HTC is promising to plug a security hole in its Android phones that gives certain mobile apps access to a user's personal information.
The vulnerability can expose e-mail addresses, network and GPS locations, phone numbers, SMS data, and system logs to apps that connect to the Internet. The flaw exists among HTC's portfolio of Android phones, including the Evo 3D, the Evo 4G, and the Thunderbolt, and has been traced to a logging tool that HTC recently installed during a software update.
In a statement released today, HTC acknowledged the security hole in its software but tried to reassure its users about the impact.
The company also tried to assure its users that it's hard at work developing a fix for the flaw. "HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices," the company added. "Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources."
But one of the researchers who uncovered the flaw and shared his initial findings on AndroidPolice seemed dubious about HTC's response.
In another posting at AndroidPolice, researcher Artem Russakovskii said that he "applauds" HTC's attempt to remedy the problem, but he questions whether the patch would just set up some type of "authentication scheme" that would continue to allow personal information to be sent back to HTC or mobile carriers.
"Furthermore, I'd like a clarification on what the Android VNC server, which allows remote access, is doing on affected devices," added Russakovskii. And he cited a number of other services found on HTC devices that he believes could also be lacking in security.