HTC cooking up fix for security flaw

Responding to a security vulnerability discovered in its Android phones, HTC says it's aware of the problem and is working on an update to resolve it.

HTC Thunderbolt (Photo: Sarah Tew/CNET)

HTC is promising to plug a security hole in its Android phones that gives certain mobile apps access to a user's personal information.

Recently discovered by a trio of researchers, the vulnerability can expose e-mail addresses, network and GPS locations, phone numbers, SMS data, and system logs to apps that connect to the Internet. The flaw is found in HTC's portfolio of Android phones, including the Evo 3D, the Evo 4G, and the Thunderbolt, and has been traced to a logging tool that HTC recently installed during a software update.

In a statement released today, HTC acknowledged the security hole in its software but tried to reassure its users about the impact.

"HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application," the company said in its statement. "A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability."

The company also tried to assure its users that it's hard at work developing a fix for the flaw.

"HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices," the company added. "Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources."

But one of the researchers who uncovered the flaw and shared his initial findings on AndroidPolice seemed dubious about HTC's response.

In another posting at AndroidPolice, researcher Artem Russakovskii said that he "applauds" HTC's attempt to remedy the problem, but he questions whether the patch would just set up some type of "authentication scheme" that would continue to allow personal information to be sent back to HTC or mobile carriers.

"Furthermore, I'd like a clarification on what the Android VNC server, which allows remote access, is doing on affected devices," added Russakovskii. He also cited a number of other services found on HTC devices that he believes could also be lacking in security.