
"Massive security vulnerability" found in HTC Android phones

Manufacturer's own software update gives apps access to extensive personal and technical data.

HTC smartphones running Android are vulnerable to a security flaw that gives apps access to a significant amount of the user's personal data including contacts, texts, email addresses and location data.

According to Android Police, the vulnerability applies to many of HTC's most popular phones - including the Evo 4G, Evo 3D and Thunderbolt, with the site's users also reporting the Evo Shift 4G, MyTouch 4G Slide, the upcoming Vigor and some Sensations devices are exposed - and stems from a software update released by the manufacturer itself.

The update added a suite of logging tools that inadvertently gives apps that request permission to connect to the internet access to personal data including a list of user accounts, last known network and GPS locations, phone numbers, SMS data and system logs.

The security hole also gives access to extensive information on the phone itself, including build number, network, memory and CPU information, running processes, installed apps, system properties and more. Android Police notes that it is theoretically possible to clone a device using only a small part of the exposed information.

In other words, a game that requests permission to access the internet - for example, to submit scores to an online leaderboard - is technically capable of gleaning huge amounts of information about your HTC phone and your usage of it. Currently the only ways to plug the hole are rooting your device or waiting for an update from HTC, which says it is investigating.

"HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible," a spokesperson told VentureBeat. "We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken."

Source: Android Police

Comments

Dear diary. Today I woke up and Edge has changed their format to a wireless phone news publication. Edge: for the latest up to the minute news for smartphone enthusiasts.

Alex Wiltshire

We've covered this story because Android is a popular gaming platform - since the vulnerability is through apps, it makes sense that maliciously created games - the most popular type of app - represent a significant risk to Android users.

Edge covers mobile gaming, Android is a mobile gaming platform, and HTC is a major supplier of Android phones. If a vulnerability was discovered that caused the same sorts of problems in Nintendo/Sony/Microsoft games consoles, you'd expect a similar type of article.

D'oh! As a happy owner of an HTC Android phone this doesn't make pleasant reading.