15
Oct
image

Originally Posted October 12th.

It's been eleven days since Android Police published this story detailing the discovery by Trevor Eckhart of some serious security issues within HTC's more recent software. Three days after that HTC responded, and now, a further week or so later, we are seeing reports of an "important security update" being pushed to HTC Sensations throughout Europe.

image

Screencap by FG1234 of Android-Hilfe.de

While HTC does not specify exactly what the ~9 MB update addresses, the timing seems right to relate to the preceding story. Besides alluding to some positive-sounding "performance improvements and new features", the update description does not mention any further details, and HTC certainly doesn't dwell on the nature of the security update itself.

The OTA version is 1.45.401.3, and may be polled for by prompting your system to check for an update in the phone settings. A full release log has yet to be found, so we can only presume that it deals with the vulnerability previously reported.

 

Update Oct. 15th: TrevE has done some digging in the subsequent EVO 3D update (GSM model - no sign of it on Sprint yet), and has extracted the "security update" routine. As you can see in the code below, it essentially deletes the contentious logging files once and for all.
ui_print("Deleting specific files...");
delete_recursive("/data/data/com.htc.loggers/",
                 "/sdcard/htclog/");
....
   "/system/app/HtcLoggers.apk", "/system/app/HtcLoggers.odex",
       "/system/app/NetLogger.apk", "/system/app/NetLogger.odex",
       "/system/app/QXDM2SD.apk", "/system/app/QXDM2SD.odex",
       "/system/bin/androidvncserver", "/system/bin/usbnet",
       "/system/lib/libhtc_loggers.so", "/system/lib/libhtc_netlogger.so",
       "/system/lib/libhtcqxdm2sd.so",

Source: XDA-Developers, Android-Hilfe.de

Brian O'Toole
Having learnt his writing techniques reading e-Books of Sherlock Holmes, Brian now spends his time /kicking, lurking, SSHing and encoding.
  • http://denh.am DrMacinyashsa

    Why not just get the ZIP and see what it changes?

    • http://www.AndroidPolice.com Artem Russakovskii

      There you have it - it's indeed fixing HtcLoggers.

  • http://none SE

    What if I've rooted my phone since the security issue arose and deleted HtcLoggers? Should I still install this update ?
    Thanks

    • Jaz

      No need. Most custom roms come with it uninstalled and if you deleted them already then your good. In this situation it pays to be rooted. I can't wait till they have easy root for the latest ota 1.50 update.

  • http://none SE

    Ok although I have the stock ROM still. I performed S-OFF of my phone then ROOT. I'm just concerned that this update/fix will cause problems so maybe I should just ignore it.

    • blunden

      If you have actual radio S-OFF then you should be fine no matter what they do. The radio security bit in protected radio storage on your phone will have been changed and it shouldn't even be possible to change that via a simple OTA. Usually that requires a special device connected to the sim-port, either an official one or something like an XTC Clip. Some device exploits unlocked writing to any region of the emmc though.

      If you have a hboot that has been modified to ignore the actual radio security flag though, they could remove that with a simple hboot update.

  • billie

    when will be the update for Asian region? been waiting for this for quite so long..

Quantcast