There is a serious security issue with a variety of HTC Android phones that enables any app with Internet permissions to access a huge amount of private data on the device, including call logs, email addresses, SMS messages, last known GPS location and more. The problem was introduced via an update to the HTC phones that installed a tool called HTCLogger that collects the data.
The issue was discovered late last week and researchers developed a proof-of-concept app that shows how much data any arbitrary app can access on the affected devices, which include the EVO 4G, EVO3D, Thunderbolt and others. The leak of what should be private data is enabled by the presence of the HTCLogger tool, according to a report on the Android Police site, and any app installed on an affected device that has Internet permissions can then access the data cache via a local port. Many Android apps have the android.permission.INTERNET permission by default.
“Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails,” the report from Android Police says.
HTC said in an emailed statement that the company is looking into the issue.
“HTC takes our customers’ security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we’re able to determine the accuracy of the claim and what steps, if any, need to be taken,” the statement said.
The list of functions and information that the HTCLogger app can access is long, and includes both coarse and fine location data, network information, IP address, WiFi state, detailed data on the OS version and kernel, account information on the device, system logs and other data. The HTC tool was apparently meant as a way for developers to get detailed information about what is causing problems on a device. However, as the Android Police research shows, that data also can be accessed by a long list of other apps and used for other purposes.
The problem only affects HTC Android phones with the stock Sense formware installed. Users who have rooted their phones may be able to delete the logging tool themselves. The file is located at /system/app/HtcLoggers.apk, according to the Android Police report.
Security researcher Jon Oberheide, who has discovered a number of Android vulnerabilities in the last couple of years, said that while the data leak produced by the HTCLogger is a serious issue that needs to be fixed, but that many of the same services and functions can be accessed in other ways.
“One can achieve the same privileges via a number of other vectors: By rooting the device via a privilege escalation. By silently installing new apps with arbitrary permissions without user approval like we demonstrated with our Angry Birds PoC and again
more recently in our video. By just requesting those permissions and convincing the user to approve them. After all, who really looks at the permissions and doesn’t install an app because they might be requesting a few unnecessary ones?” Oberheide said.