HTC reaches settlement with FTC on Android device security issue

If you can call this a settlement, then you probably do not want to know what happens when the Federal Trade Commission levies a real punitive action against you.

Stating that HTC “failed to employ reasonable security” on millions of Android tablets and smartphones, the regulatory body has given HTC 30 days to push out a security patch to devices. The patch must fix security holes that had the potential to give HTC applications, as well as third-party applications, a back door to all device data and personal information. Moreover, HTC will be subject to security reviews for the next 20 years.

HTC gets to avoid admitting guilt on this issue and is not being fined, but that is about it. The FTC found that HTC’s applications re-delegated permissions: they exposed permissions they had been granted in a way that third-party applications could exploit as a vulnerability. Also uncovered was an application installation vulnerability, in which HTC pre-installed custom applications that could download and install applications outside the normal Android installation process. That created another opening for third-party applications to install additional apps without the user’s knowledge.
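An added example, not taken from the article or the FTC order: a defender-side manifest audit for the permission re-delegation pattern described above, flagging exported components that carry no permission guard in an app that itself holds permissions. The manifest, package name and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest for a hypothetical pre-installed app (not HTC's code).
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vendor.tools">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <application>
    <service android:name=".RecorderService" android:exported="true"/>
    <service android:name=".InstallService">
      <intent-filter><action android:name="com.example.vendor.INSTALL"/></intent-filter>
    </service>
    <service android:name=".LogService" android:exported="true"
             android:permission="com.example.vendor.permission.READ_LOGS"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(component):
    """Explicit android:exported wins; otherwise an intent-filter implies export
    (the platform default before Android 12; provider defaults differ)."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (held_permissions, unguarded_exported_components)."""
    root = ET.fromstring(xml_text)
    held = sorted(p.get(A + "name") for p in root.iter("uses-permission"))
    app = root.find("application")
    app_permission = app.get(A + "permission") if app is not None else None
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            guard = comp.get(A + "permission") or app_permission
            if is_exported(comp) and not guard:
                findings.append((tag, comp.get(A + "name")))
    return held, findings

if __name__ == "__main__":
    held, findings = audit_manifest(SAMPLE_MANIFEST)
    for tag, name in findings:
        print(f"{tag} {name}: exported without a permission guard; app holds {held}")
```

A flagged component is only a candidate for review: whether it actually re-delegates a permission depends on what its code does on behalf of the caller.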

The last finding had to do with insecure communications mechanisms. Simply put, HTC failed to use widely accepted methods to secure the communications of logging applications on its devices. HTC Loggers is a customer support and troubleshooting tool which could collect all forms of information that resided on the device. While the logged data was meant to be accessible only by HTC and the carriers, HTC did not secure the communications protocols, and thus created a security hole that gave third-party applications potentially unfettered access to all information on a given device.

Given all the patching that HTC has to do over the next month across a multitude of devices (not listed in the FTC’s Consent Order), do not expect the next update to your HTC device to be an upgrade to Android Jelly Bean.

source: FTC (PDF) via Ars Technica

6 Comments

1. tiara6918

Posts: 2263; Member since: Apr 26, 2012

Good thing I don't put all my information and accounts on my one x, I usually create a "fake" account that doesn't have my real identity

2. Wiki_jaan

Posts: 704; Member since: Jun 24, 2012

Your fake account can sync your data...

3. Droid_X_Doug

Posts: 5993; Member since: Dec 22, 2010

So Maxwell, what do you think a 'settlement' is? By any objective measure, HTC f*cked up as it relates to user privacy. When you are a bad boy (or girl) in an area where the Feds have jurisdiction, it can get painful real fast.

5. Mxyzptlk unregistered

I think they need to slap this onto Google as well, big time.

9. Droid_X_Doug

Posts: 5993; Member since: Dec 22, 2010

And Apple, too.

6. Sdubb3

Posts: 19; Member since: Jan 22, 2012

So this was the reason behind the security update I got on this old ass EVO 4G. Lol.
