Privacy on your mobile phone is kind of a big deal. And a company named Carrier IQ made it an even bigger one about a year ago by getting all up in a bunch of people's business. If you don't remember the Carrier IQ debacle of last winter, let me give you a rundown.
First, a guy named TrevE figured out that a company called Carrier IQ had its software installed on a bunch of phones, and that it was taking a lot of data from those phones. Like, scary amounts. And all that data went back to Carrier IQ, who then passed on some of it to the carriers.
Trevor Eckhart, a developer involved in uncovering a huge security vulnerability that affected several HTC devices, was recently threatened by Carrier IQ (CIQ), a company involved in gathering various forms of user data and sending it to carriers or manufacturers for analysis. For those who haven't been following the story, here's what happened:
Trevor Eckhart found several training manuals on CIQ's website. These were publicly available. Trevor shared them with the community, explaining just how far-reaching CIQ's data collection practices are. At this point, CIQ became aware of the fact that sensitive information had been exposed, and pulled the files from their website.
Originally Posted October 12th.
It's been eleven days since Android Police published this story detailing the discovery by Trevor Eckhart of some serious security issues within HTC's more recent software. Three days after that HTC responded, and now, a further week or so later, we are seeing reports of an "important security update" being pushed to HTC Sensations throughout Europe.
Screencap by FG1234 of Android-Hilfe.de
While HTC does not specify exactly what the ~9 MB update addresses, the timing seems right to relate to the preceding story. Besides alluding to some positive-sounding "performance improvements and new features", the update description does not mention any further details, and HTC certainly doesn't dwell on the nature of the security update itself.
HTC acknowledged the vulnerability in some of its devices that Android Police together with Trevor Eckhart posted Saturday night. The privilege escalation vulnerability currently allows a potentially malicious app that uses only the INTERNET permission to connect to HTC's HtcLoggers service and get access to data far exceeding its access rights. This data includes call history, the list of user accounts, including email addresses, SMS data, system logs, GPS data, and more.
HTC added that a software fix is already in the works and will be pushed to affected devices following a brief testing period (hopefully carriers won't end up delaying the OTA roll-out too much due to additional testing and bureaucracies).
I am quite speechless right now. Justin Case and I have spent all day together with Trevor Eckhart (you may remember him as TrevE of DamageControl and Virus ROMs) looking into Trev's findings deep inside HTC's latest software installed on such phones as EVO 3D, EVO 4G, Thunderbolt, and others.
These results are not pretty. In fact, they expose such ridiculously frivolous doings, which HTC has no one else to blame but itself, that the data-leaking Skype vulnerability Justin found earlier this year pales in comparison. Without further ado, let me break things down.
damageless and TrevE, the developers behind the DamageControl ROM which brings Android 2.1 to Sprint HTC Hero CDMA, have been silently working on a new version of the ROM for the last few weeks.
Yesterday night, the world saw the newly updated ROM v2.08 finally go live with the following changelog:
- New DConfig tweaker tool
- Theme Server
- New beefed up apps2sd. If any errors are encountered post /data/dcboot.log
- Scheduler tweaks
- Working Friendsync
- Gallery3d fully working
- Newer XDA keyboard
- Fixed sprint NFL
- Optimized Even more/Cleaned up directories
- Connection tweaks
- Fixed Facebook sync
- Ring delay fixes
- More dalvik tweaks
- Potential audio fix & battery life fix
**First boot will take awhile if upgrading.