Slashdot Mirror


HTC Android Backdoor Leaks Private User Data

Trailrunner7 writes "There is a serious security issue with a variety of HTC Android phones that enables any app with Internet permissions to access a huge amount of private data on the device, including call logs, email addresses, SMS messages, last known GPS location and more. The problem was introduced via an update to the HTC phones that installed a tool called HTCLogger that collects the data."

82 comments

  1. Deja View by AB3A · · Score: 5, Informative

    Didn't we discuss this Yesterday?

    --
    Nearly fifty percent of all graduates come from the bottom half of the class!
    1. Re:Deja View by bigredradio · · Score: 1

      Some of us were not at "work". We missed it.

    2. Re:Deja View by AmberBlackCat · · Score: 2

      Maybe it's just because I have an EVO 3D, but I really think this one needs to be discussed more often. Preferably on national TV.

    3. Re:Deja View by Anonymous Coward · · Score: 0

      Don't forget, Apple announces the new iPhone tomorrow. They need to get as much Android bashing out there as possible in order to convince people to use their more expensive, inferior product.

      Expect some more mindless Android bashing for the next few days while Apple promotes their latest shiny piece of plastic with rounded corners. After all, they really need to hit a home run tomorrow, since they're being eaten alive by Android in the tablet and phone markets and were never a contender in the PC market.

      I wonder how much a Slashdot article costs these days? Whatever the price, I'm sure Apple can afford it.

    4. Re:Deja View by Anonymous Coward · · Score: 0

      Security backdoor? Uninstall it!

    5. Re:Deja View by Animats · · Score: 1

      Didn't we discuss this Yesterday?

      This points up a classic, unrecognized problem with forum systems - few of them support merging threads.

    6. Re:Deja View by Anonymous Coward · · Score: 0

      I wonder how much a Slashdot article costs these days? Whatever the price, I'm sure Apple can afford it.

      I've always wondered why tinfoil nutters like you always come up with some convoluted conspiracy theory rather than accepting the truth which is usually quite simple. Oh well..

    7. Re:Deja View by Anonymous Coward · · Score: 0

      apple does not need to bash android, it's half ass setup by phone companies that bastardize it does it just fine.

      Honestly, PURE android is a good thing, but the crap the phone companies do to it is what causes problems. Why can't google tell HTC that they can't use android anymore if they do not install a PURE android?

      Just come to terms that HTC and Motorola suck and you will understand.

      Oh wait, you're a fanboi who knows nothing at all nor has ever touched an iPhone because all his friends are too poor to own one.. Ahhhhh... words wasted on you.

    8. Re:Deja View by PIBM · · Score: 1

      I believe he was referring to the fact that the article was a dupe already, and that this one places the blame using android backdoor as the title, rather than the better worded previous article. Anyway...

    9. Re:Deja View by Missing.Matter · · Score: 1

      Honestly, PURE android is a good thing, but the crap the phone companies do to it is what causes problems. Why can't google tell HTC that they can't use android anymore if they do not install a PURE android?

      Because one of the reasons manufacturers like android is the ability to customize it. They don't want you to want Android; they want you to want an HTC android, so that the next time your contract is up, you get an HTC android again instead of Samsung or Motorola or anything else. If they were required to run stock android, their ability to differentiate their product would be lowered.

      Now, I'm not saying the consumer appreciates things like HTC sense or Motoblur. The tech crowd certainly doesn't. But I do know this is the manufacturer mentality, because I remember reading concerns they had with WP7 and Microsoft's refusal to let them skin it. Honestly that's one thing they got very right about the platform.

    10. Re:Deja View by ColdWetDog · · Score: 1

      Some of us were not at "work". We missed it.

      That should teach you not to take weekends off.

      --
      Faster! Faster! Faster would be better!
    11. Re:Deja View by The+Good+Reverend · · Score: 1

      It's really too bad yesterday's /. stories disappear forever. Think of all the things we miss!

    12. Re:Deja View by Anonymous Coward · · Score: 0

      You are correct and those "enhancements" especially Blur are what will drive my next phone purchase to something else. If I had to buy one today it would be a Nexus. Coming from an original Droid (Google Experience Device) to a Droid 3 was awful with all the bugs introduced by Blur apps - buggy dialer that won't show pictures when using Google Voice, buggy camera app, etc. Sense is a little better, but I still will go with clean Android next time. The vendor "differentiation" is working to make them all suck.

    13. Re:Deja View by tlhIngan · · Score: 1

      Because one of the reasons manufacturers like android is the ability to customize it. They don't want you to want Android; they want you to want an HTC android, so that the next time your contract is up, you get an HTC android again instead of Samsung or Motorola or anything else. If they were required to run stock android, their ability to differentiate their product would be lowered.

      Now, I'm not saying the consumer appreciates things like HTC sense or Motoblur. The tech crowd certainly doesn't. But I do know this is the manufacturer mentality, because I remember reading concerns they had with WP7 and Microsoft's refusal to let them skin it. Honestly that's one thing they got very right about the platform.

      Well, Apple's helping to get rid of Samsung's TouchWiz crap by filing all those lawsuits (it's not just "rounded corners" but the entire package, and since TouchWiz is default set up to look pretty much like an iOS device...).

      Maybe we can ask Apple to sue HTC and Motorola to get rid of Sense and Motoblur as well. At least turn the Apple lawsuits to do some good...

  2. Old News by Anonymous Coward · · Score: 0

    This was discussed months ago when it was discovered on XDA-Developers and HTC responded. There are details on XDA on how to remove the library and close the security hole.

    1. Re:Old News by dyingtolive · · Score: 1

      And we appreciate your linking us to the page in question. It was most helpful.

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    2. Re:Old News by Anonymous Coward · · Score: 0

      su
      rm -rf /data/data/com.htc.loggers
      pm disable com.htc.loggers # freeze the stock app, HTCLoggers.apk

      (ymmv. I don't own an HTC phone, and I made up these instructions.)

  3. Oh gods! I'm stuck in a time loop again! by Kenja · · Score: 1

    Will this day ever end? Or am I doomed to repeat it forever?

    or it could just be a repost I guess....

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  4. Do Slashdot editors... by Issarlk · · Score: 2

    ...read Slashdot ?

    1. Re:Do Slashdot editors... by Anonymous Coward · · Score: 0

      No, they are far too busy editing it.

    2. Re:Do Slashdot editors... by Anonymous Coward · · Score: 0

      They edit?!

    3. Re:Do Slashdot editors... by Burning1 · · Score: 2

      They must. That's clearly where they are plagiarizing all their content from.

    4. Re:Do Slashdot editors... by Bucky24 · · Score: 1

      Infinite plagiarization loop!

      --
      All the world's a CPU, and all the men and women merely AI agents
  5. Contract Problems? by MarkvW · · Score: 2

    Phone companies have you sign adhesion contracts when you sign up for their services. In other words, "take it or leave it" contracts. These contracts are incredibly one-sided.

    If the full extent of the agreement is laid out in the contract and the contract is not "unconscionable," the contract will be enforced.

    I suspect that terms of a contract that allow a telephone provider to negligently harm a phone user in ways no phone user could reasonably anticipate would be considered an unconscionable contract.

    That could open the door for money damages.

    The phone companies work hard to get legislation to slam shut your right of access to the courts.

    1. Re:Contract Problems? by Archangel+Michael · · Score: 1

      Then don't use a cell phone. Yes, they track you. Duh.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  6. Need more details by Anonymous Coward · · Score: 0

    The problem was introduced via an update to the HTC phones . . .

    An update? What crazy world do you live in where phones get updates? I don't even have Froyo for fuck's sake!
    Snark aside, we need more information. Carriers, phones, what version of Android you're running, and so on.

    1. Re:Need more details by Dark+Lord+of+Ohio · · Score: 0

      my phone gets updates, fool! At least its firmware updates, so don't fucksake here and read some magazine... or something.

    2. Re:Need more details by Jeng · · Score: 1

      My phone got updated to 2.3.4 via an automatic update from T-Mobile. Running an HTC G2.

      --
      Don't know something? Look it up. Still don't know? Then ask.
  7. It's October-groundhog day by davidwr · · Score: 1

    It's like it's October 2 all over again!

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:It's October-groundhog day by treeves · · Score: 1

      If Punxsutawney Phil sees his shadow on Oct. 2nd we're stuck with another six weeks of summer?

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    2. Re:It's October-groundhog day by gmhowell · · Score: 1

      Is that Sonny and Cher I hear singing?

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  8. this is old news... by Dark+Lord+of+Ohio · · Score: 1

    ... but wait for tomorrow. Apple's big day will last at least 3 months.

  9. iPhones do not appear impacted by bhlowe · · Score: 1

    This security breach does not appear to affect the iPhone 5 to be released tomorrow.

    1. Re:iPhones do not appear impacted by Anonymous Coward · · Score: 0

      No shit?

    2. Re:iPhones do not appear impacted by Anonymous Coward · · Score: 0

      Are you a troll or just stupid?

    3. Re:iPhones do not appear impacted by Rob+Riggs · · Score: 1

      Are you a troll or just stupid?

      False dichotomy.

      --
      the growth in cynicism and rebellion has not been without cause
    4. Re:iPhones do not appear impacted by Bucky24 · · Score: 1

      Probably because iPhones don't have the HTCLogger tool. Nor will they likely have said tool in the future.

      --
      All the world's a CPU, and all the men and women merely AI agents
    5. Re:iPhones do not appear impacted by Anonymous Coward · · Score: 0

      Well, that's because they didn't need a tool to do anything. Leaking GPS data (among other things) was an integral part of the OS.

    6. Re:iPhones do not appear impacted by Anonymous Coward · · Score: 0

      WHOOOOSHH!!!!

  10. Problem for who? by Anonymous Coward · · Score: 0

    A problem with a device that allows the owner of the device to view and delete or to dispose of private, personal data at will .. by the owner of the device is not a problem for the owner of the device, is it?

    1. Re:Problem for who? by ae1294 · · Score: 1

      are you a poorly crafted chatbot?

    2. Re:Problem for who? by dyingtolive · · Score: 3, Funny

      He must work for the Official Organizational Body That Specializes in Unmaking Things Simple and Concise by Unwieldily Phrasing Things Not in a Way Most People Would Easily Parse. It's also known by its acronym, OOBTSUTSCTNWMPWEP, not to be confused with OOBTSUTSCUPTNWMPWEP, which, as we all know is the acronym for Obfuscated Acronym Bureau.

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    3. Re:Problem for who? by drosboro · · Score: 1

      He is a unicorn.

  11. Jimmy Two-Times by Anonymous Coward · · Score: 0

    I'm gonna go get the papers, get the papers.

  12. This looks really serious... by MrCrassic · · Score: 1

    I'm usually skeptical to "GAPING HOLE" stories like this, but the Android Police article referenced in the article provided (link here) clearly demonstrates that this is a serious problem.
    Google or, I think, HTC can just remove the app OTA until they clean this up. I can see why they need SOME of that data (build information, phone information, stack trace, etc), but what are they going to do with SMS messages and call history??

    1. Re:This looks really serious... by Anonymous Coward · · Score: 0

      They are going to incorporate it into Google+ of course! Why wouldn't they harvest everything they can and post or sell it. It is working well for the social competition.

    2. Re:This looks really serious... by Anonymous Coward · · Score: 0

      They are going to incorporate it into Google+ of course! Why wouldn't they harvest everything they can and post or sell it. It is working well for the social competition.

      You do know that HTC doesn't own Google+, right?

  13. Disappointed in lack of comments in these posts by blahbooboo · · Score: 1

    Why are there a measly 82 comments in the prior post and this one isn't generating a lot? This is a significant finding, and when this happens on iOS slashdot has 500+ comments. Perhaps the low comment number is because the apple folks aren't as crazy with trolling on android as vice versa?

    1. Re:Disappointed in lack of comments in these posts by dyingtolive · · Score: 1

      I'm guessing most people take a glance at it, look at their rooted phones not running Sense or running a version of Sense old enough to not have HTC's "update" in it, and then they go on about their lives. I know that the version of VirtuousROM that I'm running doesn't have the apk they mention in the article on it.

      As far as an equivalent iOS issue, aren't you kind of just stuck with it if it's there? I mean, you can't just trivially remove the offending package or change OS or something, can you?

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    2. Re:Disappointed in lack of comments in these posts by MikeMo · · Score: 1

      I have noticed that bad news about Android devices in general either generates a lot of Apple hate posts or no posts at all. It's like slashdot folks avert their eyes whenever bad news pops up. Note the paucity of bad news about Android on slash in general - it just doesn't make the front page.

    3. Re:Disappointed in lack of comments in these posts by Calibax · · Score: 1

      What percentage of HTC phone owners actually know how to root their phones and consider it worth the time and effort? I'd take a bet it's way less than 5%, not "most people" as you suggest.

    4. Re:Disappointed in lack of comments in these posts by blahbooboo · · Score: 1

      What percentage of HTC phone owners actually know how to root their phones and consider it worth the time and effort? I'd take a bet it's way less than 5%, not "most people" as you suggest.

      Exactly.

    5. Re:Disappointed in lack of comments in these posts by Belial6 · · Score: 5, Insightful

      I suspect the difference is that there is little to discuss. 82 comments is plenty for everyone to see that everyone agrees this is a problem. Whereas when there is a problem on Apple devices, Apple fanboys come out in droves to try and rationalize away the problem.

      If you want to verify this, just review the two threads and see how many people claim it isn't a problem for the people that own the affected phones. Then go to the Apple tracking threads and count the number of people who claim it isn't a problem for people that own the affected phones.

      Honestly, I'm not sure if you are trolling, or if you actually don't see this.

    6. Re:Disappointed in lack of comments in these posts by dyingtolive · · Score: 1

      As this is the site eternally waiting for the "Year of Linux on the Desktop," I'd hope it's a lot more than 5%. I'm just excusing why there is less outrage HERE, not around the world.

      --
      Support the EFF and Creative Commons. The war is coming, and they're supporting you...
    7. Re:Disappointed in lack of comments in these posts by iluvcapra · · Score: 1

      "HTC phone owners" or "slashdot-reading HTC phone owners"?

      There's this sort of attitude that says that anyone who runs Android accepts the consequences, because it's "open" in this sense and you can read the source and make your own changes. People who run iOS are forced to make a somewhat more authoritarian argument because they don't really have much granular control over what they run on their phone and don't have complete control over the consequences -- and so you end up having big arguments over whether the iPhone or whatever is a good product in toto, and whether or not Apple policy X is good or bad.

      Android comment threads aren't as spicy because most slashdot-reading Android users have the attitude that everything disagreeable about Android is opt-out, even if it's a Hobson's choice a lot of the time, and the disagreeable aspects of Android are the only things keeping manufacturers selling it.

      --
      Don't blame me, I voted for Baltar.
    8. Re:Disappointed in lack of comments in these posts by scot4875 · · Score: 1

      I'm thinking a couple of reasons:

      HTC doesn't have nearly the marketshare of the iPhone. It's only one of many players in the Android handset market. A lot of people don't give a shit about HTC's security problems.

      Second, many of us who *do* have HTC phones have installed Cyanogen or some other ROM and it's a non issue. I bought a HTC phone for the hardware, not the software. What they do to fuck up their default OTAs is a complete non-issue to me because I have the freedom to not deal with their default OTAs.

      That said, hopefully this isn't indicative of things to come from HTC. I like their hardware and their hacker-friendly mentality and would hate to have to start avoiding them.

      --Jeremy

      --
      Jesus was a liberal
    9. Re:Disappointed in lack of comments in these posts by scot4875 · · Score: 1

      And I'll bet that of the demographic that frequents Slashdot, it's much higher than that; probably "most people" for the context of usual commenters to Slashdot posts.

      --Jeremy

      --
      Jesus was a liberal
    10. Re:Disappointed in lack of comments in these posts by Anonymous Coward · · Score: 0

      I have noticed that bad news about Android devices in general either generates a lot of Apple hate posts or no posts at all. It's like slashdot folks avert their eyes whenever bad news pops up. Note the paucity of bad news about Android on slash in general - it just doesn't make the front page.

      This is NOT bad news about Android, it's bad news about HTC and specifically one of their in-house apps.
      One of the drawbacks to controlling the OS, the hardware, AND the software like Apple does, is that you're responsible when anything gets fucked up with any of those parts of it.

      So yeah, it's logical that you'd see more griping about Apple than Android in this regard.

  14. Bites by Anonymous Coward · · Score: 0

    Bite my shiny metal android backdoor.

    1. Re:Bites by Anonymous Coward · · Score: 0

      Not until it stops leaking!

  15. Weird by jimmerz28 · · Score: 1

    I guess HTC wants to prompt me to root my phone and install a ROM? Cause that's what this finding did.

  16. Get with the plan by Calibax · · Score: 1

    Didn't you get the memo? It's very cool to dislike Apple, but it's totally not cool to beat up on Android (and by extension, Android vendors). In fact it's so very un-cool that we need to ignore Android related problems - not that there are (or ever will be) any.

    1. Re:Get with the plan by blahbooboo · · Score: 1

      haha i didn't realize. You're actually correct... the apple posts also generate more hits for slashdot so that explains the apple posts here as well..

    2. Re:Get with the plan by Anonymous Coward · · Score: 0

      In fact it's so very un-cool that we need to ignore Android related problems - not that there are (or ever will be) any.

      You mean we should treat it like Slashdot treats Mac OS X malware?

  17. One question. by JustAnotherIdiot · · Score: 1

    I'm usually too lazy to do things such as rooting, but this (along with a few other things) seriously makes me want to get a custom ROM for my phone.
    Any suggestions for an HTC incredible 2?

    --
    What do I know, I'm just an idiot, right?
    1. Re:One question. by blahbooboo · · Score: 1

      Uber nerds like the crazy amount of customization available in cyanogen.

      I enjoyed just plain vanilla android. Clean and simple.

    2. Re:One question. by kgoods · · Score: 1

      >>Uber nerds like the crazy amount of customization available in cyanogen.
      >>I enjoyed just plain vanilla android. Clean and simple.

      Or not so much the customization but the more-than-obvious performance boost. I have a HTC Hero, the contract is not up for another 8 months and it was getting painfully slow. Rooted it and installed cyanogen and it's like a new phone. I don't really care so much about the bells and whistles, but the responsiveness has improved so much that I may not even upgrade when this contract is up. You can have clean and simple with cyanogen if you want, plus, did I mention it is FAST? :)

    3. Re:One question. by blahbooboo · · Score: 1

      Is it faster than vanilla android? In my test it didn't seem so...

    4. Re:One question. by kgoods · · Score: 1

      Easily... but that could have more to do with the vanilla being 2.1 and cyanogen being 2.3.3. Don't know don't care... happy with it the way it is. ;)

    5. Re:One question. by JustAnotherIdiot · · Score: 1

      When you say vanilla, do you mean the image I got on the phone out of the box?
      Because that's bogged down with all kinds of crap I don't need from verizon and HTC.

      --
      What do I know, I'm just an idiot, right?
    6. Re:One question. by YoopDaDum · · Score: 1

      On an Incredible S (should be the same as 2, just different market and name) if I use AndExplorer (free app) to look into the device /system/app directory I don't see an HTCLogger.apk file. I'm not experienced enough to say this model is not affected for sure, but it looks like the application causing the problem is not installed. This check is very easy to do, so if an experienced Android person can tell whether it's reliable or not it'd be nice.

    7. Re:One question. by blahbooboo · · Score: 1

      Vanilla means pure android without bloatware, skins, etc. Like it's a Nexus type android phone

    8. Re:One question. by JustAnotherIdiot · · Score: 1

      I'd be perfectly fine with that, in that case.

      --
      What do I know, I'm just an idiot, right?
  18. Must be Apples fault by thetoadwarrior · · Score: 1

    Somehow Apple must be to blame. Android is open source goodness and with so many eyes looking over the code it couldn't have flaws.

    1. Re:Must be Apples fault by wrygrin · · Score: 1

      Somehow Apple must be to blame. Android is open source goodness and with so many eyes looking over the code it couldn't have flaws.

      that may have been intended as stinging sarcasm, but the problem is with a component of HTC's proprietary Sense overlay. that sorta takes any point out of your mockery.

      --
      everything leaks
    2. Re:Must be Apples fault by thetoadwarrior · · Score: 1

      It was sarcasm and it was more to the point that people think that Android is better because it's open source but imo it's not that open because of things like Sense so it's slowly losing any sort of benefit to being open source.

    3. Re:Must be Apples fault by Anonymous Coward · · Score: 0

      And we obviously have to blame the AOSP for that. Not HTC, not any manufacturer, but Android itself.

    4. Re:Must be Apples fault by dudpixel · · Score: 1

      um, it's HTC, not Android...but the humour was noted.

      The joke is a little old though...

      --
      This seemed like a reasonable sig at the time.
  19. You really seem to be obsessed with Apple. by Brannon · · Score: 1

    Let's talk about what else you have going on in your life. We're all here to help, but most importantly, we're here to listen. This is a safe place.

  20. solution by cool_arrow · · Score: 1