HTC reaches settlement with FTC on Android device security issue
Stating that HTC “failed to employ reasonable security” on millions of Android tablets and smartphones, the regulatory body has given HTC 30 days to push out a security patch to devices in order to fix the security holes which had the potential to give HTC applications as well as third-party applications a back-door to all device data and personal information. Moreover, HTC will be subject to security reviews for the next 20 years.
HTC gets to avoid admitting guilt on this issue and is not being fined any monetary damages, but that is about it. The FTC found that HTC’s applications re-delegated permissions which enabled third-party applications to exploit that permission as a vulnerability. Also uncovered was an application installation vulnerability in which HTC installed custom applications that could download and install outside normal Android installation processes. That created another vulnerability for third-party applications to install additional apps without the user’s knowledge.
The last finding had to do with insecure communications mechanisms. Simply put, HTC dropped the ball in using widely accepted methods to secure the communications of logging applications on its devices. HTC Loggers is a customer support and troubleshooting tool which could collect all forms of information that resided on the device. While the logged data was meant to be only accessible by HTC and the carriers, HTC did not secure the communications protocols and thus created a security hole for third-party applications to potentially have unfettered access to all information on a given device.
Given all the patchwork that HTC has to employ over the next month across a multitude of devices (not listed in the FTC’s Consent Order), do not expect the next update to your HTC device to be an upgrade to Android Jelly Bean.
source: FTC (PDF) via Ars Technica
1. tiara6918 (Posts: 1199; Member since: 26 Apr 2012)
Good thing I don't put all my information and accounts on my one x, I usually create a "fake" account that doesn't have my real identity
2. Wiki_jaan (Posts: 650; Member since: 24 Jun 2012)
ur fake account can sync ur data ...............
3. Droid_X_Doug (Posts: 5150; Member since: 22 Dec 2010)
So Maxwell, what do you think a 'settlement' is? By any objective measure, HTC f*cked up as it relates to user privacy. When you are a bad boy (or girl) in an area where the Feds have jurisdiction, it can get painful real fast.
4. lyndon420 (Posts: 1448; Member since: 11 Jul 2012)
"For the next 20 years" is pretty harsh.
7. 14545 (Posts: 975; Member since: 22 Nov 2011)
Not really. If you can't take reasonable measures to protect your customers info, then they deserve it. Personally, after how HTC has screwed me over on the phones I have bought, I love seeing them get in trouble. Maybe if they would revise their update schedules to a reasonable time frame, and not screw us over on the latest software all together, then I might not such a d**k about it.
8. Droid_X_Doug (Posts: 5150; Member since: 22 Dec 2010)
They could have faced criminal sanctions.... Or, been banned from selling their toys in the U.S. A 20 year probation period strikes me as reasonable, given the magnitude of the sins.
5. Mxyzptlk (Posts: 2740; Member since: 21 Apr 2012)
I think they need to slap this onto Google as well, big time.
6. Sdubb3 (Posts: 19; Member since: 22 Jan 2012)
So this was the reason behind the security update I got on this old ass EVO 4G. Lol.