Security Vulnerabilities On HTC Android Devices
revjtanton writes "In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, or corporate evilness — it doesn't matter." That's because "any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads)" on one of these phones can now grab all sorts of interesting bits from the logged data.
Fix (Score:5, Interesting)
Cyanogen Mod (Score:4, Interesting)
Even more reason to root and flash with CyanogenMod [cyanogenmod.com] or other custom firmware of your choice.
Re:Fix (Score:4, Interesting)
A major vendor is shipping a 'diagnostic' application so fucked that it might as well be a rootkit on a large-but-not-precisely-known number of devices expected to be connected to the internet and in possession of relatively juicy information for most of their operational lives, and nobody in the chain decided that this was maybe a bad idea until 3rd parties discovered it and wrote it up...
This suggests that HTC's "Sense" team might not have any.
Re:Cyanogen Mod (Score:4, Interesting)
(Sorry for using biased language, but I think that denying a user control over hardware they own, especially by an open source project, is just asinine.)
Re:Why even bother specifying INTERNET perms? (Score:2, Interesting)
All users will happily allow something like "Angry Birds" to have internet access, even though it is obvious that it doesn't need it.
[snipped]
The few people who don't like those ads go to the Amazon Appstore for Android and get the pay version of Angry Birds - no more ads.
You just made my own point for me - the paid version of Angry Birds on the amazon app store needs internet access (I just checked!).
Why? It clearly isn't for ads, perhaps it's for DLC???
Re:Why even bother specifying INTERNET perms? (Score:2, Interesting)
CyanogenMod can do this if you enable some of the advanced features. Once the app is installed you can go in where you view the permissions it needs and toggle some of them off. Badly designed apps may crash, but most stuff I've done it to has happily continued running.
True. And if you're still concerned, run Droidwall. I do ... if an app has no need for Internet it goes in the blacklist. If it then fails to run because of some stupid license check, or just the dev being a dick and insisting that his app get out whenever it wants, it gets uninstalled.