Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Android Privacy Security Your Rights Online

Security Vulnerabilities On HTC Android Devices 97

revjtanton writes "In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, or corporate evilness — it doesn't matter." That's because "any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads)" on one of these phones can now grab all sorts of interesting bits from the logged data.
This discussion has been archived. No new comments can be posted.

Security Vulnerabilities On HTC Android Devices

Comments Filter:
  • No one wants to track us!!

  • Fix (Score:5, Interesting)

    by Adam Zweimiller ( 710977 ) on Sunday October 02, 2011 @01:59PM (#37584392) Homepage
    If you are rooted, you can use Titanium Backup to uninstall HTC Loggers or you can manually delete HTCLoggers.apk from /system/app/.
    • Re:Fix (Score:5, Informative)

      by stephanruby ( 542433 ) on Sunday October 02, 2011 @02:48PM (#37584646)

      One silver lining at least is that

      HTC is one of the very few hardware manufacturers that does provide official instructions for rooting [htcdev.com] your own device.

    • I have Terminal Emulator. I cd to /system/app , and ls tells me there's no HTCLoggers.apk . Is it hidden somehow? I think the phone is up to date with all offered updates. Is there any way to test whether this little bugger is actually installed on my phone?

    • If you are rooted, you can use Titanium Backup to uninstall HTC Loggers or you can manually delete HTCLoggers.apk from /system/app/.

      If you are rooted you can just install Cyanogenmod and forget about it.

  • Cyanogen Mod (Score:4, Interesting)

    by Anonymous Coward on Sunday October 02, 2011 @02:19PM (#37584484)

    Even more reason to root and flash with CyanogenMod [cyanogenmod.com] or other custom firmware of your choice.

    • Problem is, you lose HTC Sense, which is one of the best UIs for Android.

      • I recently installed cyanogenmod on my HTC Sensation... specifically to get rid of the Sense UI.

      • What else do you lose if you root an HTC (Evo Shift 4G) and replace with CyanogenMod or some other comprehensive Android OS?

        • Re:Cyanogen Mod (Score:4, Informative)

          by Miamicanes ( 730264 ) on Sunday October 02, 2011 @06:41PM (#37586078)

          You don't lose SenseUI from *rooting*, you lose SenseUI from replacing its stock ROM with most community Android builds. The main complaint today about most factory ROMs is that there's no graceful way to pick and choose what you want to keep. To a very, very large extent, you can either poke around and rearrange the furniture a bit (leaving most of the original stuff in place), or you can blow it all away and end up with something that often isn't quite as polished or pretty as what you had before.

          The main problem is that the Android team largely left it up to manufacturers to implement core stuff like the Dialer app, and never formally defined how a "Dialer" should interact with a "Phonebook" or "Calendar". So what happens is that someone makes a custom ROM, tries tweaking the Dialer, discovers he can't, blows it away and replaces it, then discovers that it can't seamlessly integrate with anything else on the phone because it doesn't know how to interact with the phonebook or calendar. SO... he reverse engineers the phonebook and calendar on HIS phone, gets it to work with his Dialer of choice, then others try to use it and it blows up on their phones because the phonebook and calendar on THEIR phones communicates in a different way than the phonebook and calendar on HIS phone.

          THIS is what people really mean when they talk about Android's "fragmented" frameworks -- there's no official standard for how a modular and extensible dialer app should work or interact with the rest of the system, so every new Dialer ends up being specific to a very small specific group of phones, and version upgrades that upgrade the Dialer app end up breaking everything that was based on the old version's reverse-engineered behavior. SenseUI does things one way, Touchwiz does things another, Motoblur does them a third, and AOSP is off in its own world with several other ways for different families of Dialers+phonebooks to interact with each other and the rest of the world.

          I believe one of Google's goals for ICS has been to formally define aspects of the "phonebook/contacts/schedule" system and standardize the intents, so that at least going forward manufacturers who properly implement them will have phones that can be incrementally tweaked without having to blow everything away and throw the baby out with the bathwater the way you (mostly) do now.

          • Is there at least a grid or DB somewhere of phones vs firmwares that indicates which OEM features are covered, and perhaps by which optional replacement? I thought phone fans were obsessive about collecting those kinds of details about the objects of their fetish.

            • The problem is that it's hard enough to keep track of all the different Android builds available for *your own* phone, and possibly its close cousins, without even thinking about trying to do it for other brands too. Just look at the forums for Cyanogen. The guys trying to port to to Samsung phones can barely carry on a coherent conversation with the guys who've ported it to HTC phones, because their stock firmware is so architecturally different. You'd think they'd be similar because they're all ARM-based,

              • You'd think they'd be similar because they're all ARM-based, overwhelmingly use Qualcomm radio chipsets, and all theoretically run Android... but software-wise the differences start at the kernel and device drivers, and just explode from there.

                Now you understand why Samsung just hired Steve Kondik, founder of the Cyanogenmod project. They need someone like him very badly. Besides I, for one, won't consider a device if I can't get rid of the stock firmware and put Cyanogenmod (or another decent third-party ROM) on it. If nothing else, I simply do not trust the vendors and the carriers to play straight with me on the operating system.

                You also have to give a lot of credit to the Cyanogen crew, when you look at the sheer number of supported device

                • So which rooted firmware would you install on an HTC Evo Shift 4G, that would still run every app in the Android Market (and probably any other app, including ones I make myself with the SDK)? I really don't love the HTC Sense "desktop", but I don't want to live in some fork where every app I install has me second-guessing the firmware choice. And I certainly don't want to live with HTC's attacks like this one - which is a sign of things to come from HTC.

                  • Well, you'd have to check cyanogenmod.com [cyanogenmod.com] to see if your phone is on the list of supported devices. I've been running various CM versions continuously for almost three years now, and have yet to find an app that won't run. Quite the opposite: generally they perform better than under the equivalent stock release.

                    Yeah, I agree about HTC: that's too bad. I don't know if they've just gone "evil", or if this is an example of the known-evil carrier influence, but I stopped running stock firmware on any of my p
                    • For the sake of accuracy, the only carrier known to have ever done that in the US is AT&T, and they appear to have quit doing it for new phones going forward from the Infuse, and supposedly are unlocking older phones as they roll out periodic updates over the next few months. Now, whether AT&T will KEEP leaving them unlocked if it loses its fight to buy T-Mobile, and quits trying to publicly pretend that it's non-Evil, is anybody's guess.

                    • Will Sprint know that I've rooted my phone? How about if I enable WiFi hotspot on an unlimited data 4G phone... other than by auditing my total consumption and inferring? If they do guess, will I have violated some contract, or even just given them an excuse to cancel my contract?

                      If not, it seems there's practically nothing to lose except the HTC SenseUI, which seems worth losing. And in its absence, perhaps inspiration to write a different GUI shell myself, or with others.

                    • Will Sprint know that I've rooted my phone? How about if I enable WiFi hotspot on an unlimited data 4G phone... other than by auditing my total consumption and inferring? If they do guess, will I have violated some contract, or even just given them an excuse to cancel my contract?

                      If not, it seems there's practically nothing to lose except the HTC SenseUI, which seems worth losing. And in its absence, perhaps inspiration to write a different GUI shell myself, or with others.

                      Well, right now I have six different so-called "home apps" loaded on my G2. Some are variants of the stock launcher, others are completely and totally different. Sometimes I switch between them depending upon what I'm doing.

                    • For the sake of accuracy, the only carrier known to have ever done that in the US is AT&T

                      Okay, I'll take your word for that. I've never had a smartphone on anything other than T-Mobile at this point. On the other hand, even T-Mobile disallowed tethering apps early on (my first Android device was the venerable G1.) They eventually did a complete about-face on that score, and I haven't had any grief about non-Market apps or tethering or, well, anything else really. Which is why I was very upset when I first heard about the buyout.

                      The upper management of AT&T (or rather, SBC) should be in i

                    • Well, strictly speaking, they didn't "block" them, they just didn't allow them to be shown in Android Market. They made it non-easy for unsophisticated users, but didn't actually make it *hard* for regular users the way AT&T did.

                      Now, if they started poisoning DNS to make their domain appear to be invalid, or started to actually intercept and mangle http requests to their web site, that would be much more incrementally-evil and condemnation-worthy. On a scale of 1 to 10:

                      Filtering from Android Market: 2
                      DN

                • > Now you understand why Samsung just hired Steve Kondik, founder of the Cyanogenmod project.
                  > They need someone like him very badly.

                  You're absolutely right. Actually, Steve will help Samsung a lot, because for basically the cost of one happy full-time employee, they've effectively outsourced the long-term maintenance of their phones' firmware to dozens to hundreds of enthusiastic, highly-skilled unpaid volunteers (many of whom would be VERY expensive to hire for real as full-time employees). Samsung

                  • I am very pleased that my post gave you two an excuse to discuss this subject so informedly and insightfully. Thanks for sharing it with me - and with us :).

              • So which rooted firmware would you install on an HTC Evo Shift 4G, that would still run every app in the Android Market (and probably any other app, including ones I make myself with the SDK)? I really don't love the HTC Sense "desktop", but I don't want to live in some fork where every app I install has me second-guessing the firmware choice. And I certainly don't want to live with HTC's attacks like this one - which is a sign of things to come from HTC.

            • Is there at least a grid or DB somewhere of phones vs firmwares that indicates which OEM features are covered, and perhaps by which optional replacement? I thought phone fans were obsessive about collecting those kinds of details about the objects of their fetish.

              This [communityrelease.com] may be helpful to you.

              • Ah - would you limit your replacement firmware choice to what that form shows is available for a given phone/orig-OS?

                • Ah - would you limit your replacement firmware choice to what that form shows is available for a given phone/orig-OS?

                  That's just one list and not all-inclusive. There are lots of third-party ROMs. Once you have your phone rooted, you can download a program called ROM Manager from the market: it will install a custom recovery partition and allow you to back up and restore your existing OS and applications, and will flash a number of the most popular mods, including Cyanogen and MIUI. It will only show ROMs that are compatible with your particular device.

        • Same question I have(as a Evo Shift owner)...
          • Reading the other replies in this thread, it seems that nothing else is lost, and much is gained - if you don't mind being unconventional.

            • Yeah, so it seems. Being unconventional is no problem, loss of functionality or reliability is, hopefully neither will be. From the looks of it, the GB 2.3.3 rom can always be reloaded on the phone so it seems I have no reason not to give CM7 a whirl.
      • Problem is, you lose HTC Sense, which is one of the best UIs for Android.

        In that case try one of the Virtuous Sense ROMs. They work very well, but in my case I have a T-Mobile G2, so I had to installed engineering bootloader in order re-partition my flash to allow enough space for the OS. I ended up decided that Sense wasn't for me anyway, and went back to my Cyanogenmod.

        • Nah, I've had my fill of Android for the time being - I'm going back to the iPhone later this week.

          Thanks for the suggestion tho, I hope it helps someone else reading this thread!

    • Re:Cyanogen Mod (Score:4, Interesting)

      by izomiac ( 815208 ) on Sunday October 02, 2011 @03:54PM (#37585050) Homepage
      Amusingly enough, the core CyanogenMod developers have made it abundantly clear [cyanogenmod.com] that they vastly prioritize the ability of vendors to spy on users over the user's right to control who has access to personally identifiable data.

      (Sorry for using biased language, but I think that denying a user control over hardware they own, especially by an open source project, is just asinine.)
      • by Anonymous Coward

        Thanks for pointing me to this one, I *was* on the verge of buying a new phone, and the Android beasties looked tempting especially after a bit of rooting, but hey, I've been happy with 'dumb' phones up till now, I think I'll stick with them..

        I have to ask the question that the developer of the patch sort-of asked, wtf is Android doing exposing the device IMEI number, SIM serial numbers and files, contents of Contacts lists and SMS message stores, etc to any sort of app for in the first instance? (well, he

        • by msauve ( 701917 )
          "wtf is Android doing exposing the device IMEI number, SIM serial numbers and files, contents of Contacts lists and SMS message stores, etc to any sort of app for in the first instance?"

          Well, in the first place, an app has to demand access, and receive permission from the user before it can access such things. Every time you install an app, a list of permissions to be granted is present to the user for their permission. Now, it may be the case that most users just blindly hit "accept," but that's not an OS
          • by SuperKendall ( 25149 ) on Sunday October 02, 2011 @09:30PM (#37586832)

            Every time you install an app, a list of permissions to be granted is present to the user for their permission. Now, it may be the case that most users just blindly hit "accept," but that's not an OS issue.

            Yes it is. By having a security model that makes it more likely users will accept, that OS has introduced a security flaw.

            A better approach is to grant permission at first time of access to a resource, so that you can make a judgement in context of what the app is asking for. Possibly some permissions should be asked for up front anyway, but not all... And by breaking them apart users would think more about granting them.

        • by Rich0 ( 548339 )

          I suspect that "their" motive is to keep their options open, and they're not going to get job offers from phone vendors by making it harder to monetize the platform. Steve is now employed by a phone vendor so I doubt he'll ever shake things up that much.

          There are now 3rd-party apps that will block these APIs, which makes me less annoyed with Android.

          Android is FOSS, so you could always make a "PrivacyMod" distro that just tracks CyanogenMod but adds a few patches like these sorts of things. That would be

  • Seems to be a mind is willing, but the flesh is weak situation with the droid devices. Certainly the permissions model makes lots of sense for the type of device, but the implementations are wanting.

  • Seriously, why bother - users don't actually care whether an app needs internet access or not, they just use the app anyway. For example, I've developed an app doesn't require internet access, yet it is still less popular than a similar app (which has less functionality) that happily uploads your private data to it's servers.

    Honestly, if the users themselves don't mind sending something like their menstruation data to a third-party, why bother with an app that guarantees privacy? The privacy apps will just

    • Your point is mostly true, but I think there are legitimate cases to call out internet permissions. I have installed a password manager that doesn't have internet permissions. If it did have it, then it could send the passwords to an internet server someplace. So I honestly checked that the program did not have internet permissions, and would not have installed it if it did have them.
      • Your point is mostly true, but I think there are legitimate cases to call out internet permissions. I have installed a password manager that doesn't have internet permissions. If it did have it, then it could send the passwords to an internet server someplace. So I honestly checked that the program did not have internet permissions, and would not have installed it if it did have them.

        My point is fully true - I went to the android market now and did a search for "password manager" - of the first five (ordered by relevance) results, only ONE (Yes, you read that correctly) does not allow internet access. Let's call them A, B, C and D and see how they compare:

        A - internet access required, 100k to 500k installs
        B - no internet access required, 10k to 50k installs
        C - internet access required, 100k to 500k installs
        D - internet access required, 10k to 50k installs
        E - internet access requi

        • by nebular ( 76369 )

          The trouble is that any app that shows ads, requires internet access to get the ads.

          One of the major revenue streams in the android market are those ads as android users are much less likely to pay for an app.

          What Google needs to do is separate the ad internet connection from any other internet connection.

          • You know that sounds like a solid idea, but I scratch my head at the specific implementation of it. If you say that internet connections for ads are a separate permission, then would Google maintain a white list of ad providers? And then for ad providers, there'd need to be some policing to check that info going to the ad servers doesn't contain personal info.

            Maybe the way to handle it is to have a separate Android OS advertising API that manages the request sent to an ad provider, disallowing any possibili

      • by robmv ( 855035 )

        If you want to more assurance that your passwords aren't leaked to the internet don't install any other application with internet permission from the same developer. Two apps can share files if they are signed with the same key. The password application can still send the passwords to any other installed application using Intents too

  • For grumpy HTC owners that want to bitch a little or get them to fix things... http://www.htc.com/us/about/contact-by-email [htc.com]
  • How do I delete this new attack from HTC? If I can't just delete it, but instead I have to root the phone and install an Android OS not from HTC or my carrier, where is the complete list of what I'll lose when I do so? And instructions for doing it?

    And where's the NY attorney general phone#, so I can report this hellish violation of any contract I had with HTC, and general privacy invasion?

  • The security community needs to stop pushing mobile based token authentication. There is no reason why mobile OS's should get some kind of protected status vs their notebook counterparts. In my neck of the woods bad guys just forward all a victims calls for a few hrs anyway regardless of OS but clearly the trojan writers can make the usb jump to the users phone (EU charging mandate now) and carry on the same old tricks.
  • by Wovel ( 964431 )

    Good Job HTC.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...