Monday, October 03, 2011

HTC bug exposes device logs to any apps with basic Internet access

HTC's Sense UI, which has been lauded by some users and reviled by many, is at the heart of a huge security risk on many of its newer devices. The site Android Police, with the assistance of custom firmware developer Trevor Eckhart, discovered the security risk.

Among the phones that have been identified as problematic are the Evo 3D, Evo 4G, and Thunderbolt. Other phones, such as the myTouch 4G Slide and the Sensation, may also be affected.

HTC has introduced logging tools in its latest releases that insecurely log private data. What's worse is that the data is accessible to any app that has Internet access.

That's right, basic Internet access allows apps to get their hands on the following info (and there may be more) because of the HTC security FUBAR: user accounts, last known network and GPS locations as well as a limited previous history of locations, phone numbers from the phone log, SMS data, and system logs (both kernel/dmesg and app/logcat).

The tools also have no login checks, although they include their own set of extensive command systems. The tools even have root-level privileges for some of their functionality.

HTC even includes a program called androidvncserver which, as it might sound, is a VNC server that could be used to remotely control the device. The service isn't started by default, but it's unclear exactly what purpose it serves beyond being some sort of VNC server, or why HTC installs it at all.

Android Police and Eckhart said they reported their findings to HTC and gave them several days to respond before going public with the information. There has been no response from HTC, either publicly or privately.

It's unclear exactly how damaging this vulnerability could be in the wild, but it's reminiscent of the iPhone logging file, and certainly nothing that an end user would want stored on their device. Motorola and Samsung owners are likely sighing with relief about now.
