Stating that HTC “failed to employ reasonable security” on millions of Android tablets and smartphones, the regulatory body has given HTC 30 days to push out a security patch to devices in order to fix the security holes which had the potential to give HTC applications as well as third-party applications a back-door to all device data and personal information. Moreover, HTC will be subject to security reviews for the next 20 years.
HTC gets to avoid admitting guilt on this issue and is not being fined any monetary damages, but that is about it. The FTC found that HTC’s pre-installed applications re-delegated the permissions they held, so a third-party application that had never been granted those permissions could exercise them through HTC’s apps. Also uncovered was an application installation vulnerability: HTC installed custom applications that could download and install software outside the normal Android installation process, which in turn let third-party applications install additional apps without the user’s knowledge.
The last finding had to do with insecure communications mechanisms. Simply put, HTC failed to use widely accepted methods to secure the communications of the logging applications on its devices. HTC Loggers is a customer support and troubleshooting tool that could collect all forms of information residing on the device. While the logged data was meant to be accessible only to HTC and the carriers, HTC did not secure the communications protocols and thus created a security hole through which third-party applications could potentially gain unfettered access to all information on a given device.
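To make the permission re-delegation finding concrete, here is an added, hypothetical Android example; it is not HTC’s code and is not taken from the FTC order. It assumes a vendor app that holds READ_PHONE_STATE and exposes phone data through an exported ContentProvider (authority and permission names are made up). The first class shows the re-delegation defect: any installed app can query it and obtain data it was never granted permission to read. The second class closes the hole by requiring a vendor-defined signature-level permission, declared in the manifest and enforced again at runtime.

```java
import android.content.ContentProvider;
import android.content.ContentValues;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.telephony.TelephonyManager;

/*
 * Vulnerable version (assumed manifest entry, not from the page):
 *   <provider android:name=".LeakyDeviceInfoProvider"
 *             android:authorities="com.example.vendor.deviceinfo"
 *             android:exported="true" />
 * The provider is exported with no permission attached, so the READ_PHONE_STATE
 * permission held by this vendor app is effectively handed to every caller.
 */
class LeakyDeviceInfoProvider extends ContentProvider {
    @Override public boolean onCreate() { return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        // No check of who is calling: this is the re-delegation defect.
        return DeviceInfoCursor.build(getContext()
                .getSystemService(TelephonyManager.class));
    }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.item/deviceinfo"; }
    @Override public Uri insert(Uri uri, ContentValues v) { return null; }
    @Override public int delete(Uri uri, String s, String[] a) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { return 0; }
}

/*
 * Hardened version (assumed manifest entries, not from the page):
 *   <permission android:name="com.example.vendor.READ_DEVICE_INFO"
 *               android:protectionLevel="signature" />
 *   <provider android:name=".DeviceInfoProvider"
 *             android:authorities="com.example.vendor.deviceinfo"
 *             android:exported="true"
 *             android:readPermission="com.example.vendor.READ_DEVICE_INFO" />
 * With protectionLevel="signature", only apps signed with the vendor's key can
 * hold the permission, so the system rejects every other caller before query()
 * runs. The runtime check below is defence in depth in case the manifest
 * attribute is lost in a later build.
 */
public class DeviceInfoProvider extends ContentProvider {
    static final String REQUIRED_PERMISSION = "com.example.vendor.READ_DEVICE_INFO";

    @Override public boolean onCreate() { return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        // query() runs on a Binder thread, so the calling identity is the remote
        // app; enforceCallingPermission throws SecurityException if it lacks it.
        getContext().enforceCallingPermission(REQUIRED_PERMISSION,
                "caller does not hold " + REQUIRED_PERMISSION);
        return DeviceInfoCursor.build(getContext()
                .getSystemService(TelephonyManager.class));
    }
    @Override public String getType(Uri uri) { return "vnd.android.cursor.item/deviceinfo"; }
    @Override public Uri insert(Uri uri, ContentValues v) { return null; }
    @Override public int delete(Uri uri, String s, String[] a) { return 0; }
    @Override public int update(Uri uri, ContentValues v, String s, String[] a) { return 0; }
}

/* Shared helper: reads data that requires READ_PHONE_STATE (held by this app). */
final class DeviceInfoCursor {
    private DeviceInfoCursor() {}

    static Cursor build(TelephonyManager tm) {
        MatrixCursor c = new MatrixCursor(new String[] {"line1_number", "sim_operator"});
        // getLine1Number() is the privileged read; on current Android releases it
        // additionally requires READ_PHONE_NUMBERS, which the vendor app would declare.
        c.addRow(new Object[] {tm.getLine1Number(), tm.getSimOperatorName()});
        return c;
    }
}
```

The review check a defender would run on a firmware image is the same as the difference between the two classes: for every component with android:exported="true" (or an intent filter, which implies export on older releases), confirm that a permission attribute or an in-code caller check stands between the caller and any privileged action the component performs.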
Given all the patchwork that HTC has to employ over the next month across a multitude of devices (not listed in the FTC’s Consent Order), do not expect the next update to your HTC device to be an upgrade to Android Jelly Bean.
source: FTC (PDF) via Ars Technica