Last Updated: October 5th, 2011

HTC acknowledged the vulnerability in some of its devices that Android Police together with Trevor Eckhart posted Saturday night. The privilege escalation vulnerability currently allows a potentially malicious app that uses only the INTERNET permission to connect to HTC's HtcLoggers service and get access to data far exceeding its access rights. This data includes call history, the list of user accounts, including email addresses, SMS data, system logs, GPS data, and more.

HTC added that a software fix is already in the works and will be pushed to affected devices following a brief testing period (hopefully carriers won't end up delaying the OTA roll-out too much due to additional testing and bureaucracies).

HTC's full public statement follows:

HTC takes claims related to the security of our products very seriously. In our ongoing investigation into this recent claim, we have concluded that while this HTC software itself does no harm to customers' data, there is a vulnerability that could potentially be exploited by a malicious third-party application. A third party malware app exploiting this or any other vulnerability would potentially be acting in violation of civil and criminal laws. So far, we have not learned of any customers being affected in this way and would like to prevent it by making sure all customers are aware of this potential vulnerability.

HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices. Following a short testing period by our carrier partners, the patch will be sent over-the-air to customers, who will be notified to download and install it. We urge all users to install the update promptly. During this time, as always, we strongly urge customers to use caution when downloading, using, installing and updating applications from untrusted sources.

While I applaud HTC's desire to fix the situation quickly, I do have to wonder whether the patch will simply apply some sort of an authentication scheme to the service while letting it continue to collect the same kind of sensitive data to be potentially reported back to HTC or carriers.

Furthermore, I'd like a clarification on what the Android VNC server, which could allow remote access, is doing on affected devices.

Finally, I would like to know what HTC is planning on doing with the other services listed below found on the same devices. These services could be insecure in some ways, and we're currently looking into them in more depth.


Artem Russakovskii
Artem is a die-hard Android fan, passionate tech blogger, obsessive-compulsive editor, bug hunting programmer, and the founder of Android Police.
Most of the time, you will find Artem either hacking away at code or thinking of the next 15 blog posts.

  • http://trsohmers.com trsohmers

    As far as I could tell, the VNC server isn't active on devices... but as far as I can tell, HTC is distributing this project (http://code.google.com/p/android-vnc-server/) which is under the GPL... and under section 3 under the Terms of the GPL (http://www.gnu.org/licenses/old-licenses/gpl-2.0.html), they HAVE to provide source code with it, or accessible to anyone requesting it. If they have modified it, they would have to provide source and list any changes made, and when they were made.

  • Ray

    In my email support request to HTC I was explicit about the fact that this vulnerability left me with no trust that a patch that did not include the removal of collection methods used up to now altogether would be sufficient. I must say that this has not changed for me. It appears that they do not have the needed understanding that without the trust of discerning individuals they can make all the feature packed hardware they desire. They will hit a wall in terms of sales and marketing. I am not likely to upgrade my phone in advance of July 2012, so I suppose they have until then to prove that they not only INTEND to lock down vulnerabilities created by their attempts to improve their hardware, but they can actually SUCCEED in doing so. The apparently sloppy method used to store data, that I fundamentally question the need for in totem anyway, shows they do not take security as seriously as they would have us think. The mention in their own statement suggests that the 3rd party use of this knowledge can be curbed with the idol threat of legal ramifications, shows they are either desperate, or naive. Are hackers known for being concerned with legal ramifications? Silly, in my opinion.

  • http://k0nane.info k0nane

    "does no harm to customers' data" That may be. But if they so much as /imply/ that it does no harm to customers' privacy? That, would be an out-and-out lie.

    • Chris

      @ k0nane

      Get used to it. You know better than anyone else about software like Sprint Carrier IQ.

      I have no doubt that carriers and manufacturers will put other tracking devices into our phones.

      I think that the for every phone that is released, what needs to happen these days is a community built AOSP version with all of the excess bloat removed and built from ground up. It's the only way to be sure. Sadly, most phones don't have the development communities to support this.

  • Tee

    ...and why is it there in the first place?!?

  • irishgreen

    My man treve is a beast! Putting HTC in their place ..u can't hide stuff from our genius android developers !! HTC is my choice in phones but they have to take this seriously and fix ALL issues. Give treve a job ..hell do it for ya..or better yet give us a synergy HTC rom stock phone from virus and treve :)

  • JBO

    I believe HTC will get their patch out quick. Unfortunately the carriers will take their sweet time screwing up the build containing the patch. Not to mention they likely will cause new security vulnerabilities while they are at it.

  • paceaux

    Screw waiting for HTC to put out a fix. The issue has been published. Conniving folks will try to develop apps to take advantage -while non-tech-savvy folks will be taken advantage of.

    I just deleted the App and didn't think anything more of it.

  • MKChris

    Hey Android Police, you got a name-check in our (asi in the UK) best quality newspaper (in my opinion anyway):

  • http://www.ronanboylan.com Ronan

    I presume HTC devices running Cyanogenmod aren't affected?

    • Paul

      Only HTC phones with SenseUI. So Cyanogenmod does not fall into that category, no SenseUI.

  • Paul

    lol, what a mess. I read AndroidPolice's article initially, that was the 1st i was exposed to the flaw. I also clearly remember all the mention of TrevE and that AP had worked with him for a day. It seemed that TrevE gave HTC 5 business days to respond, they didn't, so he wanted to make it public, and AP helped with that. I also later read the BBC article and I thought it was funny they only mentioned AP and only really gave AP credit, not really AP's fault for what another site posts. If they had actually read the article themselves they would have seen TrevE's mention. And then XDADevelopers reads the BBC article and blasts AP? In addition people come to AP's site and comment about how AP doesn't give credit? Did any of you read the original article?? Dumb. AP isn't at fault, BBC is mostly, and regardless, it's gotten the attention of HTC, which is what AP was originally helping with in the first place [lighting a fire under HTC]), and HTC is patching it. So all's well and everyone needs to relax. All I know is, a few days ago I didn't know about this flaw, AP posts it, AndroidAndMe reposts it, BBC reposts it, and now HTC is promising a patch quickly. Seems like mission accomplished. Good job AP.

    • S

      And a week later, still nothing.

  • S

    This crap made me reluctantly (warranty) root my phone. Glad I did though and won't look back but HTC really need to get themselves into gear. This is dragging on now and is becoming very embarrassing for them.

  • Gomez Phiri

    Hello people, the htc security update has been released. I have downloded and installed on my HTC Evo 3D.

  • sheps

    Can anyone tell me what software version I should have on my Flyer if I have had the update please? My device is new, and as far as I'm aware I haven't had an update, but perhaps I didn't need one?

  • sheps

    Thanks Artem. I'm in the UK so it's a little different here I think... Sprint offers the 4G & WiFi version there in the US and there is also a WiFi only version; is that the way things are?

    I have a 3G & WiFi version of the flyer here in the UK, and my software version is currently above that, so I'm not certain what to think, but I don't think I'll worry about it :)

    Thank you for replying.

  • Don

    I just got my update from Sprint...tonight.