HTC Android Users: Massive Vulnerability Uncovered
#1
Original Poster
FlyerTalk Evangelist




Join Date: Apr 2009
Location: Bye Delta
Programs: AA EXP, UA Silver, HH Diamond, IHG Plat, Hyatt Plat, Marriott Titanium, Nat'l EE, Avis PC, Hertz PC
Posts: 16,637
A heads up for those of you who use an Android-based device manufactured by HTC:
http://www.androidpolice.com/2011/10...ses-much-more/
Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails Addresses, Much More
Last edited by javabytes; Oct 2, 2011 at 11:08 pm Reason: Fixed URL
#2
Join Date: Apr 2005
Location: PHX
Posts: 3,794
Oh, yuck. The short version is that HTC has a high-privilege applet preinstalled on their phone that can access all sorts of sensitive data. It gives this info up to any other applet without any sort of security, acting as a backdoor around the normal Android security.
#4
Join Date: Apr 2010
Location: MCO/FRA
Programs: None anymore
Posts: 799
I would so love to turn an Android device on and be presented 2 options
1. Manufacturer ROM (bloated with carrier & vendor crap)
2. Cyanogen ROM (Lean, mean speed demon machine)
#8
FlyerTalk Evangelist




Join Date: Jan 2002
Location: Greater DC
Programs: UA plus
Posts: 12,947
Additionally, and the implications of this could end up being insignificant, yet still very suspicious, HTC also decided to add an app called androidvncserver.apk to their Android OS installations. If you're not familiar with the definition of VNC, it is basically a remote access server. On the EVO 3D, it was present from the start and updated in the latest OTA. The app doesn't get started by default, but who knows what and who can trigger it and potentially get access to your phone remotely? I'm sure we'll know soon enough - HTC, care to tell us what it's doing here?
#9
In Memoriam
Join Date: Feb 2000
Location: Easton, CT, USA
Programs: ua prem exec, Former hilton diamond
Posts: 31,801
One has to love their response
"HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."
Really, they don't even verify it as an issue yet? One of the stories says the people who discovered this contacted them:
After finding the vulnerability, the trio claim that Eckhart contacted HTC on September 24th and HTC didn’t respond to them. So, after receiving no real response for five business days, they’ve decided to release news of the vulnerability to force HTC to fix the problem.
#10


Join Date: Feb 2011
Location: Washington D.C. via Sao Paulo via Houston via Washington D.C. via Boston via New York
Posts: 1,172
I always root my Android phones... I am running a Thunderbolt now with CM7 and there are no VZW apps on it or HTC loggers... so they can't track me, not that I knew about it before
#15
FlyerTalk Evangelist




Join Date: Oct 2002
Location: Currently in Bloomington, IN, but Normally NYC, CDG, and even POZ or wherever FT takes me.
Programs: Northwest Airlines. MTA pay-per-ride Metrocard; zero-balance Oyster card.
Posts: 14,082
Hmmm... Anyone know if the T-Mobile G2 (almost two years old) is affected?

