Security Vulnerabilities On HTC Android Devices

revjtanton writes "In recent updates to some of its devices, HTC introduced a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, or corporate evilness — it doesn't matter." That's because "any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads)" on one of these phones can now grab all sorts of interesting bits from the logged data.

I'm keeping my Windows Mobile 6.5 Device...

No one wants to track us!!

Re:I'm keeping my Windows Mobile 6.5 Device...

but that the modern phone OSs are too cloud based

I stopped reading right there. Now go home and ask your daddy how operating systems work.

Re:I'm keeping my Windows Mobile 6.5 Device...

[gmhowell]

Ah, dueling ACs. Can you hear the tuba?

FTFY

Re:Bah, move along

[Kenja]

Not the point. The point is that a third party app can grad the data and send it off to an unknown location without asking permission first. However, that assumes you have an untrusted app installed with the internet permission flag set to true.

Fix

[Adam+Zweimiller]

If you are rooted, you can use Titanium Backup to uninstall HTC Loggers or you can manually delete HTCLoggers.apk from /system/app/.

Re:Fix

[Rich0]

There is no problem with "the permissions."

There is an app that runs as root (which means it effectively has all permissions), and it publishes all kinds of data on a TCP port. Anything that can connect to it can just ask for whatever data it wants.

The fix it to get rid of that app, or at least make it not expose that data on that port (which requires editing the app source, and which seems pointless since the only purpose of the app seems to be to bypass the normal permissions model).

Apps that run as root can do whatever they want to - don't like it, don't run the app. That's why generally speaking you shouldn't run random apps as root.

Re:Fix

[stephanruby]

One silver lining at least is that

HTC is one of the very few hardware manufacturers that does provide official instructions for rooting your own device.

Re:Fix

[fuzzyfuzzyfungus]

Arguably there is a problem with "the permissions"; but not in a narrowly technical sense(well, strictly speaking, it might be nice if Android broke network permissions down a little further, so that you could allow an application to access internet resources; but forbid it from connecting to anything on localhost, or allow something to connect to one or more ports on localhost; but not the outside...)

A major vendor is shipping a 'diagnostic' application so fucked that it might as well be a rootkit on a large-but-not-precisely-known number of devices expected to be connected to the internet and in possession of relatively juicy information for most of their operational lives, and nobody in the chain decided that this was maybe a bad idea until 3rd parties discovered it and wrote it up...

This suggests that HTC's "Sense" team might not have any.

Re:Fix

[Adam+Zweimiller]

Unlocking bootloader != Rooting!

Re:Fix

[Doc+Ruby]

I have Terminal Emulator. I cd to /system/app , and ls tells me there's no HTCLoggers.apk . Is it hidden somehow? I think the phone is up to date with all offered updates. Is there any way to test whether this little bugger is actually installed on my phone?

Re:Fix

[Adam+Zweimiller]

Rooting is trivial even with a locked bootloader. It's custom ROMs that are difficult with the locked bootloader.

Re:Fix

[msauve]

It's HtcLoggers.apk, at least on my phone (or was :-) ). Case matters.

Re:Fix

[Rich0]

Well, clearly this is a major security issue and should be fixed ASAP - not that I'm holding my breath.

It would be like a linux distro spawning a root bash listening on some random TCP port. There isn't anything wrong with the linux security model per se - it just doesn't prevent the people configuring the distro from shootting themselves (or more importantly their users) in the foot...

Re:Fix

[ScrewMaster]

If you are rooted, you can use Titanium Backup to uninstall HTC Loggers or you can manually delete HTCLoggers.apk from /system/app/.

If you are rooted you can just install Cyanogenmod and forget about it.

Re:Bah, move along

[St.Creed]

Untrusted apps? You mean I can't trust my cute little Bonzi Buddie? Shame on you, you nasty paranoid person! :)

Cyanogen Mod

Even more reason to root and flash with CyanogenMod or other custom firmware of your choice.

Re:Cyanogen Mod

[Richard_at_work]

Problem is, you lose HTC Sense, which is one of the best UIs for Android.

Re:Cyanogen Mod

[binarylarry]

I recently installed cyanogenmod on my HTC Sensation... specifically to get rid of the Sense UI.

Re:Cyanogen Mod

[izomiac]

Amusingly enough, the core CyanogenMod developers have made it abundantly clear that they vastly prioritize the ability of vendors to spy on users over the user's right to control who has access to personally identifiable data.

(Sorry for using biased language, but I think that denying a user control over hardware they own, especially by an open source project, is just asinine.)

Re:Cyanogen Mod

[Doc+Ruby]

What else do you lose if you root an HTC (Evo Shift 4G) and replace with CyanogenMod or some other comprehensive Android OS?

Re:Cyanogen Mod

Thanks for pointing me to this one, I *was* on the verge of buying a new phone, and the Android beasties looked tempting especially after a bit of rooting, but hey, I've been happy with 'dumb' phones up till now, I think I'll stick with them..

I have to ask the question that the developer of the patch sort-of asked, wtf is Android doing exposing the device IMEI number, SIM serial numbers and files, contents of Contacts lists and SMS message stores, etc to any sort of app for in the first instance? (well, he must have asked himself that, otherwise he'd never have come up with the patches..) From my limited understanding of the current situation, 'oh hai, I'm the cute game app you just installed, I wants permiisions to access your filez and internets so I can high score table (and nom nom nom all your personal data I can gets...)

Someone in the discussion pointed to brought up the red herring about legality of IMEI spoofing, not quite getting the difference between the *device* using this number to register with a network (the spoofing of which, here in the UK, is Illegal) and a patch to the OS which upon intercepting an *app* trying to get the device's IMEI returns some random BS..which, though IANAL, as far as I can tell, is *not* illegal.

The sort of stuff these developers spout against the patches ('..borderline unfriendly towards revenue mechanisms', '..unfriendly towards app publishers.' ..and damaging vendor data.') makes me suspicious of *their* motives.

Re:Cyanogen Mod

[Miamicanes]

You don't lose SenseUI from *rooting*, you lose SenseUI from replacing its stock ROM with most community Android builds. The main complaint today about most factory ROMs is that there's no graceful way to pick and choose what you want to keep. To a very, very large extent, you can either poke around and rearrange the furniture a bit (leaving most of the original stuff in place), or you can blow it all away and end up with something that often isn't quite as polished or pretty as what you had before.

The main problem is that the Android team largely left it up to manufacturers to implement core stuff like the Dialer app, and never formally defined how a "Dialer" should interact with a "Phonebook" or "Calendar". So what happens is that someone makes a custom ROM, tries tweaking the Dialer, discovers he can't, blows it away and replaces it, then discovers that it can't seamlessly integrate with anything else on the phone because it doesn't know how to interact with the phonebook or calendar. SO... he reverse engineers the phonebook and calendar on HIS phone, gets it to work with his Dialer of choice, then others try to use it and it blows up on their phones because the phonebook and calendar on THEIR phones communicates in a different way than the phonebook and calendar on HIS phone.

THIS is what people really mean when they talk about Android's "fragmented" frameworks -- there's no official standard for how a modular and extensible dialer app should work or interact with the rest of the system, so every new Dialer ends up being specific to a very small specific group of phones, and version upgrades that upgrade the Dialer app end up breaking everything that was based on the old version's reverse-engineered behavior. SenseUI does things one way, Touchwiz does things another, Motoblur does them a third, and AOSP is off in its own world with several other ways for different families of Dialers+phonebooks to interact with each other and the rest of the world.

I believe one of Google's goals for ICS has been to formally define aspects of the "phonebook/contacts/schedule" system and standardize the intents, so that at least going forward manufacturers who properly implement them will have phones that can be incrementally tweaked without having to blow everything away and throw the baby out with the bathwater the way you (mostly) do now.

Re:Cyanogen Mod

[Doc+Ruby]

Is there at least a grid or DB somewhere of phones vs firmwares that indicates which OEM features are covered, and perhaps by which optional replacement? I thought phone fans were obsessive about collecting those kinds of details about the objects of their fetish.

Re:Cyanogen Mod

[msauve]

"wtf is Android doing exposing the device IMEI number, SIM serial numbers and files, contents of Contacts lists and SMS message stores, etc to any sort of app for in the first instance?"

Well, in the first place, an app has to demand access, and receive permission from the user before it can access such things. Every time you install an app, a list of permissions to be granted is present to the user for their permission. Now, it may be the case that most users just blindly hit "accept," but that's not an OS issue.

An app may use the IMEI or s/n for licensing (to lock itself to a specific phone or user). If it's a dialer app, it would be about useless without permission to see contact info, one might want an app which could be controlled by sending it an SMS. Why should Android limit the way a device is used, as long as the user is still in ultimate control?

Re:Cyanogen Mod

[Rich0]

I suspect that "their" motive is to keep their options open, and they're not going to get job offers from phone vendors by making it harder to monetize the platform. Steve is now employed by a phone vendor so I doubt he'll ever shake things up that much.

There are now 3rd-party apps that will block these APIs, which makes me less annoyed with Android.

Android is FOSS, so you could always make a "PrivacyMod" distro that just tracks CyanogenMod but adds a few patches like these sorts of things. That would be relatively low-maintenance, and if it ever took off it would put considerable pressure on CM to adopt a more user-centric policy.

I really could care less what is good for app vendors/etc - the phone is mine, and if they can make money off MY phone that is nice, but it isn't at all important to me. I don't hold to the "just don't install the app" model - there is no technical reason why I can't have my cake, eat it too, and send a message to app vendors that they need to restrain themselves or they'll be cut off.

Re:Cyanogen Mod

[Miamicanes]

The problem is that it's hard enough to keep track of all the different Android builds available for *your own* phone, and possibly its close cousins, without even thinking about trying to do it for other brands too. Just look at the forums for Cyanogen. The guys trying to port to to Samsung phones can barely carry on a coherent conversation with the guys who've ported it to HTC phones, because their stock firmware is so architecturally different. You'd think they'd be similar because they're all ARM-based, overwhelmingly use Qualcomm radio chipsets, and all theoretically run Android... but software-wise the differences start at the kernel and device drivers, and just explode from there.

Just to give an idea of the problem's scope, look at the Samsung Galaxy S family. In theory, they were similar cousins. In reality, you couldn't even use an unaltered ROM meant for a Captivate (AT&T) with a Vibrant (T-Mobile) or i9000 (international), let alone an Epic 4G (Sprint) or Fascinate (Verizon). With great effort, you could make a Captivate-origin ROM that worked on a Vibrant, and grab bits and pieces from the Fascinate and stuff it into an Epic4G ROM, but it absolutely wasn't plug-and-play. And these were phones that were supposedly fraternal twins or first cousins. Compare any of them to anything by HTC or Motorola, and you might as well compare an Orangutan to a Kangaroo. I suspect things might be easier in Europe, but in America, even nominally-GSM phones for AT&T and T-Mobile have major differences.

Re:Cyanogen Mod

[ScrewMaster]

Problem is, you lose HTC Sense, which is one of the best UIs for Android.

In that case try one of the Virtuous Sense ROMs. They work very well, but in my case I have a T-Mobile G2, so I had to installed engineering bootloader in order re-partition my flash to allow enough space for the OS. I ended up decided that Sense wasn't for me anyway, and went back to my Cyanogenmod.

Re:Cyanogen Mod

[ScrewMaster]

You'd think they'd be similar because they're all ARM-based, overwhelmingly use Qualcomm radio chipsets, and all theoretically run Android... but software-wise the differences start at the kernel and device drivers, and just explode from there.

Now you understand why Samsung just hired Steve Kondik, founder of the Cyanogenmod project. They need someone like him very badly. Besides I, for one, won't consider a device if I can't get rid of the stock firmware and put Cyanogenmod (or another decent third-party ROM) on it. If nothing else, I simply do not trust the vendors and the carriers to play straight with me on the operating system.

You also have to give a lot of credit to the Cyanogen crew, when you look at the sheer number of supported devices, all across the spectrum from HTC to Samsung.

Re:Cyanogen Mod

[ScrewMaster]

Is there at least a grid or DB somewhere of phones vs firmwares that indicates which OEM features are covered, and perhaps by which optional replacement? I thought phone fans were obsessive about collecting those kinds of details about the objects of their fetish.

This may be helpful to you.

Re:Cyanogen Mod

[Richard_at_work]

Nah, I've had my fill of Android for the time being - I'm going back to the iPhone later this week.

Thanks for the suggestion tho, I hope it helps someone else reading this thread!

Re:Cyanogen Mod

[Doc+Ruby]

So which rooted firmware would you install on an HTC Evo Shift 4G, that would still run every app in the Android Market (and probably any other app, including ones I make myself with the SDK)? I really don't love the HTC Sense "desktop", but I don't want to live in some fork where every app I install has me second-guessing the firmware choice. And I certainly don't want to live with HTC's attacks like this one - which is a sign of things to come from HTC.

Re:Cyanogen Mod

[Doc+Ruby]

So which rooted firmware would you install on an HTC Evo Shift 4G, that would still run every app in the Android Market (and probably any other app, including ones I make myself with the SDK)? I really don't love the HTC Sense "desktop", but I don't want to live in some fork where every app I install has me second-guessing the firmware choice. And I certainly don't want to live with HTC's attacks like this one - which is a sign of things to come from HTC.

Re:Cyanogen Mod

[Doc+Ruby]

Ah - would you limit your replacement firmware choice to what that form shows is available for a given phone/orig-OS?

Re:Cyanogen Mod

[metalgamer84]

Same question I have(as a Evo Shift owner)...

Re:Cyanogen Mod

[ScrewMaster]

Well, you'd have to check cyanogenmod.com to see if your phone is on the list of supported devices. I've been running various CM versions continuously for almost three years now, and have yet to find an app that won't run. Quite the opposite: generally they perform better than under the equivalent stock release.

Yeah, I agree about HTC: that's too bad. I don't know if they've just gone "evil", or if this is an example of the known-evil carrier influence, but I stopped running stock firmware on any of my phones years ago and haven't looked back. That kind of behavior was a large part of my decision to go third-party (that and better battery life, more performance and more features than stock. Also, I didn't like being told that I can't do certain things, like tethering.)

Some carriers disable the "Allow Non-Market Apps" capability. That's enough right there to make me root and go with a CM or some other ROM.

Re:Cyanogen Mod

[Richard_at_work]

Awww did someone get all offended at the thought that someone dislikes their Android experience enough to go back to Apple? Poor poor you, don't worry, it will soon pass.

Re:Cyanogen Mod

[Miamicanes]

> Now you understand why Samsung just hired Steve Kondik, founder of the Cyanogenmod project.
> They need someone like him very badly.

You're absolutely right. Actually, Steve will help Samsung a lot, because for basically the cost of one happy full-time employee, they've effectively outsourced the long-term maintenance of their phones' firmware to dozens to hundreds of enthusiastic, highly-skilled unpaid volunteers (many of whom would be VERY expensive to hire for real as full-time employees). Samsung has NEVER been good about supporting phones with updates after they've shipped. Cyanogen went a long way towards fixing that, but had a problem -- there were hardware issues that just couldn't be easily solved without access to the proprietary bits of source that Samsung couldn't hand out to members of the public. Now that Steve's an employee under NDA, they can give him the keys to the castle and let him freely build flawless Cyanogen-optimized kernels for Samsung's phones, and leave everything else up to the community.

Re:Cyanogen Mod

[Miamicanes]

For the sake of accuracy, the only carrier known to have ever done that in the US is AT&T, and they appear to have quit doing it for new phones going forward from the Infuse, and supposedly are unlocking older phones as they roll out periodic updates over the next few months. Now, whether AT&T will KEEP leaving them unlocked if it loses its fight to buy T-Mobile, and quits trying to publicly pretend that it's non-Evil, is anybody's guess.

Re:Cyanogen Mod

[Doc+Ruby]

Will Sprint know that I've rooted my phone? How about if I enable WiFi hotspot on an unlimited data 4G phone... other than by auditing my total consumption and inferring? If they do guess, will I have violated some contract, or even just given them an excuse to cancel my contract?

If not, it seems there's practically nothing to lose except the HTC SenseUI, which seems worth losing. And in its absence, perhaps inspiration to write a different GUI shell myself, or with others.

Re:Cyanogen Mod

[Doc+Ruby]

I am very pleased that my post gave you two an excuse to discuss this subject so informedly and insightfully. Thanks for sharing it with me - and with us :).

Re:Cyanogen Mod

[Doc+Ruby]

Reading the other replies in this thread, it seems that nothing else is lost, and much is gained - if you don't mind being unconventional.

Re:Cyanogen Mod

[ScrewMaster]

Will Sprint know that I've rooted my phone? How about if I enable WiFi hotspot on an unlimited data 4G phone... other than by auditing my total consumption and inferring? If they do guess, will I have violated some contract, or even just given them an excuse to cancel my contract?

If not, it seems there's practically nothing to lose except the HTC SenseUI, which seems worth losing. And in its absence, perhaps inspiration to write a different GUI shell myself, or with others.

Well, right now I have six different so-called "home apps" loaded on my G2. Some are variants of the stock launcher, others are completely and totally different. Sometimes I switch between them depending upon what I'm doing.

Re:Cyanogen Mod

[ScrewMaster]

For the sake of accuracy, the only carrier known to have ever done that in the US is AT&T

Okay, I'll take your word for that. I've never had a smartphone on anything other than T-Mobile at this point. On the other hand, even T-Mobile disallowed tethering apps early on (my first Android device was the venerable G1.) They eventually did a complete about-face on that score, and I haven't had any grief about non-Market apps or tethering or, well, anything else really. Which is why I was very upset when I first heard about the buyout.

The upper management of AT&T (or rather, SBC) should be in irons right now.

Re:Cyanogen Mod

[Miamicanes]

Well, strictly speaking, they didn't "block" them, they just didn't allow them to be shown in Android Market. They made it non-easy for unsophisticated users, but didn't actually make it *hard* for regular users the way AT&T did.

Now, if they started poisoning DNS to make their domain appear to be invalid, or started to actually intercept and mangle http requests to their web site, that would be much more incrementally-evil and condemnation-worthy. On a scale of 1 to 10:

Filtering from Android Market: 2
DNS poisoning: 7
Http filtering: 8
Disabling installation of non-market apps: 9
Disabling ADB: 10 (I think this is actually forbidden by Google's licensing)
AT&T in General: 17
AT&T's management: off the scale. Alderaan is fucked, and only the FTC can save the rest of us.

Re:Cyanogen Mod

[metalgamer84]

Yeah, so it seems. Being unconventional is no problem, loss of functionality or reliability is, hopefully neither will be. From the looks of it, the GB 2.3.3 rom can always be reloaded on the phone so it seems I have no reason not to give CM7 a whirl.

Re:Cyanogen Mod

[ScrewMaster]

Ah - would you limit your replacement firmware choice to what that form shows is available for a given phone/orig-OS?

That's just one list and not all-inclusive. There are lots of third-party ROMs. Once you have your phone rooted, you can download a program called ROM Manager from the market: it will install a custom recovery partition and allow you to back up and restore your existing OS and applications, and will flash a number of the most popular mods, including Cyanogen and MIUI. It will only show ROMs that are compatible with your particular device.

The mind is willing

[DarkOx]

Seems to be a mind is willing, but the flesh is weak situation with the droid devices. Certainly the permissions model makes lots of sense for the type of device, but the implementations are wanting.

Why even bother specifying INTERNET perms?

[goose-incarnated]

Seriously, why bother - users don't actually care whether an app needs internet access or not, they just use the app anyway. For example, I've developed an app doesn't require internet access, yet it is still less popular than a similar app (which has less functionality) that happily uploads your private data to it's servers.

Honestly, if the users themselves don't mind sending something like their menstruation data to a third-party, why bother with an app that guarantees privacy? The privacy apps will just make less money due to having less marketing info from the users, and being unable to mine that data.

The market for users who care about their privacy is way too small to count. All users will happily allow something like "Angry Birds" to have internet access, even though it is obvious that it doesn't need it.

Re:Why even bother specifying INTERNET perms?

[Seor+Jojoba]

Your point is mostly true, but I think there are legitimate cases to call out internet permissions. I have installed a password manager that doesn't have internet permissions. If it did have it, then it could send the passwords to an internet server someplace. So I honestly checked that the program did not have internet permissions, and would not have installed it if it did have them.

Re:Why even bother specifying INTERNET perms?

[SJS]

"The market for users who care about their privacy is way too small to count. "

Just so. I've been considering buying an Android device, and in preparation was playing with Android in a VirtualBox VM. I found it very difficult to find ANY apps I was willing to run, because things that obviously should not require internet access (or some other permission) did require it.

Work has provided me with an Android phone, so I've been looking through the Applications, and most of 'em I won't install because the application (or rather, the developer of the application) demands access far beyond what is needed. It's not so much that an application requires a permission, but how many permissions many of them require.

I want a way to easily change the permissions granted to an application, without the application's knowledge. If I decide that an application has no business making or receiving a text message, I should be able to disable that capability, all without the application being aware that it's attempt to send a text message failed.

Then, I became absolutely bewildered that (apparently!) many millions of people will let some unknown app X have access to capabilities it absolutely should not need to do what it purports to do. To me that means instant distrust. I don't know what everybody else is thinking ... wish I did.

I'm sure that they're thinking that they don't have a choice.

It's *hard* maintaining a decent policy of "Don't Use Apps That Demand Stupid Things". People get tired of it all. So they say "screw it!" and forget about it, and basically wish really hard that they get lucky and don't get compromised, or have their data splashed about. (Then, to make themselves feel better about their lax policy, they harangue others for not "taking advantage" of their similiar device. They scoff at the hesitation of others in allowing unknown and untrusted third parties to have full and unfettered access to personal data. Peer pressure eventually wins.)

Most people don't have much self-discipline, after all.

Whatever your app is, kudos for taking the high road.

Seconded.

Re:Why even bother specifying INTERNET perms?

[goose-incarnated]

Your point is mostly true, but I think there are legitimate cases to call out internet permissions. I have installed a password manager that doesn't have internet permissions. If it did have it, then it could send the passwords to an internet server someplace. So I honestly checked that the program did not have internet permissions, and would not have installed it if it did have them.

My point is fully true - I went to the android market now and did a search for "password manager" - of the first five (ordered by relevance) results, only ONE (Yes, you read that correctly) does not allow internet access. Let's call them A, B, C and D and see how they compare:

A - internet access required, 100k to 500k installs
B - no internet access required, 10k to 50k installs
C - internet access required, 100k to 500k installs
D - internet access required, 10k to 50k installs
E - internet access required, 100k to 500k installs

Now, I'm not going to go through all the apps found for searching password manager", but you can see from the above that your decision to check the access is not something done by the majority - even for their passwords. The apps that come with the ability to rape privacy are more popular than those that come without it.

Re:Why even bother specifying INTERNET perms?

[robmv]

If you want to more assurance that your passwords aren't leaked to the internet don't install any other application with internet permission from the same developer. Two apps can share files if they are signed with the same key. The password application can still send the passwords to any other installed application using Intents too

Re:Why even bother specifying INTERNET perms?

[Doc+Ruby]

There's not going to be a way to disable a permission without the app that tries to get it noticing that it's disabled, when that app tries to exercise that permission and the function fails. But so what? We should be able to deny the permission in the OS, but still install the app that wants the permission. Then that function will fail. And the app will either not do what we want, in which case we'll either keep it or not, either give the permission or not, either contact the app distributor/author or not.

This prerogative in the OS seems exactly what we want from an OS: let us manage apps, even at runtime, without just letting them do whatever they want. In fact it's how firewall apps patched into an OS work: an app might try to access the network, but the OS (as configured by the user) sets what the app has permission to access. It doesn't require any support from the app for that permissioning.

It's time for an "IPC firewall" management tool in Android. It should really be part of Android. But maybe a 3rd party developer can put one out there. It's definitely worth $5, if it works.

Re:Why even bother specifying INTERNET perms?

[goose-incarnated]

All users will happily allow something like "Angry Birds" to have internet access, even though it is obvious that it doesn't need it.

[snipped]

The few people who don't like those ads go to the Amazon Appstore for Android and get the pay version of Angry Birds - no more ads.

You just made my own point for me - the paid version of Angry Birds on the amazon app store needs internet access (I just checked!).

Why? It clearly isn't for ads, perhaps its for DLC???

Re:Why even bother specifying INTERNET perms?

[nebular]

The trouble is that any app that shows ads, requires internet access to get the ads.

One of the major revenue streams in the android market are those ads as android users are much less likely to pay for an app.

What Google needs to do is separate the ad internet connection from any other internet connection.

Re:Why even bother specifying INTERNET perms?

[Seor+Jojoba]

You know that sounds like a solid idea, but I scratch my head at the specific implementation of it. If you say that internet connections for ads are a separate permission, then would Google maintain a white list of ad providers? And then for ad providers, there'd need to be some policing to check that info going to the ad servers doesn't contain personal info.

Maybe the way to handle it is to have a separate Android OS advertising API that manages the request sent to an ad provider, disallowing any possibility of sending app-specified info to the server. And then any ad provider that follows the protocol can be accessed via the advertising API with no risk of sending private info like what HTC is exposing.

Re:Why even bother specifying INTERNET perms?

[BradleyUffner]

I want a way to easily change the permissions granted to an application, without the application's knowledge. If I decide that an application has no business making or receiving a text message, I should be able to disable that capability, all without the application being aware that it's attempt to send a text message failed.

Cyanogenmod can do this if you enable some of the advanced features. Once the app is installed you can go in where you view the permissions it needs and toggle some of them off. Badly designed apps may crash, but most stuff I've done it to has happily continued running.

Re:Why even bother specifying INTERNET perms?

[ScrewMaster]

I want a way to easily change the permissions granted to an application, without the application's knowledge. If I decide that an application has no business making or receiving a text message, I should be able to disable that capability, all without the application being aware that it's attempt to send a text message failed.

Cyanogenmod can do this if you enable some of the advanced features. Once the app is installed you can go in where you view the permissions it needs and toggle some of them off. Badly designed apps may crash, but most stuff I've done it to has happily continued running.

True. And if you're still concerned, run Droidwall. I do ... if an app has no need for Internet it goes in the blacklist. If it then fails to run because of some stupid license check, or just the dev being a dick and insisting that his app get out whenever it wants, it gets uninstalled.

Email the shame.

[Seor+Jojoba]

For grumpy HTC owners that want to bitch a little or get them to fix things... http://www.htc.com/us/about/contact-by-email

Deleting This Attack

[Doc+Ruby]

How do I delete this new attack from HTC? If I can't just delete it, but instead I have to root the phone and install an Android OS not from HTC or my carrier, where is the complete list of what I'll lose when I do so? And instructions for doing it?

And where's the NY attorney general phone#, so I can report this hellish violation of any contract I had with HTC, and general privacy invasion?

Re:Deleting This Attack

[Doc+Ruby]

I'm asking the people reading this specific discussion, many of whom actually know something. Which is what real people do when having a conversation: ask each other for insights.

Unlike you, Anonymous idiot Coward, who has nothing to offer. What a loser you are that you think you're funny offering some lame old joke link. Why not offer some goatsex instead? Twit.

Re:Deleting This Attack

[Jaxoreth]

Who is the bigger fool: the fool, or the fool who replies to his troll post?

Reason not to use mobiles for authentication.

[Mattpw]

The security community needs to stop pushing mobile based token authentication. There is no reason why mobile OS's should get some kind of protected status vs their notebook counterparts. In my neck of the woods bad guys just forward all a victims calls for a few hrs anyway regardless of OS but clearly the trojan writers can make the usb jump to the users phone (EU charging mandate now) and carry on the same old tricks.

Block localhost??

[SuperKendall]

I can't see where a separate permission to allow localhost access would help at all. For one thing, how many people would know what that meant - at all? They would just mentally lump it with the internet permission if anything anyway.

For another, I can imagine there are some valid uses of connecting to a local port, possibly even some kind of IPC thing for a single application that has multiple components.

Re:Block localhost??

[fuzzyfuzzyfungus]

It wouldn't be a terribly helpful permission, for the user-knowledge/caring reasons you rightly point out.

Architecturally, though, I think that there would be a case to be made that "localhost only" and "internet only, excluding localhost" are logical subdivisions(not mutually exclusive, an application could request both); because many applications need only communication with remote hosts, and aren't necessarily to be trusted crawling over localhost behind the firewall, and others might have a legitimate need for some sort of IPC; but needn't be trusted with the ability to exfiltrate whatever they are doing.

None of this, of course, would solve the immediate problem, which is that HTC decided to ship a diagnostic application with root access and a homebrew access mechanism a zillion times worse than rlogin(seriously, HTC, ssh is free, and supports keypair authentication...)

More generally, though, I'd say that I'm in favor of more rather than less granularity in permissions structures: If you have a very, very, fine-grained permission system, and need to make it simpler for the end user, 'bundling' groups of highly-granular rights into user-friendly lumps is comparatively easy(and you can still take full advantage of the granularity in situations where you want to get fancy with the control exercised over portions of the system that the end user shouldn't need to mess with). If you have a very coarse permission system, and it turns out that you need something tighter, tacking that on after the fact is not necessarily going to be pretty...

YES it is an OS issue

[SuperKendall]

Every time you install an app, a list of permissions to be granted is present to the user for their permission. Now, it may be the case that most users just blindly hit "accept," but that's not an OS issue.

Yes it is. By having a security model that makes it more likely users will accept, that OS has introduced a security flaw.

A better approach is to grant permission at first time of access to a resource, so that you can make a judgement in context of what the app is asking for. Possibly some permissions should be asked for up front anyway, but not all... And by breaking them apart users would think more about granting them.

Many reasons

[SuperKendall]

Why? It clearly isn't for ads, perhaps its for DLC???

Even though I'm not sure exactly what Angry Birds on Android needs (aside from DLC which I know they do regularly), I can think of a lot of reasons why pretty much any game would want internet permissions:

* Highscores
* Achievements
* Reduce level size on device
* Tweeting to friends about game (yes, many games integrate with social networks).
* web pages with game help material that you wanted to be able to keep more dynamic.
* news feed for game users

Good think Android is open

[bryan1945]

N/C

Bravo

[Wovel]

Good Job HTC.