Slashdot Mirror


FTC to HTC: Patch Vulnerabilities On Smartphones and Tablets

New submitter haberb writes "I always thought my HTC phones were of average or above average quality, and certainly no less secure than a vanilla Android install, but it turns out someone was still not impressed. 'Mobile device manufacturer HTC America has agreed to settle Federal Trade Commission charges that the company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk.' Perhaps this will push HTC to release some of the ICS upgrades they promised a few months ago but never delivered, or perhaps the reason they fell through in the first place?"

15 of 111 comments

  1. Cyanogen Mod. by pecosdave · · Score: 5, Interesting

    The best software patch I've found for HTC products, though I have tried others.

    --
    The preceding post was not a Slashvertisement.
    1. Re:Cyanogen Mod. by monkeyhybrid · · Score: 2

      Not just for HTC phones. I'd be tempted to flash CyanogenMod on any supported phone if it's not a Nexus device (and even then there are advantages with CM, especially with older Nexus devices that were deemed not powerful enough for 4.x).

    2. Re:Cyanogen Mod. by puto · · Score: 4, Interesting

      I am a tech support manager at one of the largest cell carriers in the US, and while HTC might have nice hardware, they are very shoddily made and usually about 3 months into it 40-60% of the phones crap out multiple times and we have to end up giving out Samsung as replacements. Which is why you see the HTC 1X selling new for 99 cents, because it is a horrible piece of crap.

      --
      The Revolution Will Not Be Televised
    3. Re:Cyanogen Mod. by pecosdave · · Score: 2

      My buddy who is a sys-admin for a rather sizable company talked me out of getting a Galaxy S and getting an Evo 4G (WiMax original) instead. His experience, running IT for an organization with a really healthy blend of multiple types of handsets was that the HTC's were physically much more durable than the Samsungs.

      My personal experience doesn't include a Samsung phone, but I'm rough on stuff. I've got bent keys in my pocket because they were bent in my pocket. I work at the Johnson Space Center running cables under the floor, up walls, I'm regularly on ladders, in the sub-floor and I even do work on the side. I destroy a work pager or two a year while I'm rolling over on the phone in my pocket at the same time. My original Evo held up until I dropped it face down on a rock by accident, losing it off of a bicycle moving at a fairly quick pace. My current one, an LTE Evo model, has held up for nine months so far. The work pager's been replaced at least once since I've gotten it.

      To clear things up - I've got a slightly warped Leatherman pocketknife (not a normal multi-tool). I'm rough on stuff. Part of the reason I wear carpenter pants is I like putting my phone in the leg pocket. It took two years to make my old Evo get buggy. It still works - post screen replacement - and I've got it set up for my daughter to play games on it. It still worked fine as a phone as of the day I decommissioned it - the signal just wasn't as reliable as my coworker's identical phone on an identical plan anymore and hey, newer model out there. Before my Evo I destroyed an iPhone 3G and the replacement for that (also iPhone 3G) had a crack in the case, the WiFi and Bluetooth no longer worked, but the phone itself still did.

      You may have some experience I don't in this area. I just don't see it.

      Also your username means ass.

      --
      The preceding post was not a Slashvertisement.
  2. Perhaps... by Mitreya · · Score: 4, Insightful

    company failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk

    It should also be illegal to install bloatware that is embedded to the point of not being removable (without at least rooting the device and perhaps voiding warranty). Nothing makes the phone more secure than facebook processes -- there are several, and a dozen other built-in crapware clients (peddling games, services, etc).

    And I don't think that buying a full-priced phone changes anything, either.

    1. Re:Perhaps... by hedwards · · Score: 2

      I briefly had a Motorola Backflip and I loved the concept of it. Unfortunately, it was underpowered to begin with and AT&T insisted upon larding it up with all sorts of things that would run and make it even slower.

      It's a shame, because the device was actually fairly nice in other respects.

    2. Re:Perhaps... by anagama · · Score: 4, Interesting

      Yeah -- but there are others you can't do anything about. Dropbox or Google+ for example: only options are "force stop" and "uninstall updates". How about a flat out "uninstall".

      --
      What changed under Obama? Nothing Good
    3. Re:Perhaps... by KGIII · · Score: 2

      I used to have an HTC Merge. I had rooted (and unlocked, of course) the phone. I sent it in for a repair twice, to HTC itself not an insurance claim, and though the second time resulted in my getting a different phone returned to me I never once had anyone complain or deny my warranty because of this. YMMV and I have since moved away from HTC, great hardware though. I'm pretty rough on stuff.

      --
      "So long and thanks for all the fish."
    4. Re:Perhaps... by tlhIngan · · Score: 2, Insightful

      Everyone talks about "voiding the warranty."

      But has anyone ever actually had a warranty claim denied just because the phone is/was rooted and/or running different software?

      Indeed, even HTC's own warranty statement doesn't seem to automatically exclude coverage for devices that are simply running different software.

      Well, the thing is, most people do NOT file warranty claims - they go back to their carrier and ask what to do. Because what happens if you have to send the phone to HTC and then wait for them to replace it - if you're lucky, it'll take a week. Most of the time it'll take 2 or more weeks. And you'll be spending a chunk on shipping and other things to get your RMA in.

      Most people will just go back to their carrier and then figure out what to do. If they broke the screen, they'd probably buy a new phone, or do an early upgrade. If it's a real fault like a bad power button, they'd probably replace it or steer you towards the extended warranty.

      About the only people who do actually claim warranties are for Apple phones - mostly because you just go into the store and they can replace it on the spot. But you can't do that at a Samsung store, a Microsoft store, or other manufacturer store.

      But claiming warranty service is always a PITA - you call them up, get an RMA, ship it off, wait for it to be returned, etc. etc. etc.

      Carriers often provide their own warranty and extended warranty, and have the bulk power to basically make the manufacturer responsible for it - they'd just return them back en masse and claim it against future shipments. When that happens, who broke it, etc. gets lost and a company like HTC is in no way going to be able to individually deny warranty claims because it takes too much work when you're getting 1000 phones sent back.

      Most will simply be reflashed and tested - if they work, great, if not, fix it or use it for parts. Now, if it was you or I doing the whole warranty thing, maybe they'll test it and deny the claim. But when the carrier is returning thousands at a time (which could be a month or so), it's not so practical. Plus, unlike Apple, these companies NEED carrier business. If HTC started denying claims, the carrier can simply not bother to purchase HTC phones (or buy a lot less of them).

  3. Bad summary. by msauve · · Score: 3, Informative

    Granted, HTC was late in delivering ICS to the Thunderbolt. But, contrary to the summary's claim and link ("upgrades they promised a few months ago but never delivered"), it was in fact delivered - a few weeks ago.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Bad summary. by icebike · · Score: 4, Informative

      Right. Why do summary writers always try to force the story toward their pet peeve?

      Further, this FTC settlement had NOTHING to do with what version of Android was installed, but rather the diagnostics and monitoring applications they had installed, mostly at the carriers' request.

      Both "Carrier IQ", something demanded by carriers, till they got caught, and "Tell HTC" a bug reporting software, ended up leaving logs on the phone that contained private data in clear-text, and transmitted that data to the carriers or to HTC in un-encrypted format. It also had to do with the handling of that data once it was delivered to the carriers and more specifically to HTC.

      Why the summary writer had to make it about something else is beyond me.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:Bad summary. by anagama · · Score: 3, Informative

      To be clear, this is what the vulnerability did:

      Let me put it another way. By using only the INTERNET permission, any app can also gain at least the following:

              ACCESS_COARSE_LOCATION: Allows an application to access coarse (e.g., Cell-ID, WiFi) location
              ACCESS_FINE_LOCATION: Allows an application to access fine (e.g., GPS) location
              ACCESS_LOCATION_EXTRA_COMMANDS: Allows an application to access extra location provider commands
              ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks
              BATTERY_STATS: Allows an application to collect battery statistics
              DUMP: Allows an application to retrieve state dump information from system services.
              GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service
              GET_PACKAGE_SIZE: Allows an application to find out the space used by any package.
              GET_TASKS: Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
              READ_LOGS: Allows an application to read the low-level system log files.
              READ_SYNC_SETTINGS: Allows applications to read the sync settings
              READ_SYNC_STATS: Allows applications to read the sync stats

      http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-android-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-addresses-much-more/

      Note the date of that article. (!)

      --
      What changed under Obama? Nothing Good
  4. Apple Phones have too many problems by tuppe666 · · Score: 4, Informative

    HTC is the only company who sells Android phones that I'd consider buying. Too bad Android apparently has issues with security updates / etc. Sure, blame the vendor... But this seems to be a prevalent problem with Android based phones.

    Let's have a little look at security on the iPhone...hmmm you can just fiddle with the power button and making an emergency call then immediately hang up, and it bypasses the passcode.

    Perhaps you would have been better with an HTC phone after all ;)

  5. ...yet more satisfying than the iPhone by tuppe666 · · Score: 2

    http://ondeviceresearch.com/blog/iphone-5-ranked-fifth-in-user-satisfaction%2C-behind-four-android-powered-devices#sthash.9vdyrgB2.7dG9XnAT.dpbs On device research found the One X to be the most satisfying phone in the UK beating out the iPhone.

  6. Nexus 7 by tuppe666 · · Score: 2

    All this an a sainted device from Google

    Except people [including myself] have been incredibly impressed with having a high resolution; quad-core; small tablet running latest Android....and so are the reviews. Top searches on Google

    http://www.techradar.com/reviews/pc-mac/tablets/google-nexus-7-1087040/review 4.5 stars
    http://www.pcpro.co.uk/reviews/tablets/379261/nexus-7 3x 5 out of 6 and 1x6 out of 6
    http://www.expertreviews.co.uk/laptops/1297408/google-nexus-7 5 out of 5 User 5 out of 5 expert
    http://reviews.cnet.com/google-nexus-7/ 4 out 5
    http://www.wired.co.uk/reviews/tablets/2012-11/google-nexus-7 9 out of 10
    http://www.theverge.com/products/nexus-7/5831 8.8 expert 9.1 User
    http://www.laptopmag.com/review/tablets/google-nexus-7.aspx 4 out of 5
    http://www.pcmag.com/article2/0,2817,2406552,00.asp 4.5 out of 5

    I know you love Apple but right now Apple need compelling products, priced competitively not fanatics spreading lies. It simply tarnishes the Apple brand more, and it's been damaged enough just lately.