
 [!RED ALERT!] HTC Massive Security Vulnerability, HTC EVO 3D, Sensation affected (updated)

SUSSimilan
post Oct 3 2011, 02:57 PM, updated 15y ago

Casual
***
Junior Member
344 posts

Joined: Aug 2011
From: Tanah tumpahnya darahku




Hope this notice helps htc android users from suffering massive losses and anguish.
Never store your PIN numbers, passwords or personal data on HTC android phones. sweat.gif



HTC apparently modified Android in a way that leaves some models of its phones open to hacks and data theft, researchers reveal.

Security researchers say they've uncovered a flaw in several smartphone models produced by HTC that gives any application that has Internet access the keys to a trove of information on the phone, including e-mail addresses, GPS locations, phone numbers, and text message data.

The researchers, Trevor Eckhart, Artem Russakovskii, and Justin Case, say they informed HTC of the vulnerability on September 24, but after HTC failed to respond to their warning for five days, they went public with their knowledge on Friday.
The security gap in the HTC phones stems from modifications the company made in versions of the Android operating system in EVO and Thunderbolt models. Those changes add a suite of logging tools to the system. "If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in," Russakovskii wrote yesterday at the Android Police website.

That's not the case here, he notes. The modifications made to Android by HTC allow any application that you give permission to access the Internet from the phone access to a plethora of sensitive information on the device. What's more, it also has permission to send the data that it finds wherever it wants on the Net without your knowledge.
"Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the [Android] Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of e-mails," Russakovskii explains.
He compares the vulnerability to leaving the keys to your house under the welcome mat and not expecting anyone to find them.

Data that can be peeked at by any app with Internet access include:
E-mail addresses
Last known network and GPS locations.
Phone numbers from phone logs.
SMS data, including phone numbers and encoded text.
System logs, which track everything your apps do, such as logging into secure locations.
System information such as onboard memory, CPU data, running processes and list of installed apps, including permissions they use and your user IDs for them.


In addition to the logger suite, Russakovskii notes, HTC has further modified Android with the addition of something named androidvncserver.apk. While the addition of that app, which is designed to give third parties remote access to a phone, might end up being insignificant, he did find it "suspicious." "The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely?" he asks.
According to Eckhart, there's no way at this time to patch the vulnerability without rooting the phone, which, of course, will void the warranty. If you do hack the phone's OS, you can remove HTC's logger suite, htcloggers.apk, found in /system/app/.
This latest vulnerability exposes the problems that can occur in an open source environment like Android. While it allows phone makers and application developers to make creative changes to the basic system, it can also open the door to abuse of a phone owner's data.


sauce

This post has been edited by Similan: Oct 5 2011, 09:01 AM
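
A check for the two APKs the article above names in /system/app/, as an added example that is not part of the original post or the researchers' tooling. The function name and both sample listings are constructed for illustration, and matching is case-insensitive because the capitalisation on a real device may differ from the article's spelling.

```shell
#!/bin/sh
# Added example: report which APKs named in the post appear in a listing of
# /system/app. Reads the listing on stdin, so it also works on a saved file.
# On a device: adb shell ls /system/app | find_flagged_apks

# File names exactly as spelled in the post; compared case-insensitively.
FLAGGED="htcloggers.apk androidvncserver.apk"

find_flagged_apks() {
    # Strip CR (adb shell output can end lines with CRLF), take the last
    # field so both plain `ls` and `ls -l` lines work, then fold case.
    tr -d '\r' | awk -v flagged="$FLAGGED" '
        BEGIN { n = split(flagged, want, " ") }
        NF {
            name = tolower($NF)
            for (i = 1; i <= n; i++)
                if (name == want[i] && !(name in seen)) {
                    seen[name] = 1
                    print $NF      # print the name as it appears on disk
                }
        }'
}

# Constructed sample: `ls -l` style listing with CRLF endings, as a ROM
# containing the logger suite might show. Sizes and dates are made up.
sample_stock_listing() {
    printf '%s\r\n' \
        '-rw-r--r-- root root 1203344 2011-08-30 12:00 Calculator.apk' \
        '-rw-r--r-- root root  334112 2011-08-30 12:00 HtcLoggers.apk' \
        '-rw-r--r-- root root   98211 2011-08-30 12:00 androidvncserver.apk'
}

# Constructed sample: plain `ls` listing without either file.
sample_aosp_listing() {
    printf '%s\n' 'Calculator.apk' 'Browser.apk' 'Settings.apk'
}

echo "stock-style listing:"; sample_stock_listing | find_flagged_apks
echo "AOSP-style listing:";  sample_aosp_listing  | find_flagged_apks
```

An empty result means neither file name is present in the listing that was supplied; it says nothing about other components of the ROM.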
SUSSimilan
post Oct 3 2011, 04:35 PM




my concerns are more for the normal users who are not as tech-savvy like people who visits this forum.

these are the people who usually uses their phones to put PINs, bank accounts, passwords and other important numbers.

*shakes head*
SUSSimilan
post Oct 3 2011, 04:39 PM




QUOTE(yehlai @ Oct 3 2011, 04:17 PM)
Samsung might have the same issue too? Just that not yet published or discovered?
*
Samsung Androids (confirmed SGS2, not sure abt others like Champ, Ace, etc) also have reported security breach.

sauce

I've already alerted them but so far, the local sgs2 community has not reported in. rolleyes.gif

This post has been edited by Similan: Oct 3 2011, 04:41 PM
SUSSimilan
post Oct 3 2011, 05:37 PM




QUOTE(phantomash @ Oct 3 2011, 05:15 PM)
LOL, dude WTF? its AT&T SGSII la, not the global version. laugh.gif its US only. Are you living in the US?
stop embarrassing yourself with your ignorance already.
*
biggrin.gif TNMCH

it's not mentioned that Malaysian version is not affected.

on the safe side, better follow the safety precautions.

SUSSimilan
post Oct 3 2011, 05:42 PM




QUOTE(DJFoo000 @ Oct 3 2011, 05:36 PM)
Once again showing how rooting your android and installing a custom ROM can actually result in higher security.

Anyway, the rule of thumb to not simply install apps still holds true.
*
agree abt ur rule of thumb. rclxms.gif
but what is mostly concerning is not androidheads like you, BUT the ppl who are not so tech-savvy.
even the caution message whenever u install an app is so complicated and wordy.
normally ppl just press "OK" or "I Agree".

surely they will just download from the android market bcos naturally, evrybody is assume to be safe.

never in their nightmares cld they imagine the possibility of stolen money or worst, kidnapping by just using a htc android phone. sad.gif

rooting doesn't make ur android safer, it is just a remedy to a created problem.
custom ROMs are safe? maybe yes, maybe no.
the point is, since userbase is small and limited to androidheads, the possibilities of detecting a major security issue (even though it is there) is very unlikely.

This post has been edited by Similan: Oct 3 2011, 05:45 PM
SUSSimilan
post Oct 3 2011, 10:42 PM




Chills my heart to imagine the catastrophe may happen if HTC doesn't solve this, FAST!
SUSSimilan
post Oct 4 2011, 12:03 AM




Suggest this topic is pinned to promote awareness
SUSSimilan
post Oct 4 2011, 08:07 AM




QUOTE(wkkm007 @ Oct 4 2011, 12:24 AM)
If feel keep PIN numbers, passwords or personal data in a SmartDevice like writing PIN no. on ATM card laugh.gif


Added on October 4, 2011, 12:24 am
I only trust my own brain and the conventional method haha
*
good 4 u.

but many ppl are using their phones to store personal particulars since they always carry it arnd. furthermore even big companies like airasia, cimb clicks develop apps to complement their business.
nowadays ppl also say that mobile phone with NFC can be used as mobile wallet.

unfortunately, android is still very weak in security aspect with so many malwares, hackware and virus roaming freely unlike iOS which is much more secured and users have peace of mind.

not saying android is entirely lousy and useless, but it's "open" nature leaves it security very weak and prone to attacks by criminals.


@darksaliva

open ur eyes big big, brightness set correctly, read carefully and try to process in ur brain a bit.

htc evo 3d and sensation may had been affected by this massive security breach.

QUOTE
About these security flaws/vulnerability, I don't feel like it's really something new.
Windows OS, Mac OS, Linux OS, etc all have security problems.
That's why Windows Update(for Windows) are there. Keep on updating the security codes...


this statement just shows how shallow ur thinking is. rolleyes.gif
those software patches are for bug squashing and general improvements.
very seldom you see a huge security breach that compromises privacy and personal data.

the more powerful the smartphone becomes, the higher security it should have bcos it has access to a lot of data.
just imagine a criminal rapes and kills ur mother bcos he is able to know where ur mother is, her contacts, etc bcos he has hacked her android phone. what wld u say then? wld u just hide behind keyboard and complain in forum? shakehead.gif

the extreme example is required to ensure u get the message properly into ur hard head. blink.gif

btw, htc was informed of this on 24 sep but no fix until now. it is already october. doh.gif doh.gif

SUSSimilan
post Oct 4 2011, 10:32 AM




QUOTE(prody @ Oct 4 2011, 10:13 AM)
This is a major problem for users using original software.
*
exactly. and majority of non-geeks will use what was bundled together with the phone.
cannot imagine the consequences if an evil criminal uploads an app to harvest personal details from the phone.
shakehead.gif

at first, i supported htc bcos of their innovative HTC Sense software which is great and i could accept their handsets even though it didn't have the nicest screen, fastest processor, or slickest design.

but now. sad.gif

SUSSimilan
post Oct 4 2011, 02:38 PM




QUOTE(droid13579 @ Oct 4 2011, 01:57 PM)
I would like you to draw back this statement... iOS isn't that secured like what do you think. in YouTube there are many videos have shown many iOS users have exploit iOS. Even thou the phone lock also can be exploit easily by an amateur.

And most of iOS users have jailbreak their gadgets, so it is not as secured any more.

Even thou android has so call bugs and security problems, their so problems are just a small fry you can settle it yourselves even thou you are not gadget savvy. Just wait HTC release the latest firmware and then update your phone.

So, no matter you are iOS user or Android user. Nothing is perfect and enough said... we won't like to have flame war in Android thread because some iOS dudes come and underestimate the Android.
*
Show that iOS is easy to exploit? At least a link. Don't just simply type a statement.

How can you call a problem small fry when personal data is easily retrieve by any android app out there? and ppl here thought iPhone users are not tech-savvy. doh.gif

don't turn this into another keyboard-war.
i'm doing all htc android users (or potential buyers) a big favor by highlighting security concerns so they may be wary.
keep this thread clean, for goodness sake! mad.gif

the biggest issue here is ...that this disaster happens only when using HTC original firmware!
and yes, if u have the technical capability to root/ jailbreak u shld be aware of the risks or issues related to it.

again, droidfags shld put aside their pride and accept that there is a problem.
this is beneficial rather than defending the obvious flaws with dumbo statements.

wink.gif


SUSSimilan
post Oct 4 2011, 02:55 PM




QUOTE(Dannyl @ Oct 4 2011, 02:46 PM)
Just like bank phishing emails.  So many people who are not tech-savvy use Maybank2U.  So many kena con.  Read email, click on link, enter password, *BAM*.

never in their nightmares cld they imagine the possibility of stolen money or worst, kidnapping by just following a maybank2u email.  sad.gif
*
yes its true. the world is truly a dangerous place maybe it is easier to con/cheat/criminal when many aspects of our lives is connected.

SO we don't really want to make it much worse by using technology which has massive security vulnerabilities. although not one system is entirely fool-proof, not even iOS

but at least the locks must be in place.
and now it seems HTC has opened all its locks and the poor android user now is spreading his legs for the criminal.

pls do not praise me as noble and kind for doing this as i gain nothing and even subject myself to insults by childish ppl... but actually it is just the least that i can do to help.

SUSSimilan
post Oct 4 2011, 02:57 PM




QUOTE(DJFoo000 @ Oct 4 2011, 02:53 PM)
It should be mentioned that the htcloggers.apk is only present in the most recent HTC OTAs. So the flagging of the exploit was early in the sense that not much people know about the exploit yet.

The flagging should be hailed more as an act of heroism of the Android developers community than a huge security hole dug by HTC.

Everything else is pretty irrelevant.
*
until now, the folks at htc still has not released a fix for this.

on a more sinister note, perhaps htc meant it to be like this for purposes only known among their evil selves. yawn.gif
SUSSimilan
post Oct 5 2011, 08:02 AM




QUOTE(Racerx @ Oct 5 2011, 06:28 AM)
I'd like to add something,from what i can see the htcloggers.apk is also present in custom ROMs that are based on HTC's ROM [ARHD etc].On AOSP ROMs like the CM7/XboarderMOD the .apk isn't there.
*
+1

thanks for the info!


anyway, here is latest official information.
response from HTC

QUOTE
HTC Public Statement

HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.

HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.


ROTFL
even apps from android market can exploit this. so htc is saying android market is 'untrusted source'.

SUSSimilan
post Oct 8 2011, 01:08 PM




QUOTE(Alveolus @ Oct 8 2011, 12:40 PM)
At times like these, OSes are all prone to something. However, I don't really hear anything about WP7 and Symbian.
*
As mentioned numerous times, nothing is perfect. But due to open nature of android, security breaches and malware is easy and becoming increasingly common. As long as the manufacturers react quickly, usually it is alright.
The trouble is now, the breach is caused by HTC own software and worst is, those taiwanese is taking their sweet time while htc android users are being threatened everyday! Poor souls.

SUSSimilan
post Oct 11 2011, 08:26 AM




QUOTE(DarkSilver @ Oct 11 2011, 07:17 AM)
Every phone, every PC, every Mac, etc can be hacked when connected to Satellites...
I do tell this in the 1st Page if you guys can read it.
I know someone will not read it or will treat it as blank message.

Windows, always put Windows Update for Security Purposes. Want a screen  shot? Or you guys can view it by yourself in your PC also...

Androids, update the firmware to get rid of Security issues.

iOS, same. Linux, same. All just update, then, it'll solve the issues.

You guys shouldn't even need to care about this thread, it's going no where and no solutions also. Go read up some solutions, or fixes threads is better and won't waste your time if you're using a HTC device.

droid13579,
He can't get stars(elite tag) or posts like mine if he continues something lousy like this.


Added on October 11, 2011, 7:21 am
True. I don't even bother to read the details of this problem. What for? LOL.
A solution is more useful to me. I think HTC have fixed already by updating the firmware.
*
rclxub.gif can't u see? (similan is really start to see many stars now with ur responses)

yes, theoretically any device can be hacked finally but HTC has made it very easy to do so with their latest firmware updates.

and firmware updates is supposed to enhance the security, fix bugs...not add them like what HTC seem to have done.

solution? already mention by similan.

1) learn how to root/ flash custom firmware.
2) stop installing apps until HTC provides a fix. Still waiting. whistling.gif

Lastly, Similan is uninterested in stars or elite tags. Similan is not like that. Similan only wants to help others.

SUSSimilan
post Oct 11 2011, 12:33 PM




QUOTE(TheLaptopDudeGuy @ Oct 11 2011, 09:31 AM)
http://www.zdnet.com/blog/security/iphone-...lity-again/7544
http://www.zdnet.com/blog/security/iphone-...t;siu-container
http://www.pcworld.com/article/235144/jail...es_it_work.html

when i first saw this thread, my first guess was: it must be created by the legendary similan, and i look to the right abit, my guess was right  tongue.gif . anyways, everything has security breaches, just check the above links, even iphone has security breaches, not only android  tongue.gif

conclusion: dont bash out on android about 'security issues' when iphone also has security issues. iOS 4.3.3 has a huge safari bug that was exploited by jailbreakme 3.0 and can be used by hackers to hack into the phone to steal personal data.  tongue.gif

from pcworld link above: The exact PDF vulnerability, if it becomes known, could potentially be used by less magnanimous hackers to install malware onto your device.

seems like everything u post in android thread is all negative and criticizing android right?  tongue.gif
*
do not agree with your conclusion. i love android system, even bought 3 high-end android phones before.
i had high hopes that it can match iOS in terms of smoothness, usability, security and features one day.

when u were small, didn't ur parents give u the cane when naughty? it's not that they hate u but instead, they love u and hope that u can improve.

similarly, many parent would also tell u the successful friend/relative who was hardworking, good, and provided to the family and society. not that ur parents think u are inferior, but they tell u bcos they want u to look at successful ppl as examples.

Similan also has the same aspirations for the android family.

this thread will be updated by Similan when HTC issues the fix.
SUSSimilan
post Oct 11 2011, 03:25 PM




thread will be closed until HTC solves the issue.

this is to prevent childish and rude behavior in this thread.

PM me if u have genuine enquire.
Similan is always get to help.


Added on October 12, 2011, 7:44 am
Dear frens,

Similan will embark to Thailand to help provide flood relief.
Internet connection may be intermittent.

Similan sincerely offers apologies for not being able to update this thread while away. but similan will be thinking abt u ppl.

PS: if only HTC had reacted faster...

This post has been edited by Similan: Oct 12 2011, 07:44 AM
