IT Compliance Advisor

Oct 10 2011   6:56PM GMT

Paranoid Android: HTC mobile device security questioned by researchers



Posted by: Ben Cole
Tags:
Android
CIO
mobile device security

October is National Cybersecurity Awareness Month, and the overarching theme this year is to spread awareness of every Internet user’s role in securing their information. In other words, YOU are the first line of defense in protecting your information, so pay attention to security vulnerabilities stemming from your devices.

But certainly not everyone who goes online is overly familiar with the persistent threats. Luckily, it appears some watchdogs are here to help. This was evident when the Android Police blog recently reported a “massive security vulnerability” in HTC’s Android devices.

Android Police researchers found that in recent updates to some of HTC’s devices, the company introduced a suite of logging tools designed to collect user information — way too much information, according to the researchers. Researchers found that on affected HTC devices, any application that requests a single Internet permission (normal for any app that connects to the Web or shows ads) can access:

· The list of user accounts, including email addresses and sync status for each.

· Last-known network and GPS locations, and a limited history of previous locations.

· Phone numbers from the phone log.

· SMS data, including phone numbers.

· System logs likely to include email addresses, phone numbers and other private info.

“If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in,” wrote Android Police blogger Artem Russakovskii when announcing the HTC device security vulnerability. “That is not the case.”

After the flaw was exposed by the Android Police, HTC confirmed that it found in its software a “vulnerability that could potentially be exploited by a malicious third-party application,” and that it was working on a fix. Customers will be notified of how to download and install the security fix, the company said. HTC also urged customers to use caution when downloading, using, installing and updating applications from untrusted sources.

At least HTC moved quickly to correct the problem and inform its customers of the vulnerabilities, right? Well, not so fast. After finding the security lapse, the Android Police contacted HTC on Sept. 24 and received no real response for five business days, after which the Android Police released the information to the public.

Perhaps HTC was waiting to tie in its response to the vulnerabilities with Cybersecurity Awareness Month.

The point to take from the story surrounding HTC mobile device security is that companies are not going to come out and announce when there is a huge risk to using their products — especially those designed for consumers. The problem is the average consumer is not going to know what to look for, and will trust that information is protected when using devices for everyday use.

As shown with the HTC mobile device security issue, this is not always the case. How many more security vulnerabilities are there in other mobile devices that have not been exposed yet? And it’s not just individual consumers that need to be concerned: The spread of personal devices (and their associated security risks) in the workplace make due diligence necessary. People can obviously no longer just assume that they’re protected.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: