Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Android Government Security Windows Your Rights Online

FTC to HTC: Patch Vulnerabilities On Smartphones and Tablets 111

New submitter haberb writes "I always thought my HTC phones were of average or above average quality, and certainly no less secure than an vanilla Android install, but it turns out someone was still not impressed. 'Mobile device manufacturer HTC America has agreed to settle Federal Trade Commission charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.' Perhaps this will push HTC to release some of the ICS upgrades they promised a few months ago but never delivered, or perhaps the reason they fell through in the first place?"
This discussion has been archived. No new comments can be posted.

FTC to HTC: Patch Vulnerabilities On Smartphones and Tablets

Comments Filter:
  • Cyanogen Mod. (Score:5, Interesting)

    by pecosdave ( 536896 ) on Saturday February 23, 2013 @07:39PM (#42992593) Homepage Journal

    The best software patch I've found for HTC products, though I have tried others.

    • Not just for HTC phones. I'd be tempted to flash CyanogenMod on any supported phone if it's not a Nexus device (and even then there are advantages with CM, especially with older Nexus devices that were deemed not powerful enough for 4.x).

      • Not just for HTC phones. I'd be tempted to flash CyanogenMod on any supported phone if it's not a Nexus device (and even then there are advantages with CM, especially with older Nexus devices that were deemed not powerful enough for 4.x).

        In my experience, cyanogen is the best android distro there is. If you can get an official build or an unofficial port of it for your device, you should be running it.

        • In my experience, cyanogen is the best android distro there is. If you can get an official build or an unofficial port of it for your device, you should be running it.

          I'm not arguing, but as a happy "stock" droid 4.2.2 user on my Samsung Galaxy Nexus, I would be interested to know what makes it better. I seriously considered CM when I had a Sony/Ericsson Xperia X10 Mini Pro piece of abandonware, and was in fact making preparations to install CM when that machine died.

          As a follow-up question, with subsequent upgrades of Cyanogen, do they follow a non-destructive procedure similar to Google's with Nexus devices, or do I have to blow away all my apps, settings etc every t

          • by poity ( 465672 )

            Nexus device owners should stick to stock, since they get the fastest updates and thus the best security. Only the people who own devices whose manufacturers are slow to release updates should consider modding.

    • I haven't tried Cyanogen yet but I agree entirely. HTC hardware is right up there with the best but the software ranges from okay to an excercise in frustation and one recent upgrade actually cost me the ability to share files with my Linux computer. Then in frustration I borrowed my wife's Windows laptop and it was only after half an hour that I could share files on that and then only by systematically turning off every bit of HTC software that it had installed on her laptop.

      HTC make lovely phones that l
      • Re:Cyanogen Mod. (Score:5, Interesting)

        by puto ( 533470 ) on Saturday February 23, 2013 @08:54PM (#42992947) Homepage
        I am a tech support manager at one of the largest cell carriers in the US, and while HTC might have nice hardware, they are very shoddily made and usually about 3 months into it 40-60% of the phones crap out multiple times and we have to end up giving out Samsung as replacements. Which is why you see the HTC 1X selling new for 99 cents, because it is a horrible piece of crap.
        • That's really interesting. My experience, and I'm on my fourth HTC (and possibly last depending on how well Cyanogen goes). I've never had any hardware problems. I don't even cringe when I accidentally drop my phone onto concrete now because I know it won't break.

          Which do you recommend as the better quality brands? The Samsungs have lovely specs but they're huge and look seriously ugly. There just doesn't seem to be much of anyone else in the HD range where I'm looking.
          • I've got an HTC One V. My power button started going out about 3 weeks after I got the phone. As in I had to fiddle with it to turn the phone on/off. HTC said to back everything up and send it to them, they'd get it back to me in 4-6 weeks. Overnight shipping both ways wasn't an option. I don't have a landline so I lived with it hoping for the best. After 3 months it pretty much didn't register, it's a bitch to turn the phone on.

            Google shows others have this issue and suggested using a silicon spray o

            • My biggest issue with my HTC One V is that it goes into super deep sleep and I miss phone calls and alarms do not go off. Alarms will go off when I turn the phone back on after it is usually too late. (Note: None of the free alarm apps help as I've tried the best 3 of them) What does help is keeping the thing charged. The other is that the ringer volume sometimes does not match settings and rebooting the phone fixes the volume control.

              At least they fixed the battery issue in the Nov/Dec update. There we

        • they are very shoddily made and usually about 3 months into it 40-60% of the phones crap out multiple times and we have to end up giving out Samsung as replacements.

          Sure am glad I am in the other 40-60%. Both my and my son's Droid Incredibles are still going strong after almost 3 years. (32 months)

          • I've had two HTC phones (one being the Nexus One) and have noticed no significant problems. I have noticed that most of the apps that came with the second one are not worth using compared to the stock Google apps (Calendar, Music, etc) but that probably goes for most brands of phones.
        • My buddy who is a sys-admin for a rather sizable company talked me out of getting a Galaxy S and getting an Evo 4G (WiMax original) instead. His experience, running IT for an organization with a really healthy blend of multiple types of handsets was that the HTC's were physically much more durable than the Samsungs.

          My personal experience doesn't include a Samsung phone, but I'm rough on stuff. I've got bent keys in my pocket because they were bent in my pocket. I work at the Johnson Space Center running

        • As someone who owns 3 Samsung devices and tires of hearing about it from HTC fanbois, thanks for that. :-)

        • No offence, but I find your figures pretty unconvincing, nobody would be able to run a business with 50% failure rates.

        • by gl4ss ( 559668 )

          it's not 99 cents, it's 99 cents as downpayment and two years of paying.

          incidentally, are services taxes different from sales tax in USA? that might actually explain some of the "free phone!" shit. though in that case tax authorities are suckers for not smacking down the hammer on operators.

          htc phones aren't particularly cheap in reality(full unsubbed pricing), even if they feel cheap.

    • You could have just said CM is the best software patch for any android device that isn't a platform reference.

      Do any of them actually support their devices? I know Samsung doesn't, either.

      • Do any of them actually support their devices? I know Samsung doesn't, either.

        HTC's phones are extra bloatware, though, which was true with Windows Mobile and is true now with Android. And then they often get sold by some carrier like T-Mobile who puts a bunch more bloatware on them. Really, you owe it to yourself to load CM on anything you can load it on.

        • Agreed. Part of the reason I got Cyanogen was I hated Sense and the bloat attached to it. On my LTE Evo Sense artificially limits the abilities of the phone for reasons I just can't comprehend. It almost makes it a non-multi-tasking device where it's awesome at multi-tasking with Cyanogen Mod.

          • by Vlado ( 817879 )

            I honestly want to know: what makes CM so much better than Sense?

            I put CM on my older Desire HTC, because it was one of the ways to extend the internal memory of that phone onto a Micro SD card. But after a while I just put a modded Sense back on it.
            I'm not saying CM is bad by any stretch. But I really couldn't see anything in particular that made it awesome...

            All I'm seeing all the time is just: CM rulezzz!!!11 But there a practically no examples of actual benefits.

    • I had Cyanogen Mod on my old phone, then bought one of the Thunderbolts mentioned in the summary. Cyanogen offers NO support for this device. There was a dev who was releasing a really nice port of Cyanogen for the Thunderbolt, but he stopped several months ago.

      It's my understanding that the main thing keeping Cyanogen from officially supporting the Thunderbolt is a lack of drivers for the phone's radio coming from HTC. HTC keeps promising us an ICS update, which wouldn't be as good as full Cyanogen support

    • The best software patch I've found for HTC products, though I have tried others.

      Not me, whenever I root a device.

      I always try to get the HTC Sense mod version of a ROM (although, it's probably not very legal).

      And I've also tried others.

      • I used Mean ROM for a while, which is a Sense ROM. That ROM's biggest claims to fame were the biggest things going against it for me. Overclocking when the screen is on - great - but let me disable that. The disable is to under-clock it was the screen on. I loved the single core under-clock with screen off thing but there was no easy way to configure this behavior. Also the web browser was supposed to be awesome for some of the customizations, I liked some but couldn't disable the others so I used Chro

    • Agreed... i love my HTC One X, and CM 10 works great on it... HTC were painfully slow at bringing out Jellybean for it, especially for my CID
    • I'm with you. I've only had one HTC device (G1/Dream), but Cyanogenmod was the best thing I could have possibly done to it. I don't know how long HTC supported the Dream, but Cyanogenmod allowed me to use it way longer than the hardware should have allowed. I've since upgraded (newer phone, another brand) and the first day I had the new phone I flashed a Cyanogenmod-based ROM. No crapware, better battery life, smoother performance, more up to date.
      • by Rich0 ( 548339 )

        I think the Dream was the only HTC device that was long-supported on Cyanogenmod. I had a G2 and they stopped porting new OSes to it after Gingerbread - that was only a year newer than the device.

        Sure, CM supports the devices longer than the vendors do (with the exception of Nexus phones), but their efforts have been diluted considerably and you don't see stable CM releases for most phones after a year. A year really isn't long enough to stop security updates for a computing device that is used heavily fo

    • by Rich0 ( 548339 )

      CM is certainly the best option there is for HTC products, but few devices get CM releases after a year. Of course the vendors should be supporting the devices in the first place, but even the CM community doesn't really keep things going for that long. Nobody is paying them, and there are a LOT of phones out there, and most of the better developers seem to buy new phones frequently and move on.

  • Perhaps... (Score:4, Insightful)

    by Mitreya ( 579078 ) <mitreya.gmail@com> on Saturday February 23, 2013 @07:42PM (#42992605)

    company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk

    It should also be illegal to install bloatware that is embedded to the point of not being removable (without at least rooting the device and perhaps voiding warranty). Nothing makes the phone more secure than facebook processes -- there are several, and a dozen other built-in crapware clients (peddling games, services, etc).

    And I don't think that buying full-priced phone changes anything, either.

    • I completely pwn my phones for exactly that reason. I considered the crapware Sprint put on my original Evo border-line criminal. It wasn't nearly as bad on Evo LTE, but they still secured crap in the "S-Off" area.

      • by Mitreya ( 579078 )

        I completely pwn my phones for exactly that reason. I considered the crapware Sprint put on my original Evo border-line criminal.

        Pray tell, have you ever needed warranty services on your phone?

        I am not opposed to having to root my phone per se, but if I lose my warranty as a result, then provider behavior is criminal. Imagine if uninstalling one of the crappy adware services provided by PC manufacturer caused you to lose PC warranty.

        • Sort of.

          I dropped my old Evo 4G (WiMax) onto a rock face first and shattered the screen. I was going to have to do a warranty replacement (no questions asked) but the guy behind the counter made me a deal. Buy $50 worth of crap in the store and he would replace my screen for free. I spent $100 on a pair of Bluetooth headphones, which is about what the claim would have cost anyways, but I got to keep the headphones.

          • by adolf ( 21054 )

            Not even "sort of."

            That's not a warranty claim, but might have been an insurance claim if you'd gone that route.

            Warranties cover defects. Insurance covers accidents. [Insert car obvious analogy here.]

            (That said: It sounds like it was a win-win deal. Counter-geek gets a sales commission and something to do with his free time at the shop, and you get the repair you were after.)

    • I briefly had a Motorola Backflip and I loved the concept of it. Unfortunately, it was underpowered to begin with and AT&T insisted upon larding it up with all sorts of things that would run and make it even slower.

      It's a shame, because the device was actually fairly nice in other respects.

    • by icebike ( 68054 )

      Nothing makes the phone more secure than facebook processes

      Say what?

      Oh, I see, humor. Swoosh!

      At least with the later versions of Android, you can go in and Disable these apps, and they won't run, won't get updates, and only take up storage.

      • Re:Perhaps... (Score:5, Interesting)

        by anagama ( 611277 ) <obamaisaneocon@nothingchanged.org> on Saturday February 23, 2013 @09:14PM (#42993049) Homepage

        Yeah -- but there are other's you can't do anything about. Dropbox or Google+ for example: only options are "force stop" and "uninstall updates". How about a flat out "uninstall".

        • You need Root Uninstaller. Takes care of those uninstallable crapware. Of course, you need root for this so either take the phone in to one of those dodgy shops or go read xda-developers forums for your device.
        • by AmiMoJo ( 196126 ) *

          On ICS you can also select "disable" which removes all their hooks into the OS like share meny entries and activity associations. I use it to disable most of the Samsung stuff on my GS3.

        • by AmiMoJo ( 196126 ) *

          Ignore my other post. What I meant to say is that I can in fact disable Dropbox and G+ on my GS3.

      • But if your stuck with an old version of android (droid x2 [android 2.3 i think]) and the company (Verizon?) has no intention of upgrading you, and you can't unless you root it. Than what? I don't even think they the cyno mod mentioned had something, but I could look again. I forget.
    • It should also be illegal to install bloatware that is embedded to the point of not being removable (without at least rooting the device and perhaps voiding warranty).

      The ICS upgrade to my HTC Thunderbolt allows me to disable any built-in app that isn't considered "critical". Surprisingly, their definition of "critical" isn't much different from mine. The only app I might want to disable that I cannot is a process that makes sure that you can't tether a device to the phone via WiFi, and I can understand the reasoning.

      But Facebook, Verizon Navigator, and all the other bloatware are disabled and will not run. Not being able to remove the apps isn't really a big deal, as

    • by adolf ( 21054 )

      without at least rooting the device and perhaps voiding warranty

      Everyone talks about "voiding the warranty."

      But has anyone ever actually had a warranty claim denied just because the phone is/was rooted and/or running different software?

      Indeed, even HTC's own warranty statement [htc.com] doesn't seem to automatically exclude coverage for devices that are simply running different software.

      (Also: Magnuson-Moss Warranty Act [wikipedia.org], etc.)

      • by KGIII ( 973947 )

        I used to have an HTC Merge. I had rooted (and unlocked, of course) the phone. I sent it in for a repair twice, to HTC itself not an insurance claim, and though the second time resulted in my getting a different phone returned to me I never once had anyone complain or deny my warranty because of this. YMMV and I have since moved away from HTC, great hardware though. I'm pretty rough on stuff.

      • Re: (Score:3, Insightful)

        by tlhIngan ( 30335 )

        Everyone talks about "voiding the warranty."

        But has anyone ever actually had a warranty claim denied just because the phone is/was rooted and/or running different software?

        Indeed, even HTC's own warranty statement doesn't seem to automatically exclude coverage for devices that are simply running different software.

        Well, the thing is, most people do NOT file warranty claims - they go back to their carrier and ask what to do. Because what happens if you have to send the phone to HTC and then wait for them to

        • by adolf ( 21054 )

          All those words.

          Have you ever sent a phone in under warranty and had a claim denied because it was rooted or was otherwise running different software?

          That is the question, but none of that text answers it.

          Thanks for nothing!

          -flodadolf

      • by Rich0 ( 548339 )

        without at least rooting the device and perhaps voiding warranty

        Everyone talks about "voiding the warranty."

        But has anyone ever actually had a warranty claim denied just because the phone is/was rooted and/or running different software?

        Well, a more useful question is whether anybody has had a court of law deny them warranty coverage on the hardware for a phone simply because they had changed the firmware.

        Anybody can deny a warranty for any reason. I can sell you a bike and give you a contract signed in blood that says I'll fix it for any reason for a year, and then you could bring it back to me, and I could say no. Now, if you took me to court the court would likely tell me to fix it, because I'm violating the law.

        The problem is that ge

    • It should also be illegal to install bloatware that is embedded to the point of not being removable (without at least rooting the device and perhaps voiding warranty).

      Yes, the FTC report also mentions Carrier IQ by name.

  • Bad summary. (Score:4, Informative)

    by msauve ( 701917 ) on Saturday February 23, 2013 @08:01PM (#42992713)
    Granted, HTC was late in delivering ICS to the Thunderbolt. But, contrary to the summary's claim and link ("upgrades they promised a few months ago but never delivered"), it was in fact delivered - a few weeks ago.
    • by gerf ( 532474 )
      And I'm still waiting on my ICS update for the Incredible 2 on Verizon. So while the Thunderbolt got ICS, some phones did not.
    • Re:Bad summary. (Score:5, Informative)

      by icebike ( 68054 ) on Saturday February 23, 2013 @08:11PM (#42992763)

      Right. Why do summary writers always try to force the story toward their pet peeve.

      Further this FTC settlement had NOTHING to do with what version of Android was installed, but rather the diagnostics and monitoring applications they had installed, mostly at the carriers request.

      Both "Carrier IQ", something demanded by carriers, till they got caught, and "Tell HTC" a bug reporting software, ended up leaving logs on the phone that contained private data in clear-text, and transmitted that data to the carriers or to HTC in un-encrypted format. It also had to do with the handling of that data once it was delivered to the carriers and more specifically to HTC.

      Why the summary writer had to make it about something else is beyond me.

      • by SeaFox ( 739806 )

        Right. Why do summary writers always try to force the story toward their pet peeve.

        Because oftentimes their personal grudge against the company is the only reason they take the time to write up a story and submit it.

      • Re:Bad summary. (Score:4, Informative)

        by anagama ( 611277 ) <obamaisaneocon@nothingchanged.org> on Saturday February 23, 2013 @10:38PM (#42993405) Homepage

        To be clear, this is what the vulnerability did:

        Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:

                ACCESS_COARSE_LOCATION Allows an application to access coarse (e.g., Cell-ID, WiFi) location
                ACCESS_FINE_LOCATION Allows an application to access fine (e.g., GPS) location
                ACCESS_LOCATION_EXTRA_COMMANDS Allows an application to access extra location provider commands
                ACCESS_WIFI_STATE Allows applications to access information about Wi-Fi networks
                BATTERY_STATS Allows an application to collect battery statistics
                DUMP Allows an application to retrieve state dump information from system services.
                GET_ACCOUNTS Allows access to the list of accounts in the Accounts Service
                GET_PACKAGE_SIZE Allows an application to find out the space used by any package.
                GET_TASKS Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
                READ_LOGS Allows an application to read the low-level system log files.
                READ_SYNC_SETTINGS Allows applications to read the sync settings
                READ_SYNC_STATS Allows applications to read the sync stats

        http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/ [androidpolice.com]

        Note the date of that article. (!)

      • by Anonymous Coward

        It was a binary on the handset, it has the ability to spy on everything, right down to the keystrokes. They advertised the ability to capture app usage, right down to keystokes, etc. They claimed to be only using the call quality feature of that spyware.

        Their servers send a profile to your phone, the profile says what to capture. That data is then sent to CarrierIQ's server, and data mined on behalf of their customers from that database.

        They were caught, because HTC's version left the debug flag on and all

    • So they got ICS about the time I upgraded myself to Jelly Bean.

  • by Anonymous Coward

    FTC to carriers: stop delaying updates, but FTC is too much in bed with them

  • by detain ( 687995 )
    HTC makes pretty good phones from what I've seen over the years. They aren't the top of the line devices but they aren't far behind either usually at a fraction of the cost (especially getting refurbished they get really cheap). They come with a good set of hardware and software and update the software for each new phone for a few months, but after that they tend to forget about the phone and move onto the next piece of hardware without looking back. They should spent the next few years focusing on r
    • They come with a good set of hardware and software and update the software for each new phone for a few months, but after that they tend to forget about the phone and move onto the next piece of hardware without looking back.

      I got a Raphael (Fuze) free from AT&T and boy was it garbage. Sad thing is, later versions of Sense are actually pretty good on Windows Mobile (I hear they still all suck on Android) and with EnergyROM 3.0 the phone is halfway decent. Unfortunately, Android phones got cheap before a decent Android release happened for it. You can run Android, but it's crashtactular and the kernel build service images are no longer hosted so you can't use ext3, with the end result that it's unusable.

    • They come with a good set of hardware and software and update the software for each new phone for a few months, but after that they tend to forget about the phone and move onto the next piece of hardware without looking back.

      Exactly: a short while after selling it they forget about it. I have asked their support people why they won't release new software and they just give bullshit answers. That is why I will not buy another HTC phone and warn others about them.

  • Too bad... (Score:1, Troll)

    by sdsucks ( 1161899 )

    HTC is the only company who sells Android phones that I'd consider buying. Too bad Android apparently has issues with security updates / etc. Sure, blame the vendor... But this seems to be a prevalent problem with Android based phones.

    • by tuppe666 ( 904118 ) on Saturday February 23, 2013 @09:38PM (#42993137)

      HTC is the only company who sells Android phones that I'd consider buying. Too bad Android apparently has issues with security updates / etc. Sure, blame the vendor... But this seems to be a prevalent problem with Android based phones.

      Lets have a little look at security on the iPhone...hmmm you can just fiddle with the power button and making an emergency call then immediately hang up, and it bypasses the passcode.

      Perhaps you would have been better with a HTC phone after all ;)

      • Who brought up iOS? Oh, you. And I agree completely about the iOS passcode bug - a massively severe issue.

        Still, my comment and the article are about HTC.

    • Too bad Android apparently has issues with security updates / etc. Sure, blame the vendor... But this seems to be a prevalent problem with Android based phones.

      Erm You did read the complain right? Silly me of course not. The problem being complained about is massive security flaws in 2 HTC apps as well as HTC's botched implementation of the Android security model which allows applications to bypass any permission checking. These are NOT Android security flaws. They are entirely HTC flaws, they lie entirely at the feet of the vendor, and it is entirely the vendor's fault that they haven't been fixed more than 14 months after they were discovered and reported.

      And th

    • by AmiMoJo ( 196126 ) *

      Not really. Samsung are pretty good with updates, especially security related ones. If you absolutely must have the very latest version there are a number of Nexus models to choose from.

      HTC has always been shit with updates on every platform. It's their hallmark. The only people who are worse are the carriers.

    • Slashdot: Where a troll no longer means troll, just that you criticized Google.

  • So will the FTC now force all vendors to promptly offer security patches for their devices for at least 3 years after the last one was ever sold? I don't think it's fair if they only take on HTC, they should do this to all vendors, regardless of what OS or number of devices sold.
  • I liked my HTC One S until the latest update (Sense 4+).

    For some reason they've seen fit to cripple the camera application so that the lowest resolution is 2048x1536. Lowest. So much for taking quick snaps to email to people. Nope, got to upload them now to edit later or get an app to resize them first.

    Otherwise it's a great phone. The X was a bit too bulky for my taste, and I prefer the sense homescreen navigation to the - what I assume is stock Android - way my Nexus 7 does it. Battery lasts at least

  • which both have more viruses than apps.

    If the crazy hippie computer company from Northern California can make virus-free systems for 35 years, what is the excuse from all these “serious” computer and phone makers? Even Mac OS 9 had a system called Software Update that patched half the community within a month and the rest within 3 months.

You are always doing something marginal when the boss drops by your desk.

Working...