Hope this notice helps htc android users from suffering massive losses and anguish.
Never store your PIN numbers, passwords or personal data on HTC android phones.



HTC apparently modified Android in a way that leaves some models of its phones open to hacks and data theft, researchers reveal.

Security researchers say they've uncovered a flaw in several smartphone models produced by HTC that gives any application that has Internet access the keys to a trove of information on the phone, including e-mail addresses, GPS locations, phone numbers, and text message data.

The researchers, Trevor Eckhart, Artem Russakouskii, and Justin Case, say they informed HTC of the vulnerability on September 24, but after HTC failed to respond to their warning for five days, they went public with their knowledge on Friday.
The security gap in the HTC phones stems from modifications the company made in versions of the Android operating system in EVO and Thunderbolt models. Those changes add a suite of logging tools to the system. "If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in," Russakouskii wrote yesterday at the Android Police website.

That's not the case here, he notes. The modifications made to Android by HTC allow any application that you give permission to access the Internet from the phone access to a plethora of sensitive information on the device. What's more, it also has permission to send the data that it finds wherever it wants on the Net without your knowledge.
"Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the [Android] Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of e-mails," Russakouskii explains.
He compares the vulnerability to leaving the keys to your house under the welcome mat and not expecting anyone to find them.

Data that can be peeked at by any app with Internet access include:
E-mail addresses
Last known network and GPS locations.
Phone numbers from phone logs.
SMS data, including phone numbers and encoded text.
System logs, which track everything your apps do, such as logging into secure locations.
System information such as onboard memory, CPU data, running processes and list of installed apps, including permissions they use and your user IDs for them.

In addition to the logger suite, Russakouskii notes, HTC has further modified Android with the addition of something named androidvncserver.apk. While the addition of that app, which is designed to give third parties remote access to a phone, might end up being insignificant, he did find it "suspicious." "The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely?" he asks.
According to Eckhart, there's no way at this time to patch the vulnerability without rooting the phone, which, of course, will void the warranty. If you do hack the phone's OS, you can remove HTC's logger suite, htcloggers.apk, found in /system/app/.
This latest vulnerability exposes the problems that can occur in an open source environment like Android. While it allows phone makers and application developers to make creative changes to the basic system, it can also open the door to abuse of a phone owner's data.


sauce

This post has been edited by Similan: Oct 5 2011, 09:01 AM

This would give a big slap onto HTC Android users, thankfully my fav custom (FroyoSense) rom has no this thing

HIGHLIGHTS



This post has been edited by enCORe: Oct 3 2011, 06:06 PM

Samsung might have the same issue too? Just that not yet published or discovered?

my concerns are more for the normal users who are not as tech-savvy like people who visits this forum.

these are the people who usually uses their phones to put PINs, bank accounts, passwords and other important numbers.

*shakes head*

Samsung Androids (confirmed SGS2, not sure abt others like Champ, Ace, etc) also have reported security breach.

sauce

I've already alerted them but so far, the local sgs2 community has not reported in.

This post has been edited by Similan: Oct 3 2011, 04:41 PM

LOL, dude WTF? its AT&T SGSII la, not the global version. its US only. Are you living in the US?
stop embarrassing yourself with your ignorance already.

RED ALERT remind me RA2/3
How much HTC user know this news?

This post has been edited by wkkm007: Oct 3 2011, 05:31 PM

Once again showing how rooting your android and installing a custom ROM can actually result in higher security.

Anyway, the rule of thumb to not simply install apps still holds true.

TNMCH

it's not mentioned that Malaysian version is not affected.

on the safe side, better follow the safety precautions.

agree abt ur rule of thumb.
but what is mostly concerning is not androidheads like you, BUT the ppl who are not so tech-savvy.
even the caution message whenever u install an app is so complicated and wordy.
normally ppl just press "OK" or "I Agree".

surely they will just download from the android market bcos naturally, evrybody is assume to be safe.

never in their nightmares cld they imagine the possibility of stolen money or worst, kidnapping by just using a htc android phone.

rooting doesn't make ur android safer, it is just a remedy to a created problem.
custom ROMs are safe? maybe yes, maybe no.
the point is, since userbase is small and limited to androidheads, the possibilities of detecting a major security issue (even though it is there) is very unlikely.

This post has been edited by Similan: Oct 3 2011, 05:45 PM

Perhaps this has got to do with the recently ROM lock issue that disable users to install custom ROM.
Another law suit coming...

is that a vulgar word I see there? do you have to resort to that low? LOL.
Didn't mean to make you angry there, keyboard warrior.
you don't even know what AT&T is, what are you still blabbering about?
just STFU and stop spreading your Android FUD propaganda already.

This post has been edited by phantomash: Oct 3 2011, 09:07 PM

No, installing an AOSP ROM like CyanogenMod 7 takes away that loophole altogether. Apps signed with system certs are not allowed to be installed on CM7.

Chills my heart to imagine the catastrophe may happen if HTC doesn't solve this, FAST!

based on the list, it seems like EVO 3D users is affected since other phones are only available for US only.
EDIT: and Sensation

This post has been edited by whitegoh: Oct 3 2011, 10:53 PM

Suggest this topic is pinned to promote awareness

If feel keep PIN numbers, passwords or personal data in a SmartDevice like writing PIN no. on ATM card

---

Added on October 4, 2011, 12:24 amI only trust my own brain and the conventional method haha

This post has been edited by wkkm007: Oct 4 2011, 12:27 AM

These phones models are on US only, like AT&T, Verizon, Sprint, T-Mobile, etc.
So, we're PRACTICALLY UNAFFECTED.

About these security flaws/vulnerability, I don't feel like it's really something new.
Windows OS, Mac OS, Linux OS, etc all have security problems.
That's why Windows Update(for Windows) are there. Keep on updating the security codes... Who doesn't know this, please go read up. I don't want to repeat myself. Because I know some retards won't read this and will just see this as a blank message.

I think HTC will patch this up with a new firmware or something.
I am not sure if CM7/MIUI/AOSP ROMs on this specific phones will have this problem. IMO, it shouldn't because they're using different codes.

good 4 u.

but many ppl are using their phones to store personal particulars since they always carry it arnd. furthermore even big companies like airasia, cimb clicks develop apps to complement their business.
nowadays ppl also say that mobile phone with NFC can be used as mobile wallet.

unfortunately, android is still very weak in security aspect with so many malwares, hackware and virus roaming freely unlike iOS which is much more secured and users have peace of mind.

not saying android is entirely lousy and useless, but it's "open" nature leaves it security very weak and prone to attacks by criminals.


@darksaliva

open ur eyes big big, brightness set correctly, read carefully and try to process in ur brain a bit.

htc evo 3d and sensation may had been affected by this massive security breach.



this statement just shows how shallow ur thinking is.
those software patches are for bug squashing and general improvements.
very seldom you see a huge security breach that compromises privacy and personal data.

the more powerful the smartphone becomes, the higher security it should have bcos it has access to a lot of data.
just imagine a criminal rapes and kills ur mother bcos he is able to know where ur mother is, her contacts, etc bcos he has hacked her android phone. what wld u say then? wld u just hide behind keyboard and complain in forum?

the extreme example is required to ensure u get the message properly into ur hard head.

btw, htc was informed of this on 24 sep but no fix until now. it is already october.

I don't think it's as shallow as yours.
Do you really reading what are those updates for? I don't bloody think so.
If you do read, you don't tell this. It's all MENTIONED, SECURITY VULNERABILITY FIX, etc. Not just the general bug fixing and improvements.
That's why I said, one will treat the message I said before is like "blank message".

Again, this statement will be ignored. Because one will treat it as "blank message" again.

---

Added on October 4, 2011, 8:27 amHey guys here in Android Section, stop feeding the troll.
Ignore this thread. The TS/OP is known for being iFaging.
I must troll this.

This post has been edited by DarkSilver: Oct 4 2011, 08:27 AM

This is a major problem for users using original software.

exactly. and majority of non-geeks will use what was bundled together with the phone.
cannot imagine the consequences if an evil criminal uploads an app to harvest personal details from the phone.


at first, i supported htc bcos of their innovative HTC Sense software which is great and i could accept their handsets even though it didn't have the nicest screen, fastest processor, or slickest design.

but now.

+1, you seem to be the only guy who noticed.


HAHAHA. bro, you're not a Android user to begin with, in case you missed my post earlier, I'll repeat again, shut the f-ck up.

btw, Desire Z keyboard > BB9900

This post has been edited by phantomash: Oct 4 2011, 11:14 AM

I would like you to draw back this statement... iOS isn't that secured like what do you think. in YouTube there are many videos have shown many iOS users have exploit iOS. Even thou the phone lock also can be exploit easily by an amateur.

And most of iOS users have jailbreak their gadgets, so it is not as secured any more.

Even thou android has so call bugs and security problems, their so problems are just a small fry you can settle it yourselves even thou you are not gadget savvy. Just wait HTC release the latest firmware and then update your phone.

So, no matter you are iOS user or Android user. Nothing is perfect and enough said... we won't like to have flame war in Android thread because some iOS dudes come and underestimate the Android.

This post has been edited by droid13579: Oct 4 2011, 02:00 PM

Show that iOS is easy to exploit? At least a link. Don't just simply type a statement.

How can you call a problem small fry when personal data is easily retrieve by any android app out there? and ppl here thought iPhone users are not tech-savvy.

don't turn this into another keyboard-war.
i'm doing all htc android users (or potential buyers) a big favor by highlighting security concerns so they may be wary.
keep this thread clean, for goodness sake!

the biggest issue here is ...that this disaster happens only when using HTC original firmware!
and yes, if u have the technical capability to root/ jailbreak u shld be aware of the risks or issues related to it.

again, droidfags shld put aside their pride and accept that there is a problem.
this is beneficial rather than defending the obvious flaws with dumbo statements.

Just like bank phishing emails. So many people who are not tech-savvy use Maybank2U. So many kena con. Read email, click on link, enter password, *BAM*.

never in their nightmares cld they imagine the possibility of stolen money or worst, kidnapping by just following a maybank2u email.

It should be mentioned that the htcloggers.apk is only present in the most recent HTC OTAs. So the flagging of the exploit was early in the sense that not much people know about the exploit yet.

The flagging should be hailed more as an act of heroism of the Android developers community than a huge security hole dug by HTC.

Everything else is pretty irrelevant.

yes its true. the world is truly a dangerous place maybe it is easier to con/cheat/criminal when many aspects of our lives is connected.

SO we don't really want to make it much worse by using technology which has massive security vulnerabilities. although not one system is entirely fool-proof, not even iOS

but at least the locks must be in place.
and now it seems HTC has opened all its locks and the poor android user now is spreading his legs for the criminal.

pls do not praise me as noble and kind for doing this as i gain nothing and even subject myself to insults by childish ppl... but actually it is just the least that i can do to help.

until now, the folks at htc still has not released a fix for this.

on a more sinister note, perhaps htc meant it to be like this for purposes only known among their evil selves.

I'd like to add something,from what i can see the htcloggers.apk is also present in custom ROMs that are based on HTC's ROM [ARHD etc].On AOSP ROMs like the CM7/XboarderMOD the .apk isn't there.

+1

thanks for the info!



anyway, here is latest official information.
response from HTC



ROTFL
even apps from android market can exploit this. so htc is saying android market is 'untrusted source'.

I'm very sure these devs removed whatever logging apps present. They hate this kind of things. Since the ROM is theirs, there's no reason to report back to HTC the issues.

Just reading the changelog will tell you ARHD removed htcloggers on 21st september.

The .apk was there on ARHD 3.6.0 that i downloaded and used,didn't realize it was removed from ARHD 3.6.1

At times like these, OSes are all prone to something. However, I don't really hear anything about WP7 and Symbian.

As mentioned numerous times, nothing is perfect. But due to open nature of android, security breaches and malware is easy and becoming increasingly common. As long as the manufacturers react quickly, usually it is alright.
The trouble is now, the breach is caused by HTC own software and worst is, those taiwanese is taking their sweet time while htc android users are being threatened everyday! Poor souls.

I should've guess who start this babbling thread..:-))
Well that's okay as long as it kept tight inside this thread and not spilling all over the place like usual.
I'm heading for more useful thread rather than waste my time here..good day :-P

I afraid someone might spill the beans...

If he try then we will close this thread as the other thread before this :-))
p/s - maybe put a vacation ticket might not be a bad idea after all ~~lol~~

Lol... mod already closed one of someones thread... What do you think about this?

As long as he keep tight inside this thread and not spilling overboard with his nonsense, then i'll pass. Got much better things to do than layan his usual babbling :-)

Haha, someone like to be famous after all.... to prove himself is a techs savvy

Maybe he is trying to gain more stars... post count!?

Tech savvy.? He don't know a d*** about tech especially regarding Android. He sold his SGSII because can't coup up with all the firmware updates. What a joke.!!
Huhh..even my standard six little sister know more about how to updates than our tech savvy here ~~lolol~~

Psst... i think we should stop... later he raging himself again!
SGSII also dunno how to upgrade... so FXXXING funny!
Wah, Standard Six also know.... i want to meet her xD

~~lol~~ Let her finish her studies first. Anyway i'm out of here otherwise he will accuse me of trolling his precious thread. Good day :-)

This post has been edited by waveweaver: Oct 8 2011, 03:45 PM

Good day , this thread is meaningless to add on

Conclusion don't keep sensitive/private data in a Smartphone/device. Intelligence agency or spy will use most basic cellphone to prevent being hack.

---

Added on October 10, 2011, 10:25 pmI dengar @ somewhere feature phone can run Java app(J2ME) also can be hack

This post has been edited by wkkm007: Oct 10 2011, 10:27 PM

Every phone can be hacked. Even satellite phone with secure link is vulnarable.

Every phone, every PC, every Mac, etc can be hacked when connected to Satellites...
I do tell this in the 1st Page if you guys can read it.
I know someone will not read it or will treat it as blank message.

Windows, always put Windows Update for Security Purposes. Want a screen shot? Or you guys can view it by yourself in your PC also...

Androids, update the firmware to get rid of Security issues.

iOS, same. Linux, same. All just update, then, it'll solve the issues.

You guys shouldn't even need to care about this thread, it's going no where and no solutions also. Go read up some solutions, or fixes threads is better and won't waste your time if you're using a HTC device.

droid13579,
He can't get stars(elite tag) or posts like mine if he continues something lousy like this.

---

Added on October 11, 2011, 7:21 amTrue. I don't even bother to read the details of this problem. What for? LOL.
A solution is more useful to me. I think HTC have fixed already by updating the firmware.

This post has been edited by DarkSilver: Oct 11 2011, 07:21 AM

can't u see? (similan is really start to see many stars now with ur responses)

yes, theoretically any device can be hacked finally but HTC has made it very easy to do so with their latest firmware updates.

and firmware updates is supposed to enhance the security, fix bugs...not add them like what HTC seem to have done.

solution? already mention by similan.

1) learn how to root/ flash custom firmware.
2) stop installing apps until HTC provides a fix. Still waiting.

Lastly, Similan is uninterested in stars or elite tags. Similan is not like that. Similan only wants to help others.

Don't feed the troll..!!

http://www.zdnet.com/blog/security/iphone-...lity-again/7544
http://www.zdnet.com/blog/security/iphone-...t;siu-container
http://www.pcworld.com/article/235144/jail...es_it_work.html

when i first saw this thread, my first guess was: it must be created by the legendary similan, and i look to the right abit, my guess was right . anyways, everything has security breaches, just check the above links, even iphone has security breaches, not only android

conclusion: dont bash out on android about 'security issues' when iphone also has security issues. iOS 4.3.3 has a huge safari bug that was exploited by jailbreakme 3.0 and can be used by hackers to hack into the phone to steal personal data.

from pcworld link above: The exact PDF vulnerability, if it becomes known, could potentially be used by less magnanimous hackers to install malware onto your device.

seems like everything u post in android thread is all negative and criticizing android right?

This post has been edited by TheLaptopDudeGuy: Oct 11 2011, 09:36 AM

Okay. Sorry indeed.
You're good finally, from what I've see now, you're not a troll anymore. I am the bad guy, evil guy, troll.

Just wondering, why HTC got such a big flaw...? LG, Samsung, Sony Ericsson? HTC supposes to be the leader of Android. It doesn't matter to me because I don't use phone to put so many security thingy. My PC will do.

---

Added on October 11, 2011, 10:29 am---JOKE---
Android is EVIL you know...?
After using the Android, you'll become EVIL!

After all, the Safari Browser bug got fixed by updating the firmware/application.

Android will do the same as well. Update the firmware/applications. Problem solved.

Our mighty one will not tell anything bad about iOS although he claimed iOS is not perfect.
He'll just go search something on the Internet for the Android, find their bugs and problems. Open a thread here and tell everyone about it.
But, this time, he put the solutions. I think it's OK compared to last time.


This post has been edited by DarkSilver: Oct 11 2011, 10:29 AM

SO TRUE! when got at&t galaxy s2 security flaw, he come to sgs2 thread and start telling everyone a simple google search would tell him that only applies for at&t version, yet he come ask us to 'test'

maybe he doesnt know what does at&t mean


This post has been edited by TheLaptopDudeGuy: Oct 11 2011, 12:20 PM

do not agree with your conclusion. i love android system, even bought 3 high-end android phones before.
i had high hopes that it can match iOS in terms of smoothness, usability, security and features one day.

when u were small, didn't ur parents give u the cane when naughty? it's not that they hate u but instead, they love u and hope that u can improve.

similarly, many parent would also tell u the successful friend/relative who was hardworking, good, and provided to the family and society. not that ur parents think u are inferior, but they tell u bcos they want u to look at successful ppl as examples.

Similan also has the same aspirations for the android family.

this thread will be updated by Similan when HTC issues the fix.

Dont feed ANY troll..!!

Smoothness?
SGS II is faster than iPhone 4 on whatever you can name it literally.

Security?
Subjective, indeed.

Usability and Features?
Subjective as well, but, iOS is superior but not far from Android.

So your saying u dont agree with the fact that even iOS have security issues sometimes?

Then if u have high hopes for android,why do u ALWAYS post negative things here abt android? Actions speak louder than words. This is gonna be my last post here,dont feel like feeding u more post counts. Why dont you go along back to ur home,the ipong thread? And why do u call urself similan? Why cant u just call urself "me"?

This post has been edited by TheLaptopDudeGuy: Oct 11 2011, 01:59 PM

Who's the troll? Please name it. Or PM me if you can't...

---

Added on October 11, 2011, 1:59 pmBecause we mentioned him as "somebody/someone/you know who" here.
So, he tried to act cute? LOL.

Nope. He's not always posting negative stuffs about Android here.
He's only posting the super mini bugs he can find about Android and post it(and exaggerate it) here to be precise.

It's official now. iFags can worship Steve Jobs since he's in the heaven now.

This post has been edited by DarkSilver: Oct 11 2011, 02:03 PM

Most of the time it's called iTroll ~~lololol~~
Just dont waste any of our valuable time in this thread.

We can just treat this thread as a normal thread.
Just reply whatever we can, and enjoy the show.
I think this can help us to kill off some boredom sometime too.

ya..lor. since he want to keep this thread alive, mightt as well we use it to smack itroll head :-))

This post has been edited by waveweaver: Oct 11 2011, 02:32 PM

Wow! It's the LEGEND!!

**Off-Topic**
@waveweaver

now enjoying new 2.3.4 stock rom for my atrix...

as long he don't make a fuss like SGSII thread... i always be neutral

Why don't we use this thread as a chit-chat place

This post has been edited by droid13579: Oct 11 2011, 03:18 PM

thread will be closed until HTC solves the issue.

this is to prevent childish and rude behavior in this thread.

PM me if u have genuine enquire.
Similan is always get to help.

---

Added on October 12, 2011, 7:44 amDear frens,

Similan will embark to Thailand to help provide flood relief.
Internet connection may be intermittent.

Similan sincerely offers apologies for not being able to update this thread while away.but similan will be thinking abt u ppl.

PS: if only HTC had reacted faster...

This post has been edited by Similan: Oct 12 2011, 07:44 AM