HTC has responded to a new security hole discovered on several of its Android-powered handsets that leaves personal data vulnerable to devious app developers.
The Taiwanese phone-maker has admitted to the existence of a flaw, uncovered by the eagle-eyed folks over at Android Police, involving a single Android permission, android.permission.INTERNET, which lets applications access the web and is otherwise innocuous.
According to the findings by Trevor Eckhart, any app that requests this permission can also gain access to sensitive data: the list of user accounts, including email addresses and sync status for each; the last known GPS and network locations of the device, with a history of previous locations; phone numbers from the call log; SMS data; and system logs, which include everything on running apps.
The fault apparently lies with HTC’s own modifications of Android with its bespoke Sense UI and is believed to affect a number of its existing and upcoming handsets such as the HTC Evo 3D, Sensation, Vigor and more.
HTC released a statement acknowledging the vulnerability and urged users to download an over-the-air update it plans to roll out soon to tackle the exploit.
“HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers’ data, there is a vulnerability that could potentially be exploited by a malicious third-party application.
“A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.
“HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.”