HTC reaches settlement with FTC on Android device security issue
Stating that HTC “failed to employ reasonable security” on millions of Android tablets and smartphones, the FTC has given HTC 30 days to push out a security patch to devices in order to fix the security holes, which had the potential to give HTC applications as well as third-party applications a back door to all device data and personal information. Moreover, HTC will be subject to security reviews for the next 20 years.
HTC avoids admitting guilt on this issue and is not being fined, but that is about it. The FTC found that HTC’s applications re-delegated permissions, which enabled third-party applications to exploit those permissions as a vulnerability. Also uncovered was an application installation vulnerability: HTC installed custom applications that could download and install applications outside the normal Android installation process. That created another vulnerability, allowing third-party applications to install additional apps without the user’s knowledge.
The last finding had to do with insecure communications mechanisms. Simply put, HTC failed to use widely accepted methods to secure the communications of logging applications on its devices. HTC Loggers is a customer support and troubleshooting tool which could collect all forms of information that resided on the device. While the logged data was meant to be accessible only by HTC and the carriers, HTC did not secure the communications protocols and thus created a security hole that could give third-party applications unfettered access to all information on a given device.
Given all the patching that HTC has to do over the next month across a multitude of devices (not listed in the FTC’s Consent Order), do not expect the next update to your HTC device to be an upgrade to Android Jelly Bean.
source: FTC (PDF) via Ars Technica
1. tiara6918 posted on 23 Feb 2013, 03:25 0 0
Good thing I don't put all my information and accounts on my One X. I usually create a "fake" account that doesn't have my real identity.
2. Wiki_jaan posted on 23 Feb 2013, 04:51 1 0
Your fake account can sync your data...
3. Droid_X_Doug posted on 23 Feb 2013, 05:28 0 0
So Maxwell, what do you think a 'settlement' is? By any objective measure, HTC f*cked up as it relates to user privacy. When you are a bad boy (or girl) in an area where the Feds have jurisdiction, it can get painful real fast.
7. 14545 posted on 23 Feb 2013, 10:22 0 0
Not really. If you can't take reasonable measures to protect your customers' info, then they deserve it. Personally, after how HTC has screwed me over on the phones I have bought, I love seeing them get in trouble. Maybe if they would revise their update schedules to a reasonable time frame, and not screw us over on the latest software altogether, then I might not be such a d**k about it.
8. Droid_X_Doug posted on 23 Feb 2013, 11:02 0 0
They could have faced criminal sanctions... or been banned from selling their toys in the U.S. A 20-year probation period strikes me as reasonable, given the magnitude of the sins.
5. Mxyzptlk posted on 23 Feb 2013, 09:34 0 5
I think they need to slap this onto Google as well, big time.
6. Sdubb3 posted on 23 Feb 2013, 10:08 0 1
So this was the reason behind the security update I got on this old ass EVO 4G. Lol.