
HTC Thunderbolt
Android Police uncovers some of HTC's dirty laundry

It's no secret that Android smartphones are starting to take over the market, as they are available from a number of different manufacturers, come in a number of different form factors, and can be had at multiple price points (ranging from high-value to high-dollar). When it comes to the most popular Android smartphones around, companies like Samsung, Motorola, and HTC often spring to mind.
Today, however, those using some of the latest HTC smartphones may be in for a rude awakening thanks to a massive security breach discovered by the folks at Android Police. According to Artem Russakovskii, devices like the EVO 3D, EVO 4G, and Thunderbolt (among others) can fully reveal private user information if any app requests android.permission.INTERNET.
Any app that calls out for the INTERNET permission has access to the following, reports Russakovskii:
  • the list of user accounts, including email addresses and sync status for each
  • last known network and GPS locations and a limited previous history of locations
  • phone numbers from the phone log
  • SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
  • system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
All of the information is stored thanks to new logging tools that HTC has introduced on its newer smartphones.
Russakovskii goes on to add, "I'd like to reiterate that the only reason the data is leaking left and right is because HTC set their snooping environment up this way. It's like leaving your keys under the mat and expecting nobody who finds them to unlock the door."
Android Police provides a full "proof of concept" app which you can download, along with a video of it in action which you can view below.

Updated 10/2/2011 @ 8:46pm EST
Engadget has posted the following response from HTC:
HTC takes our customers' security very seriously, and we are working to investigate this claim as quickly as possible. We will provide an update as soon as we're able to determine the accuracy of the claim and what steps, if any, need to be taken.

Sources: Android Police, Gizmodo, Engadget


Does this affect...
By Aloonatic on 10/3/2011 2:30:03 AM , Rating: 2
...people like me and my wife whose 18-month-old Android phones are still stuck on 2.2? I assume that there is a long list of other exploits that we are vulnerable to.

Android/Google really need to sort out their updates. I'm already annoyed that it takes forever, if ever, for updates to appear on phones that aren't brand new, just from a stability and feature point of view. Now that more and more people have them and more and more vulnerabilities and exploits are surfacing, Google/Android need to accept that they are the MS/Windows of the market and as such need to do much more to update and make secure their OS, as MS do.

I know that no OS will ever be totally secure, but it seems that Google don't really seem to care, or have thought about this at all and don't really seem to have a plan to address it.

The first thing they need to do, however, is make updating phones to the latest and most secure firmware something that users can get as standard, rather than it being something that carriers can use as a marketing tool to encourage people to buy a new phone, to the extent that they don't even bother to provide firmware updates to phones bought as soon as they are released, on the shortest contract possible within the term of the contract.

RE: Does this affect...
By TakinYourPoints on 10/3/2011 2:48:43 AM , Rating: 2
Just last week, someone on another forum I go to was discussing why iOS is used at his company and why Android isn't after being asked why they deploy iPads and none of the other tablets. The same issues clearly extend to smartphones as well.

...we have to follow industry regulations and institutional policies around encryption of data at rest and mobile device management. Android is basically useless in a business setting because there has been almost no consideration given to most of these issues.

The fragmented nature of the Android device market means there's no central solution for it, either.

Even if the software met the requirements for securing a device, we would still have to narrow it down to one or two devices, because we can't certify or support the entire gamut. Thus, we use iPads.

The iPad is not used in enterprise because it's established, it's used because of the 39 or so ActiveSync security policies that can be applied to an ActiveSync compliant device, only iOS devices support them. Android supports around 7, and is essentially entirely useless for anything other than a casual device. It simply isn't possible right now to have a "secure" Android device, or even pretend you have one.

In addition, narrowing it down to one or two tablets is a LOT harder than you think. We were prepared to support the Galaxy Tab for a separate entity we have to support, but the lawsuits from Apple made us change our minds. Bottom line is no company except Apple has a real investment in the success of a tablet and its ecosystem. Google doesn't even come close for the reasons you mentioned.

Now if Google were to get into the tablet business, I think it'd be a total failure. They can't deliver a product that can last, because whatever they make will be immediately aped by another company looking to explore the market without making a substantial investment in it.

I hope none of my comments come across as discouraging competition, because that's not how I feel. I love competition and innovation in the sector, but the fact is after every other competitor shows their stuff off, the long-term stability and short-term supportability and security of iPads vastly outstrips other devices.

RE: Does this affect...
By robinthakur on 10/3/2011 9:31:30 AM , Rating: 2
I agree with much of this, and it mirrors the reality at our company where the IT policy has been changed recently to allow iPhones and iPads to be supported in house. The updates issue is a deal breaker on phones apart from possibly the Nexus S (right now) because having to wait on manufacturers to update the phones seems really stupid compared to Apple devices being able to update instantly as soon as the update is out.

Having said that if you wanted the fuller Activesync experience on Android devices, Google and/or their first party hardware manufacturers would need to pay MS even more money per handset in licensing, as Apple currently do.

In terms of supportability, iPads and iPhones have come a really long way (as they needed to) and I still can't quite believe I'm saying that both are really good business devices now.

RE: Does this affect...
By mcnabney on 10/3/2011 9:57:53 AM , Rating: 2
What OS is your original iPhone or iPhone3 on? Plenty of products get 'left behind' from iOS version updates. Just because the iSheep dutifully line-up every summer to get a new one doesn't mean the same things aren't occurring on the Apple side of the smartphone marketplace.

RE: Does this affect...
By Brandon Hill on 10/3/2011 10:29:39 AM , Rating: 2
To be fair, the original iPhone is 4 years old. The iPhone 3G is three years old.

The 3-year old iPhone 3G currently has access to iOS 4 (the current release).
The iPhone 3GS (2 years old) and iPhone 4 (1 year old) will both be upgradeable to iOS 5 (coming this month).

RE: Does this affect...
By Aloonatic on 10/4/2011 12:35:47 PM , Rating: 2
The point is, Android phones are being left behind whilst they are still in contract. iPhone on the other hand.. If you have one that has been "left behind" that is probably because you've bought it second hand or refurbished.

This is particularly bad, IMHO, as these Android updates (or lack thereof) do actually impact on how usable phones are (jerky scrolling menus alone are really annoying for example) let alone the security issues.

To say that 4 year old iPhones are suffering the same problem is just silly. And to be fair to Apple, they let you install iOS updates on old hardware if you want to, it might just break it however as they have moved on.

With Android phones on the other hand, you're "left behind" with a phone that has never worked right really, is only a year or so old and could easily still have 12 months or so left on the contract too.

RE: Does this affect...
By Omega215D on 10/3/2011 8:04:57 AM , Rating: 2
You fail to realize that each manufacturer has different configurations, different skins and that it costs them more to write/ update software compared to releasing a new product.

Google's Nexus phones have been pretty good with updates but that's Google's vanilla Android phone.

Also, this affects HTC and from the looks of it most of them are 4G phones.

RE: Does this affect...
By Aloonatic on 10/4/2011 12:30:00 PM , Rating: 2
You fail to realise that that is exactly what I am saying that Google should move away from.

At the moment, the firmware update chain is too long.

Google > Manufacturer > Carrier > End User's Phone.

(With regional variations too, no doubt)

At any stage between Google and the End User someone can slow your update down, or block it completely.

Is this how Apple do it? Do they let every carrier tinker with iOS and decide where different models (assuming they are capable of running it) will even get an update at all?

I was saddened to see that MS allow carriers to tinker with their OS, but at least there is only 1 standard interface, rather than having HTC sense, Moto Blur, Samsung whatever...

Ms > Carrier > End User.

Ideally, it should simply be.

Google/MS > End user.

There are too many vested interests in between at the moment, although some might argue that that is what makes Android phones more affordable than iPhones.

In fact.. Ideally, I should be able to buy any phone and install any OS on it I want to buy (as there's no real reason why that shouldn't be relatively simple to get working) but that's not going to happen.

RE: Does this affect...
By robinthakur on 10/3/2011 9:36:50 AM , Rating: 2
Agree, I think it is shameful that manufacturers use firmware updates to tempt customers to upgrade rather than supporting a phone throughout its lifecycle as certain other companies have done since 2007...

I watched the Video
By dark matter on 10/2/2011 4:14:32 PM , Rating: 3
And HTC,

You have a LOT to answer for.

RE: I watched the Video
By Omega215D on 10/2/2011 5:19:28 PM , Rating: 2
They pulled the Gingerbread update for the Thunderbolt due to bug issues, it took a long time to get gingerbread, various other bugs shipped with the phone and now this. Really HTC?

The Thunderbolt was supposed to be a flagship LTE phone but they made it take a back seat. The more I hear the more I get frustrated with HTC... of course I have a Thunderbolt that hasn't suffered from any of the issues mentioned and is running OTA Gingerbread. This new bit of news however is making me think twice about buying anything from HTC.

RE: I watched the Video
By theapparition on 10/2/2011 7:37:35 PM , Rating: 1
Don't think the Thunderbolt was ever intended as a flagship device. It never even got the Droid moniker.

It was the first LTE device on Verizon, but they are already trying to dump inventory. The only thing that really pisses me off about HTC is that they can't deliver a phone with any sort of battery life. They are truly pathetic.

Now this.

RE: I watched the Video
By sprockkets on 10/2/2011 8:04:04 PM , Rating: 2
Only phones from HTC that have battery issues are ones with 4G tech in them, aka the evo and thunderbolt.

RE: I watched the Video
By Omega215D on 10/2/2011 8:39:04 PM , Rating: 3
Actually I've gotten pretty good battery life from my Thunderbolt. It was a bit better than my Droid 1. After moving to official Gingerbread my battery life increased substantially.

My phone never experienced any of the reported problems. With this one I will be waiting to see how long it'll take HTC to come around fixing them.

The Thunderbolt also is unique in the fact that it does simultaneous voice and data in 3G mode as well (SVDO) and uses a different modem than other HTC phones.

RE: I watched the Video
By theapparition on 10/3/2011 12:48:55 AM , Rating: 2
Suggest you look at other phones, like the Droid Incredible, where standard fare is to buy an extended battery.

RE: I watched the Video
By FITCamaro on 10/2/11, Rating: 0
By Smilin on 10/2/2011 9:34:52 PM , Rating: 5
This is going to cost Microsoft a lot of Android sales.

RE: Costly
By Brandon Hill on 10/2/2011 9:51:58 PM , Rating: 2
LOL :)

RE: Costly
By Samus on 10/3/2011 1:49:23 AM , Rating: 2
Seriously, this makes Cupcake look secure.

RE: Costly
By Omega215D on 10/3/2011 7:59:01 AM , Rating: 2
It appears that this is not an Android problem but more of an HTC issue with the .apk

By Angstromm on 10/2/2011 10:12:59 PM , Rating: 3
Here's a link to the original post:

And here's a list of the affected phones:

Affected Phones

Note : Only stock Sense firmware is affected - if you're running an AOSP-based ROM like CyanogenMod, you are safe.

* EVO 4G
* EVO 3D
* Thunderbolt
* EVO Shift 4G? (thanks, pm)
* MyTouch 4G Slide? (thanks, Michael)
* the upcoming Vigor? (thanks, bjn714)
* some Sensations? (thanks, Nick)
* most likely others - we haven't verified them yet, but you can help us by downloading the proof of concept above and running the APK

By senbassador on 10/2/2011 4:49:00 PM , Rating: 2
First they (along with Sprint) bet on the wrong 4g technology and now this. As cool as their 3d Evo was supposed to be, I don't think I will be going with another HTC product in the near future. Unless they can prove me wrong and do something amazing, redeeming themselves.