Oh dear, it would appear that a pretty big security hole has been discovered in a selection of HTC smartphones running Android, which could potentially put your personal data at risk.
The vulnerability was discovered and detailed in a recent report by Trevor Eckhart and the folk over at Android Police.
The report suggests that the security hole may exist in certain HTC devices that have recently updated to the latest version of the Sense UI, and that it can allow apps with the Internet permission to access your private data, such as text messages and location information.
Apparently, in the latest update, HTC introduced a suite of logging tools that collect various information about the device – unfortunately, Trevor has found that these logging tools are not as secure as they should be, and he has been able to retrieve various data such as:
- the list of user accounts, including email addresses and sync status for each
- last known network and GPS locations and a limited previous history of locations
- phone numbers from the phone log
- SMS data, including phone numbers and encoded text
- system logs (both kernel/dmesg and app/logcat), which include everything your running apps do and are likely to include email addresses, phone numbers, and other private info
All this information could be retrieved using the very common ‘android.permission.INTERNET’ permission that almost all apps request when you download them from the market. Now, don’t panic: this permission is mainly used to allow you to submit high scores online when playing games, or perhaps to display ads at the bottom of the app. However, using this recently discovered vulnerability, it’s possible that developers with malicious intent could create an app solely for exploiting this security hole.
Some of the devices already reported to have this flaw include the HTC EVO 4G, EVO 3D, Thunderbolt, Evo Shift 4G, MyTouch 4G Slide and possibly some models of the HTC Sensation.
HTC hasn’t released any statement regarding the recent alleged vulnerabilities, although if they do, you can be assured we’ll let you know. In the meantime, if you want to check out this security hole in more detail, you can get more information from the Android Police site.