Researchers discover major security hole in HTC’s flavour of Android

Artem Russakovskii, Justin Case and Trevor Eckart claim that they have been looking deep inside the software installed on several HTC handsets and “the results are not pretty.”

“In fact, they expose such ridiculously frivolous doings, which HTC has no one else to blame but itself, that the data-leaking Skype vulnerability Justin found earlier this year pales in comparison”, says Russakovskii in a weekend newswire posting.

Infosecurity notes that the flaw seems to center on the way that HTC handsets log data – this appears to be partially a feature of the Android fork (version) that HTC has developed and partially a feature of the software that the vendor installs on its smartphone.

Russakovskii says that, if you, as a company, plant these information collectors on a device, you need to be sure the information they collect is secured and only available to privileged services or the user, after opting in.

“That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET - which is normal for any app that connects to the web or shows ads - can get its hands on” the collected information, he notes.

The researcher says that, normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission, you would not expect it to read your phone log or list of emails.

He adds that a wide variety of further information, including “active notifications in the notification bar, including notification text, build number, bootloader version, radio version, kernel version, network info - including IP addresses - full memory info, CPU info” and all manner of additional data, is accessed by the logging suite.

So what is the bottom line to this issue?

According to the researchers, theoretically, it may be possible to clone a device using only a small subset of the information leaked.

“I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door”, he says.

Russakovskii and his colleagues have posted a walk-through video and a proof-of-concept app on their site and claim that, although HTC was notified on September 24, they have had no response.

The security issue can only be solved – at the moment – he says, by either rooting the handset or waiting for an update from HTC. If you do root, he adds, “we recommend immediate removal of Htcloggers (you can find it at /system/app/HtcLoggers.apk).”
