FTC to HTC: Patch Vulnerabilities On Smartphones and Tablets

New submitter haberb writes "I always thought my HTC phones were of average or above average quality, and certainly no less secure than an vanilla Android install, but it turns out someone was still not impressed. 'Mobile device manufacturer HTC America has agreed to settle Federal Trade Commission charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.' Perhaps this will push HTC to release some of the ICS upgrades they promised a few months ago but never delivered, or perhaps the reason they fell through in the first place?"

Bad summary.

[msauve]

Granted, HTC was late in delivering ICS to the Thunderbolt. But, contrary to the summary's claim and link ("upgrades they promised a few months ago but never delivered"), it was in fact delivered - a few weeks ago.

Re:Bad summary.

[icebike]

Right. Why do summary writers always try to force the story toward their pet peeve.

Further this FTC settlement had NOTHING to do with what version of Android was installed, but rather the diagnostics and monitoring applications they had installed, mostly at the carriers request.

Both "Carrier IQ", something demanded by carriers, till they got caught, and "Tell HTC" a bug reporting software, ended up leaving logs on the phone that contained private data in clear-text, and transmitted that data to the carriers or to HTC in un-encrypted format. It also had to do with the handling of that data once it was delivered to the carriers and more specifically to HTC.

Why the summary writer had to make it about something else is beyond me.

Apple Phones have too many problems

[tuppe666]

HTC is the only company who sells Android phones that I'd consider buying. Too bad Android apparently has issues with security updates / etc. Sure, blame the vendor... But this seems to be a prevalent problem with Android based phones.

Lets have a little look at security on the iPhone...hmmm you can just fiddle with the power button and making an emergency call then immediately hang up, and it bypasses the passcode.

Perhaps you would have been better with a HTC phone after all ;)

Re:Bad summary.

[anagama]

To be clear, this is what the vulnerability did:

Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:

        ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location
        ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location
        ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands
        ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
        BATTERY_STATS Allows an application to collect battery statistics
        DUMP Allows an application to retrieve state dump information from system services.
        GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service
        GET_PACKAGE_SIZE Allows an application to find out the space used by any package.
        GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
        READ_LOGS Allows an application to read the low-level system log files.
        READ_SYNC_SETTINGS Allows applications to read the sync settings
        READ_SYNC_STATS Allows applications to read the sync stats

http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/ [androidpolice.com]

Note the date of that article. (!)