Security Vulnerabilities On HTC Android Devices

revjtanton writes "In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, or corporate evilness — it doesn't matter." That's because "any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads)" on one of these phones can now grab all sorts of interesting bits from the logged data.

Fix

[Adam+Zweimiller]

If you are rooted, you can use Titanium Backup to uninstall HTC Loggers or you can manually delete HTCLoggers.apk from /system/app/.

Re:Fix

[fuzzyfuzzyfungus]

Arguably there is a problem with "the permissions"; but not in a narrowly technical sense(well, strictly speaking, it might be nice if Android broke network permissions down a little further, so that you could allow an application to access internet resources; but forbid it from connecting to anything on localhost, or allow something to connect to one or more ports on localhost; but not the outside...)

A major vendor is shipping a 'diagnostic' application so fucked that it might as well be a rootkit on a large-but-not-precisely-known number of devices expected to be connected to the internet and in possession of relatively juicy information for most of their operational lives, and nobody in the chain decided that this was maybe a bad idea until 3rd parties discovered it and wrote it up...

This suggests that HTC's "Sense" team might not have any.

Cyanogen Mod

Even more reason to root and flash with CyanogenMod or other custom firmware of your choice.

Re:Cyanogen Mod

[izomiac]

Amusingly enough, the core CyanogenMod developers have made it abundantly clear that they vastly prioritize the ability of vendors to spy on users over the user's right to control who has access to personally identifiable data.

(Sorry for using biased language, but I think that denying a user control over hardware they own, especially by an open source project, is just asinine.)

Re:Why even bother specifying INTERNET perms?

[goose-incarnated]

All users will happily allow something like "Angry Birds" to have internet access, even though it is obvious that it doesn't need it.

[snipped]

The few people who don't like those ads go to the Amazon Appstore for Android and get the pay version of Angry Birds - no more ads.

You just made my own point for me - the paid version of Angry Birds on the amazon app store needs internet access (I just checked!).

Why? It clearly isn't for ads, perhaps its for DLC???

Re:Why even bother specifying INTERNET perms?

[ScrewMaster]

I want a way to easily change the permissions granted to an application, without the application's knowledge. If I decide that an application has no business making or receiving a text message, I should be able to disable that capability, all without the application being aware that it's attempt to send a text message failed.

Cyanogenmod can do this if you enable some of the advanced features. Once the app is installed you can go in where you view the permissions it needs and toggle some of them off. Badly designed apps may crash, but most stuff I've done it to has happily continued running.

True. And if you're still concerned, run Droidwall. I do ... if an app has no need for Internet it goes in the blacklist. If it then fails to run because of some stupid license check, or just the dev being a dick and insisting that his app get out whenever it wants, it gets uninstalled.