•EVO 3D
•Thunderbolt
•EVO Shift 4G? (thanks, pm)
•MyTouch 4G Slide? (thanks, Michael)
•the upcoming Vigor? (thanks, bjn714)
•some Sensations? (thanks, Nick)
•most likely others - we haven't verified them yet, but you can help us by downloading the proof of concept above and running the APK

Original Source - Android Police

This post has been edited by enCORe: Oct 3 2011, 06:06 PM
yehlai
post Oct 3 2011, 04:17 PM

tree lover
*******
Senior Member
4,539 posts

Joined: Feb 2006
From: LocOmoT|oN.L0co|oti0N


Samsung might have the same issue too? Just that not yet published or discovered?
SUSSimilan
post Oct 3 2011, 04:35 PM




my concerns are more for the normal users who are not as tech-savvy as the people who visit this forum.

these are the people who usually use their phones to put PINs, bank accounts, passwords and other important numbers.

*shakes head*
SUSSimilan
post Oct 3 2011, 04:39 PM




QUOTE(yehlai @ Oct 3 2011, 04:17 PM)
Samsung might have the same issue too? Just that not yet published or discovered?
*
Samsung Androids (confirmed SGS2, not sure abt others like Champ, Ace, etc) also have reported security breach.

sauce

I've already alerted them but so far, the local sgs2 community has not reported in.

This post has been edited by Similan: Oct 3 2011, 04:41 PM
phantomash
post Oct 3 2011, 05:15 PM

Not a Fanboy
*******
Senior Member
4,282 posts

Joined: Apr 2008
QUOTE(Similan @ Oct 3 2011, 04:39 PM)
Samsung Androids (confirmed SGS2, not sure abt others like Champ, Ace, etc) also have reported security breach.

sauce

I've already alerted them but so far, the local sgs2 community has not reported in.
*
LOL, dude WTF? it's AT&T SGSII la, not the global version. it's US only. Are you living in the US?
stop embarrassing yourself with your ignorance already.
wkkm007
post Oct 3 2011, 05:30 PM

Look at all my stars!!
*******
Senior Member
3,123 posts

Joined: Sep 2008
From: OUG - Muhibbah LRT


RED ALERT reminds me of RA2/3
How many HTC users know this news?

This post has been edited by wkkm007: Oct 3 2011, 05:31 PM
DJFoo000
post Oct 3 2011, 05:36 PM

Really? That's the best reply you can come up with?
*******
Senior Member
3,000 posts

Joined: Sep 2005
From: Puchong, Selangor



Once again showing how rooting your android and installing a custom ROM can actually result in higher security.

Anyway, the rule of thumb to not simply install apps still holds true.
SUSSimilan
post Oct 3 2011, 05:37 PM




QUOTE(phantomash @ Oct 3 2011, 05:15 PM)
LOL, dude WTF? it's AT&T SGSII la, not the global version. it's US only. Are you living in the US?
stop embarrassing yourself with your ignorance already.
*
TNMCH

it's not mentioned that Malaysian version is not affected.

on the safe side, better follow the safety precautions.

SUSSimilan
post Oct 3 2011, 05:42 PM




QUOTE(DJFoo000 @ Oct 3 2011, 05:36 PM)
Once again showing how rooting your android and installing a custom ROM can actually result in higher security.

Anyway, the rule of thumb to not simply install apps still holds true.
*
agree abt ur rule of thumb.
but what is mostly concerning is not androidheads like you, BUT the ppl who are not so tech-savvy.
even the caution message whenever u install an app is so complicated and wordy.
normally ppl just press "OK" or "I Agree".

surely they will just download from the android market bcos naturally, everybody is assumed to be safe.

never in their nightmares cld they imagine the possibility of stolen money or worse, kidnapping by just using a htc android phone.

rooting doesn't make ur android safer, it is just a remedy to a created problem.
custom ROMs are safe? maybe yes, maybe no.
the point is, since userbase is small and limited to androidheads, the possibilities of detecting a major security issue (even though it is there) is very unlikely.

This post has been edited by Similan: Oct 3 2011, 05:45 PM
Berserker
post Oct 3 2011, 05:46 PM

i'm lovin' it
*******
Senior Member
2,144 posts

Joined: Jan 2003
From: Kuching, Sarawak


Perhaps this has got to do with the recent ROM lock issue that prevents users from installing custom ROMs.
Another lawsuit coming...
phantomash
post Oct 3 2011, 09:00 PM

QUOTE(Similan @ Oct 3 2011, 05:37 PM)
TNMCH

it's not mentioned that Malaysian version is not affected.

on the safe side, better follow the safety precautions.
*
is that a vulgar word I see there? do you have to resort to that low? LOL.
Didn't mean to make you angry there, keyboard warrior.
you don't even know what AT&T is, what are you still blabbering about?
just STFU and stop spreading your Android FUD propaganda already.

This post has been edited by phantomash: Oct 3 2011, 09:07 PM
DJFoo000
post Oct 3 2011, 09:11 PM




No, installing an AOSP ROM like CyanogenMod 7 takes away that loophole altogether. Apps signed with system certs are not allowed to be installed on CM7.
SUSSimilan
post Oct 3 2011, 10:42 PM




Chills my heart to imagine the catastrophe that may happen if HTC doesn't solve this, FAST!
whitegoh
post Oct 3 2011, 10:51 PM

Regular
******
Senior Member
1,207 posts

Joined: May 2009
based on the list, it seems like EVO 3D users are affected since the other phones are available in the US only.
EDIT: and Sensation

This post has been edited by whitegoh: Oct 3 2011, 10:53 PM
SUSSimilan
post Oct 4 2011, 12:03 AM




Suggest this topic is pinned to promote awareness
wkkm007
post Oct 4 2011, 12:24 AM



I feel keeping PIN numbers, passwords or personal data in a SmartDevice is like writing PIN no. on ATM card

Added on October 4, 2011, 12:24 am
I only trust my own brain and the conventional method haha

This post has been edited by wkkm007: Oct 4 2011, 12:27 AM
DarkSilver
post Oct 4 2011, 02:58 AM

Idiosyncrasy
Group Icon
Elite
10,501 posts

Joined: Oct 2009
From: Tamriel


These phone models are in the US only, like AT&T, Verizon, Sprint, T-Mobile, etc.
So, we're PRACTICALLY UNAFFECTED.

About these security flaws/vulnerability, I don't feel like it's really something new.
Windows OS, Mac OS, Linux OS, etc all have security problems.
That's why Windows Update (for Windows) is there. Keep on updating the security codes... Who doesn't know this, please go read up. I don't want to repeat myself. Because I know some retards won't read this and will just see this as a blank message.

I think HTC will patch this up with a new firmware or something.
I am not sure if CM7/MIUI/AOSP ROMs on these specific phones will have this problem. IMO, it shouldn't because they're using different codes.
SUSSimilan
post Oct 4 2011, 08:07 AM




QUOTE(wkkm007 @ Oct 4 2011, 12:24 AM)
I feel keeping PIN numbers, passwords or personal data in a SmartDevice is like writing PIN no. on ATM card

Added on October 4, 2011, 12:24 am
I only trust my own brain and the conventional method haha
*
good 4 u.

but many ppl are using their phones to store personal particulars since they always carry it arnd. furthermore even big companies like airasia, cimb clicks develop apps to complement their business.
nowadays ppl also say that mobile phone with NFC can be used as mobile wallet.

unfortunately, android is still very weak in security aspect with so many malwares, hackware and virus roaming freely unlike iOS which is much more secured and users have peace of mind.

not saying android is entirely lousy and useless, but its "open" nature leaves its security very weak and prone to attacks by criminals.


@darksaliva

open ur eyes big big, brightness set correctly, read carefully and try to process in ur brain a bit.

htc evo 3d and sensation may have been affected by this massive security breach.

QUOTE
About these security flaws/vulnerability, I don't feel like it's really something new.
Windows OS, Mac OS, Linux OS, etc all have security problems.
That's why Windows Update(for Windows) are there. Keep on updating the security codes...


this statement just shows how shallow ur thinking is.
those software patches are for bug squashing and general improvements.
very seldom you see a huge security breach that compromises privacy and personal data.

the more powerful the smartphone becomes, the higher security it should have bcos it has access to a lot of data.
just imagine a criminal rapes and kills ur mother bcos he is able to know where ur mother is, her contacts, etc bcos he has hacked her android phone. what wld u say then? wld u just hide behind keyboard and complain in forum?

the extreme example is required to ensure u get the message properly into ur hard head.

btw, htc was informed of this on 24 sep but no fix until now. it is already october.

DarkSilver
post Oct 4 2011, 08:25 AM



I don't think it's as shallow as yours.
Do you really read what those updates are for? I don't bloody think so.
If you did read, you wouldn't say this. It's all MENTIONED, SECURITY VULNERABILITY FIX, etc. Not just the general bug fixing and improvements.
That's why I said, one will treat the message I said before like a "blank message".

Again, this statement will be ignored. Because one will treat it as "blank message" again.


Added on October 4, 2011, 8:27 am
Hey guys here in Android Section, stop feeding the troll.
Ignore this thread. The TS/OP is known for being iFaging.
I must troll this.

This post has been edited by DarkSilver: Oct 4 2011, 08:27 AM
